For setting up log management (both Syslogs and Windows Event Logs) at remote sites, what is the best way to go when using LEM?
- Kiwi Syslog Server: have both Syslogs (from network devices, UPSs, etc.) and Windows Event Logs (converted to Syslogs with Log Forwarder for Windows) sent to a Kiwi Syslog server at each site, which then filters, compresses and sends logs over the WAN to one LEM Management Server/Virtual Appliance.
- nDepth Servers: have Syslogs and Windows Event Logs sent over the WAN to nDepth VMs (one for each site), which are then referenced by one LEM Management Server/Virtual Appliance.
- Virtual Appliances: have Syslogs and Windows Event Logs sent over the WAN to multiple LEM Management Servers/Virtual Appliances.
- Combination: send Syslogs and Windows Event Logs to an on-site Kiwi Syslog Server, which forwards to nDepth Servers referenced by multiple LEM Management Servers/Virtual Appliances.
Questions about the above:
- Licensing: When Windows Event Logs are converted to Syslogs with Log Forwarder, are those nodes then counted as Workstation or Universal Licenses?
- Database: When required to retain logs for a year, is it best to use a separate nDepth server from your Management Server(s)?
- Performance: Storage aside, is it best to have multiple Management Servers for performance reasons?
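To make the first option concrete, here is an added example (not from the original post, and not Kiwi, Log Forwarder or LEM code) of what a site-local collector does before logs cross the WAN: parse RFC 3164 syslog lines (including Windows events already converted to syslog), drop anything less urgent than a chosen severity, and count the distinct source hosts that survive, which is the figure that matters for the per-node licensing question. Hostnames, timestamps and message bodies are constructed sample data; the severity threshold and the `LogForwarder` tag are assumptions for illustration.

```python
"""Site-local syslog filter and node tally (added example, not the post's own
or any vendor's code). Uses only the standard library so it runs offline."""
import re
from collections import Counter

# RFC 3164 facility and severity tables (PRI = facility * 8 + severity).
FACILITY_NAMES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI>Mmm dd hh:mm:ss HOST MSG  (the classic BSD syslog layout)
_RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<msg>.*)$"
)


def parse_syslog(line):
    """Return a dict for a well-formed RFC 3164 line, or None if it is malformed."""
    m = _RFC3164.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:  # 23 * 8 + 7 is the largest legal PRI
        return None
    facility, severity = divmod(pri, 8)
    return {
        "facility": FACILITY_NAMES[facility],
        "severity": SEVERITY_NAMES[severity],
        "severity_num": severity,
        "host": m.group("host"),
        "timestamp": m.group("ts"),
        "msg": m.group("msg"),
    }


def filter_for_wan(lines, max_severity=5):
    """Keep parsable messages whose severity is at or above the threshold.

    Severity numbers grow less urgent (0 = emerg ... 7 = debug), so a
    threshold of 5 (assumed here) forwards notice and more urgent messages
    and drops info/debug chatter before it crosses the WAN.
    """
    kept = []
    for line in lines:
        rec = parse_syslog(line)
        if rec is None:
            continue  # malformed input is dropped rather than forwarded
        if rec["severity_num"] <= max_severity:
            kept.append(rec)
    return kept


def distinct_hosts(records):
    """Tally messages per source host; len() of the result is the node count."""
    return Counter(r["host"] for r in records)


# Constructed sample input: a firewall, a UPS, and one Windows host whose
# event log is relayed as syslog by a forwarder agent (tag assumed).
SAMPLE_LINES = [
    "<34>Oct 11 22:14:15 fw-site1 kernel: link down on eth1",             # auth.crit
    "<165>Oct 11 22:14:16 ups-site1 upsmon: on battery",                  # local4.notice
    "<14>Oct 11 22:14:17 ws-site1 LogForwarder: EventID 4624 logon",      # user.info
    "<13>Oct 11 22:14:18 ws-site1 LogForwarder: EventID 6005 log started",  # user.notice
    "not a syslog line at all",
]

if __name__ == "__main__":
    kept = filter_for_wan(SAMPLE_LINES)
    for rec in kept:
        print(f"{rec['host']:10} {rec['facility']}.{rec['severity']:8} {rec['msg']}")
    print("nodes seen:", len(distinct_hosts(kept)))
```

Run as-is it forwards three of the five sample lines (the info-level logon event and the malformed line are dropped) and reports three distinct nodes; the same `ws-site1` host appears once in the tally no matter how many Windows events it relays, which is the count a licensing model keyed on nodes would see.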