Hi Jhynds... Thanks for the explanation. Understood.
However, there needs to be a switch to disable the auto add nodes.
Reporting the nodes is good, but let the admin decide what nodes to add.
In my case, I have a Cisco FireSIGHT Management Center feeding one of the syslogs to the LEM.
Events from this centralized management center can contain events reported by one or more of the many next-gen firewalls it manages.
These firewalls are not sending logs directly, but some events are coming through the FireSIGHT, and then to the LEM.
(These firewalls don't have sys-logging to a syslog server configured, only sending to the local log buffer.)
As centralized management tools are becoming more common now, this is going to be an issue.