Sensor and Analyzer are not really LEM terms. But if you look at the architecture, we are saying you can place a Syslog server in a remote location to capture the raw logs from the devices in that location and use the LEM Agent installed on it to normalized the logs and sent it to the central LEM in a compressed & encrypted manner. This represents a tremendous savings in bandwidth as opposed to send the syslog from the devices in a remote location directly to a central LEM. All the analysis (correlation rules) is done on the central LEM server
↧