Sizing Your SolarWinds Log and Event Manager Appliance

Monalytic provides a simple overview on right sizing your SolarWinds Log and Event Manager implementation to best fit your environment.

Existing Environment Review

  • Number of Security Devices:  _____
  • Number of Network Devices:  _____
  • Number of Workstations:  _____
  • Number of Servers:  _____
  • Note – SolarWinds Log and Event Manager (LEM) has agents available for Windows, Linux, AIX, HPUX, Solaris, and Mac OS X.

Overview of SolarWinds Log and Event Manager Licensing

  • Universal Nodes – anything that feeds LEM event data via Syslog.
  • Workstation/Agent Nodes – any node that can accept a LEM agent.

Conveying this information to an authorized SolarWinds reseller will allow them to quote the license that’s right for your environment. Tiered licenses are issued in the following formats “LEM100” and “LWE250 for LEM100”. These licenses can be read as being able to accommodate 100 Universal Nodes and 250 Workstation/Agent Nodes.


Licensing is acknowledged as being in-use on the appliance based on each unique IP address that sends it data. Deployed agents have logic built in to accommodate for dynamic IP addressing (DHCP) but other devices that do not operate an agent have the potential to consume more than one license if/when their address changes. These can be pruned from the LEM appliance manually or automatically if needed. To setup automatic recycling within the appliance you would check the box illustrated below and set a frequency.

Deployment Tiers and Recommendations

SolarWinds has three general tiers when it comes to sizing (Small, Medium, or Large).

Image Source

This is where it gets a bit interesting; taking the data obtained from the “Existing Environment Review” you will have to determine a deployment level to go with. All monitored systems have the ability to adjust the verbosity of logging from low level basic events to highly verbose “catch everything” logging. Unless you perform sampling of each device and define time study statistical calculation it’s difficult to say (for example) that 100 devices will generate five million events per day. You could essentially have 100 devices with the verbosity turned all the way up or 100 with it turned down, or most likely a mix of both. Generally, the column on the right of the table is of most value. Start with the raw number of endpoints and scale the appliance to the bracket that best fits; always leaning on the heavier resource side. For example, if you have 5x security devices, 250x network devices, and 151x servers it might run on the “small” tier deployment but the appliance would be very stressed. For that scenario we would suggest moving to the “medium” tier of the matrix and starting with something like 6 cores, 16GB RAM, and 1TB storage.

Once the appliance is in operation and you have the ability to analyze the actual log ingest rate adjusting resources becomes a bit easier. Simply run an nDepth report for the past hour, multiply the total events by 24 to get a per hour log count and then refer to the matrix below as guide:

Best Practices and Areas to Watch Out For

  • Always statically allocate/reserve resources on your virtual environment for the LEM appliance.
  • The faster the storage the better! RAID-10 and/or solid-state disks (SSDs) are highly recommended.
  • If/when performance issues arise; check your memory/RAM usage. Due to the real-time nature of LEM it runs very heavily on memory consumption.
  • There is a 2TB storage limit for event data retention. The appliance will continue to grow until it reaches this limit and then use circular logging methods, dropping the oldest data to make room for new events.

Monalytic is an authorized SolarWinds reseller. For more information on product licensing, maintenance renewals, training, or professional services, please contact us at


Suggested Post – How to Deploy SolarWinds Log and Event Manager Agent via Group Policy

Back to News