Looking at SolarWinds LEM as a SIEM tool. Several of my managers are questioning the scalability for a global deployment. I am having difficulty providing adequate information as to its distributed architecture and the ability to access the raw (and/or) normalized data directly so that I can export the data into another analytical engine. Any help you have would be greatly appreciated.
If you are looking at scaling LEM for a global deployment, it's really going to depend on how many systems you plan to manage and, even more importantly, on how many events you are planning to process on any given LEM appliance.
You can install LEM appliances at different locations and then manage them all via one interface.
As far as exporting the data into other systems, your options there are pretty limited. LEM unfortunately doesn't provide many options as far as exporting data is concerned.
I think your best bet would be contacting SolarWinds and working with one of their Sales Engineers or even posting some of your questions to the LEM section of the Thwack.com forums. I know that the LEM product manager participates daily in the forums as well as many other LEM users such as myself.
I hope this helps!
After using LEM for a few years, I can't recommend it if your environment is very large or you are pulling a lot of logs. The threat detection doesn't work well either. I had everything set up for a simple port scan and had reporting turned on, and I couldn't get it to flag the event. This was on one of my smaller networks of 500-600 devices, and it had issues with this going 1-2 times a month. Support was also no help; I had a ticket in with them for months on getting McAfee ePO reporting, and it still wasn't pulling the logs by the time we switched to LogRhythm. LogRhythm took about 5 minutes to get the logs pulling from ePO. That is my 2 cents on this product.