
Troubleshoot syslog error messages in LEM

Updated: September 15, 2017

If a No Device Found error message displays in the widget, make sure that you configured the device to send logs to the correct IP address. See Troubleshoot alerts in the LEM console for troubleshooting steps.

LEM console does not display syslog data

Verify that your devices are configured to forward syslog data to the LEM virtual appliance IP address. If your appliance cannot receive logs, your device may not be supported.

If your devices are configured correctly and your LEM appliance is still not receiving syslog data, identify the facilities that are collecting log data. When you complete this process, configure the appropriate connector from the facility to the log device so Log & Event Manager can normalize and monitor this information in the LEM Manager.

Identify your syslog data facilities containing log data

Verify that Log & Event Manager is receiving the raw data from your syslog devices.

See your hypervisor documentation for information about using the virtual console.

  1. Open the CMC command line. See Log in to the LEM CMC command line interface for steps.

  2. At the cmc> prompt, type Appliance.


  3. At the cmc::appliance> prompt, type checklogs and press Enter.

    The appliance displays all facilities receiving logs from syslog devices, such as firewalls, routers, and switches.


    In this example, 1, 12, and 18 are active syslog facilities because they contain stored log data. Facilities 13, 15, 16, and 17 are inactive because their syslog log files are empty.

  4. Match a facility with a monitored device.
    1. Choose a facility number and record the local number (such as local2) for a future step.

    2. Enter your chosen facility number (for example, 14 for local2) and press Enter.

    3. Enter b or E to view the beginning or end of the log file, respectively, and press Enter.

    4. Enter the number of lines to display on your screen, and then press Enter.

      Pressing Enter defaults the output to 500 lines.

    5. Press Enter again.

      The raw data displays on your screen.

    6. Review and match the data to a monitored syslog device in your network.

  5. Repeat steps 3 and 4 in this section to match additional facilities with log data to a monitored syslog device in your network.

Configure a connector from the facility to the device

The following table maps each syslog facility to its log file path in the LEM Manager. The connectors defined in LEM Manager read these logs to normalize the Log & Event Manager events.

The hardened operating system prevents you from accessing the file system.

| Syslog Facility | Log File Path       |
|-----------------|---------------------|
| local0          | /var/log/local0.log |
| local1          | /var/log/local1.log |
| local2          | /var/log/local2.log |
| local3          | /var/log/local3.log |
| local4          | /var/log/local4.log |
| local5          | /var/log/local5.log |
| local6          | /var/log/local6.log |
| local7          | /var/log/local7.log |

After you verify that data is received from a device, manually enable the log connector that supports the device. The connector maps events from the monitored Windows system event log to a LEM normalized event.

  1. Match the facility of your monitored device with the corresponding log file path.
  2. Open the LEM console. See Log in to the LEM web console or Log in to the LEM desktop console for steps.

  3. Click Manage > Appliances.

  4. Click the gear button next to the appliance name and select Connectors.

  5. In the Refined Results pane search field, enter the brand name of the monitored device and press Enter.

    If your device does not display in the list, contact Customer Sales (for an evaluation license) or Technical Support (for a production license) for assistance with unsupported devices.

  6. Click the gear button next to your device and select New.

  7. In the Log File field, make sure the localx portion of the path matches the facility number you configured on your device or the facility you recorded in the previous procedure.

    For example, if your recorded facility is local2, enter /var/log/local2.log in the field.

  8. Verify that the remaining fields and selections are correct, and then click Save.

    The connector displays in the Connectors grid with a gray status icon.

  9. Click the gear button next to the connector and select Start.

    When the status icon turns green, the LEM connector is configured correctly.
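When the facility a device uses is not obvious from its configuration, the `<PRI>` header of its raw syslog messages identifies it. The following is an added example, not SolarWinds code: it decodes the PRI value (facility * 8 + severity) and returns the matching log file path from the table above for the Log File field. It assumes you have raw messages that still carry the `<PRI>` header, for example from a packet capture on the sending side; the sample lines are constructed, and the function names are hypothetical.

```python
import re
from collections import Counter

PRI_RE = re.compile(r"^<(\d{1,3})>")

def decode_pri(line):
    """Return (facility, severity) from a leading <PRI>, or None if absent or invalid."""
    m = PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:              # highest valid PRI: facility 23, severity 7
        return None
    return divmod(pri, 8)      # PRI = facility * 8 + severity

def lem_log_file(line):
    """Map a raw syslog line to the log file path in the table above, or None."""
    decoded = decode_pri(line)
    if decoded is None:
        return None
    facility, _severity = decoded
    if 16 <= facility <= 23:   # facility codes 16..23 are local0..local7
        return "/var/log/local%d.log" % (facility - 16)
    return None                # not a localN facility, so not in the table

def summarize(lines):
    """Count lines per log file path; lines that map to no path count as 'unmapped'."""
    return Counter(lem_log_file(l) or "unmapped" for l in lines)

# Constructed sample messages (not taken from a real device).
SAMPLE_LINES = [
    "<150>Sep 15 10:00:00 fw01 example: connection built",     # local2, severity 6
    "<148>Sep 15 10:00:02 fw01 example: connection denied",    # local2, severity 4
    "<166>Sep 15 10:00:03 sw01 example: link up",              # local4, severity 6
    "<34>Sep 15 10:00:04 host01 su: example auth message",     # facility 4, not localN
    "Sep 15 10:00:05 host01 example: no PRI header",           # header missing
    "<999>Sep 15 10:00:06 host01 example: PRI out of range",   # invalid PRI
]

if __name__ == "__main__":
    for path, count in sorted(summarize(SAMPLE_LINES).items()):
        print("%-22s %d line(s)" % (path, count))
```

Lines reported as unmapped either lack a valid PRI header or use a facility outside local0 through local7, so they do not correspond to any path in the table.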

View the data from the device

After you configure a connector to the facility, verify that the LEM appliance is receiving log data from the device.

You may need to authenticate to the device to generate data, as some devices do not generate a continuous stream of data.

  1. Open the LEM console. See Log in to the LEM web console or Log in to the LEM desktop console for steps.

  2. Click Monitor.

  3. In the Filters pane, expand Overview and click All events.

  4. Watch for new events that appear in the grid with the device IP address in the DetectionIP column.

    When new events display with your device IP address, the device is sending log data to the LEM appliance.
