Configure the audit policy on your device to send events to LEM

Updated: December 15, 2017

After you install LEM and determine the types of log files you want to monitor, ensure that your devices are configured to send log data to LEM. Unlike SolarWinds Orion products such as NPM and SAM, LEM does not automatically scan your environment for network devices and systems and start collecting and analyzing log files. With LEM, you must be proactive: configure the identified devices and systems to send the log data of interest, and then add those devices to LEM.

If you are seeing so much data coming into LEM that it seems meaningless, or you are not seeing data at all, then ensure you have:

  1. Determined which logs are important for you to monitor.
  2. Verified that the devices and systems have been configured to send that data.

For example, the following graphic shows a section of a sample audit policy for a workstation. If you are expecting Plug and Play events to be written to the log file, and it is set to No Auditing, then those events are not sent to LEM.

[Image: section of a sample audit policy for a workstation (Audit-policy.png)]

See Audit Policies and Best Practices for LEM for more information on Windows® audit policies.

About syslog local facilities

When you configure the events and logging level on a syslog device, you may have the option to specify the local facility that receives the log data. While all syslog devices have default facilities defined for logs, the option to specify the local facility depends on the device. Check with the device vendor for information on how to configure your network device. Once configured, make note of the local facility because you need it when you configure a connector to read the applicable syslog file.

If you are unsure of which local facility is receiving log data, check your device. The following illustration shows that local facility 4 is receiving traffic.

[Image: local facility 4 receiving traffic (verify-logs-1.png)]

See Understanding syslog in LEM for more information on configuring your syslog device to send log data to LEM.
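
To confirm which local facility a device is actually using, you can decode the priority value at the start of each raw syslog message. The following Python sketch is an added example, not part of the SolarWinds documentation or of LEM; the host names and messages are constructed, and it assumes the lines still carry the leading <PRI> field (as in a captured datagram).

```python
import re
from collections import Counter

# RFC 3164 / RFC 5424: PRI = facility * 8 + severity.
# local0..local7 are facility numbers 16..23.
PRI_RE = re.compile(r"^<(\d{1,3})>")
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

def decode_pri(line):
    """Return (facility_number, severity_name), or None if there is no valid PRI."""
    m = PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:  # highest valid value: facility 23, severity 7
        return None
    return pri // 8, SEVERITIES[pri % 8]

def facility_name(facility):
    """Map a facility number to localN, or facilityN for the non-local ones."""
    return f"local{facility - 16}" if 16 <= facility <= 23 else f"facility{facility}"

def count_by_facility(lines):
    """Count messages per facility; lines without a usable PRI count as 'unparsed'."""
    counts = Counter()
    for line in lines:
        decoded = decode_pri(line.strip())
        counts[facility_name(decoded[0]) if decoded else "unparsed"] += 1
    return counts

# Constructed sample messages (not captured from a real device).
SAMPLE = [
    "<166>Dec 15 10:01:02 fw01 connection built for outbound session",
    "<164>Dec 15 10:01:03 fw01 inbound packet denied by access rule",
    "<134>Dec 15 10:01:04 sw02 link up on port 12",
    "<999>Dec 15 10:01:05 fw01 priority value out of range",
    "Dec 15 10:01:06 sw02 message with no priority header",
]

if __name__ == "__main__":
    for name, n in count_by_facility(SAMPLE).most_common():
        print(f"{name}: {n}")
```

A facility that shows up here but has no matching connector is data the device sends and LEM never reads.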

 
