Enabling LEM to Track Events

You can enable LEM to track buildup and tear-down events that occur in your network.

To monitor accepted traffic, use the log option on the permit entries of your ACLs instead of buildup logging. This lets you control which accepted traffic generates an alert. Logging the actual NAT information can create a large event load, so plan a test phase: turn it on, measure the volume, and decide whether the data is valuable enough for further investigation.

If you need the unmodified log data (rather than the normalized data), consider the nDepth original log message store. Remember that this requires additional disk space.

Also decide whether you need both buildup and tear-down events, or only buildup messages. The tear-down NAT messages carry the same information as the built messages, plus the connection duration and byte count, which may or may not be useful to you. Colleges and universities that use the built messages do not rely on the tear-down messages; they only need to know that a connection was established, for verification, analysis, and correlation.

Check your syslog data and enable only the buildup or tear-down events that are of use to you.

Tracking Buildup Events

LEM is preconfigured to capture Cisco events 302003, 302009, and 603108.

You can configure LEM to capture Cisco firewall buildup events as well. The primary buildup event to use for TCP tracking is 302013. Other buildup events include 302015, 302017, 302020, 302303, 305009, 305011, and 609011. Check the description of these events in the Cisco System Log Messages Guide located on the Cisco website to ensure you need to capture these events.

Tracking Tear-down Events

Out of the box, LEM captures Cisco event 603019.

You can also enable LEM to capture Cisco firewall tear-down NAT events. The tear-down sibling of buildup event 302013 is 302014. Other tear-down events include 302016, 302018, 302021, 302304, 305010, 305012, 617100, and 609002. Check the descriptions of these events in the Cisco System Log Messages Guide to make sure they are ones you want to capture.
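To make the difference between buildup and tear-down messages concrete, the following Python script is an added example (not code from the SolarWinds guide or from LEM itself). It parses constructed ASA syslog lines in the 302013 (Built) and 302014 (Teardown) formats, pairs each tear-down with its buildup by connection ID, flags connections where a mapped address differs from the real one (NAT in play), and shows that the duration, byte count and close reason exist only in the tear-down. The event ID sets are the ones listed on this page; the hostname, addresses, connection IDs and the unrelated 106100 ACL-hit line are constructed sample data.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

# Cisco event IDs named in this guide: buildups (including the three LEM
# captures out of the box) and their tear-down counterparts.
BUILDUP_IDS = {302003, 302009, 603108, 302013, 302015, 302017, 302020,
               302303, 305009, 305011, 609011}
TEARDOWN_IDS = {603019, 302014, 302016, 302018, 302021, 302304, 305010,
                305012, 617100, 609002}

EVENT_ID_RE = re.compile(r"%ASA-(?P<sev>\d)-(?P<id>\d{6}):")

# 302013: Built {inbound|outbound} TCP connection <id> for if:real/port (mapped/port)
#         to if:real/port (mapped/port)
BUILT_RE = re.compile(
    r"%ASA-\d-302013: Built (?P<dir>inbound|outbound) TCP connection (?P<id>\d+) "
    r"for (?P<sif>\w+):(?P<sip>[\d.]+)/(?P<sport>\d+) \((?P<smip>[\d.]+)/(?P<smport>\d+)\) "
    r"to (?P<dif>\w+):(?P<dip>[\d.]+)/(?P<dport>\d+) \((?P<dmip>[\d.]+)/(?P<dmport>\d+)\)"
)
# 302014: Teardown TCP connection <id> for if:real/port to if:real/port
#         duration h:mm:ss bytes <n> [reason]
TEARDOWN_RE = re.compile(
    r"%ASA-\d-302014: Teardown TCP connection (?P<id>\d+) "
    r"for (?P<sif>\w+):(?P<sip>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dif>\w+):(?P<dip>[\d.]+)/(?P<dport>\d+) "
    r"duration (?P<h>\d+):(?P<m>\d\d):(?P<s>\d\d) bytes (?P<bytes>\d+)(?: (?P<reason>.+))?$"
)

# Constructed sample syslog lines (hostname, addresses and IDs are made up).
SAMPLE_LINES = [
    "Jan 27 16:34:01 asa1 %ASA-6-302013: Built outbound TCP connection 12345 "
    "for outside:203.0.113.10/443 (203.0.113.10/443) to inside:10.0.0.5/51234 (198.51.100.1/51234)",
    "Jan 27 16:34:02 asa1 %ASA-6-302013: Built inbound TCP connection 12346 "
    "for outside:198.51.100.77/40000 (198.51.100.77/40000) to dmz:10.0.1.20/22 (10.0.1.20/22)",
    "Jan 27 16:34:13 asa1 %ASA-6-302014: Teardown TCP connection 12345 "
    "for outside:203.0.113.10/443 to inside:10.0.0.5/51234 duration 0:00:12 bytes 4523 TCP FINs",
    "Jan 27 16:34:14 asa1 %ASA-6-106100: access-list outside_in permitted tcp "
    "outside/198.51.100.77(40000) -> dmz/10.0.1.20(22) hit-cnt 1 first hit [0x8ed66b60, 0x0]",
    "Jan 27 16:34:20 asa1 %ASA-6-302014: Teardown TCP connection 12399 "
    "for outside:192.0.2.8/80 to inside:10.0.0.9/50001 duration 0:01:05 bytes 98213 TCP Reset-O",
]


@dataclass
class Connection:
    conn_id: int
    built: bool = False              # a 302013 was seen for this ID
    direction: Optional[str] = None  # inbound / outbound (buildup only)
    src: Optional[str] = None        # interface:real-address/port
    dst: Optional[str] = None
    translated: bool = False         # a mapped address/port differs from the real one
    duration_s: Optional[int] = None  # tear-down only
    byte_count: Optional[int] = None  # tear-down only
    reason: Optional[str] = None      # tear-down only


def event_class(line: str) -> str:
    """Classify a syslog line as buildup, teardown or other by its Cisco event ID."""
    m = EVENT_ID_RE.search(line)
    if not m:
        return "other"
    eid = int(m.group("id"))
    if eid in BUILDUP_IDS:
        return "buildup"
    if eid in TEARDOWN_IDS:
        return "teardown"
    return "other"


def correlate(lines: Iterable[str]) -> Dict[int, Connection]:
    """Pair 302013 buildups with 302014 tear-downs by connection ID."""
    conns: Dict[int, Connection] = {}
    for line in lines:
        line = line.strip()
        mb = BUILT_RE.search(line)
        if mb:
            cid = int(mb.group("id"))
            c = conns.setdefault(cid, Connection(cid))
            c.built = True
            c.direction = mb.group("dir")
            c.src = f"{mb.group('sif')}:{mb.group('sip')}/{mb.group('sport')}"
            c.dst = f"{mb.group('dif')}:{mb.group('dip')}/{mb.group('dport')}"
            # NAT is in play when either mapped address/port differs from the real one.
            c.translated = (
                (mb.group("sip"), mb.group("sport")) != (mb.group("smip"), mb.group("smport"))
                or (mb.group("dip"), mb.group("dport")) != (mb.group("dmip"), mb.group("dmport"))
            )
            continue
        mt = TEARDOWN_RE.search(line)
        if mt:
            cid = int(mt.group("id"))
            c = conns.setdefault(cid, Connection(cid))
            if c.src is None:  # tear-down without a buildup seen (orphan)
                c.src = f"{mt.group('sif')}:{mt.group('sip')}/{mt.group('sport')}"
                c.dst = f"{mt.group('dif')}:{mt.group('dip')}/{mt.group('dport')}"
            c.duration_s = int(mt.group("h")) * 3600 + int(mt.group("m")) * 60 + int(mt.group("s"))
            c.byte_count = int(mt.group("bytes"))
            c.reason = mt.group("reason")
        # Anything else (ACL hits, other event IDs) is ignored here.
    return conns


def summarize(conns: Dict[int, Connection]) -> Dict[str, int]:
    """Counts that show what tear-downs add: closed connections and orphans."""
    return {
        "built": sum(1 for c in conns.values() if c.built),
        "closed": sum(1 for c in conns.values() if c.duration_s is not None),
        "still_open": sum(1 for c in conns.values() if c.built and c.duration_s is None),
        "orphan_teardowns": sum(1 for c in conns.values() if not c.built and c.duration_s is not None),
    }


if __name__ == "__main__":
    result = correlate(SAMPLE_LINES)
    for c in result.values():
        print(c)
    print(summarize(result))
```

Run the script over an export of your real firewall syslog instead of SAMPLE_LINES: if the duration, byte count and close reason columns never feed a rule or a report, the tear-down IDs can stay at their default severity and only the buildup IDs need to be raised.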

Enabling LEM to Track Buildup and Tear-down Events

  1. Ensure your firewalls are configured to log to LEM and that the appropriate LEM connector is configured to monitor for your firewall data.
  2. Access the firewalls that generate the buildup and tear-down messages you need to monitor and change the severity level of those events from 6 (the default) to 0, so that they are sent to LEM regardless of the logging trap level configured on the firewall. On an ASA, for example, the command logging message 302013 level 0 does this for event 302013.

    For more information, see the Changing the Severity Level of a Syslog Message section in the Monitoring the Security Appliance page on the Cisco site.

Last modified
16:34, 27 Jan 2017