
Troubleshooting 'Unmatched Data' or 'Internal New Tool Data' events in the LEM Console

Periodically, unmatched data or internal new connector data alerts may appear in your LEM console, which indicates that one or more of the connectors on your appliance cannot properly normalize the associated log data. This section contains troubleshooting procedures for syslog and agent devices.

To troubleshoot these alerts:

  1. Ensure that your syslog devices are sending logs to a syslog facility on your LEM appliance.
  2. Determine which devices are logging to each facility, and whether those devices conflict with one another.
  3. Ensure that your LEM agent connectors, such as Windows-based and database connectors, are running correctly.
  4. Apply the latest connector update package.
  5. Generate a syslog sample from the LEM appliance, and then open a ticket with SolarWinds Technical Support for further assistance.

Troubleshoot syslog devices

Complete the following troubleshooting procedures for devices that send logs to a syslog facility on your LEM appliance.

  1. Verify the connector and device are pointed at the same local facility.
  2. Check the configuration on your device to determine what local facility it is logging to on your LEM appliance. In some cases, you cannot modify this setting.

    For additional information, search for your device in the Connectors section of the SolarWinds Success Center. Except for CheckPoint firewall, the LEM receives UDP syslog data on port 514.

  3. Verify that the connector is pointed to the same logging facility as the device.
    1. Open your LEM console and log in to your LEM appliance as an administrator.
    2. Click Manage > Appliances.
    3. Locate your LEM appliance in the grid.
    4. Click the gear icon and select Connectors.
    5. Locate the connector in the list.

      Use the search box at the top of the Refine Results pane or select Configured.

    6. Select the configured connector and view its details. Verify the Log File value matches the output value in the device configuration.
  4. If the device and connector configurations do not match, point the connector to the appropriate location.
    1. Click the gear icon and select Stop.
    2. Click the gear icon and select Edit.
    3. Change the Log File value so it matches your device.
    4. Click Save.
    5. Click the gear icon and select Start.


Troubleshoot device logging

Certain devices (including Cisco devices) have similar logging formats that cause connector conflicts when logging to the same facility on your LEM appliance. Use the following procedure and table to determine what devices are logging to each facility, and whether those devices conflict with one another.

  1. Connect to your LEM appliance using a VMware console view or an SSH client (such as PuTTY).

    If you are connecting to your appliance through SSH, log in as the CMC user, and provide the appropriate password.

    If you're connecting to your appliance using VMware, select Advanced Configuration on the main Console screen, and then press Enter to open a command prompt.

  2. At the cmc> prompt, enter appliance.
  3. At the cmc::acm# prompt, enter checklogs.
  4. Enter an item number to select and view a local facility.
  5. To view the device sending the event, open the log facility.

    Each event starts with the epoch timestamp (1427722392000), which is the date and time in Unix numeric format. The device sending the event (such as 192.168.2.251) follows. You will typically see a ProviderSID (ASA-1-106021), which is similar to an Event ID.

  6. If two or more devices are logging to the same facility, see the Conflicting devices section to determine whether those devices conflict with each other.

Conflicting devices

Different firewall types should log to different facilities. For example, Cisco firewalls and Palo Alto should log to different facilities. However, both devices should log to their own facilities. Ensure that the devices in each of these groups are logging to distinct local facilities on your LEM appliance. For example, if a device in Group 1 is logging to local1, make sure a device in Group 2 is not also logging to that facility.

SolarWinds recommends splitting the devices and vendors to different facilities. Having all devices pointed at one facility with multiple connectors reading that facility will impact your LEM performance.

Group     Devices
Group 1   Cisco ASA
          Cisco IOS
          Cisco PIX
Group 2   Cisco Catalyst (CatOS)
Group 3   Cisco Wireless LAN Controller (WLC)
Group 4   Cisco Nexus
Group 5   Cisco VPN
Group 6   Dell PowerConnect
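
The conflict check described in this section, as an added example that is not part of the SolarWinds documentation: it lists the senders seen in each facility and flags any facility shared by devices from different groups in the table above. The line layout (13-digit epoch milliseconds, sender IP, message), the sample lines, and the IP-to-device inventory are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Conflict groups copied from the "Conflicting devices" table.
GROUPS = {
    "Cisco ASA": 1, "Cisco IOS": 1, "Cisco PIX": 1,
    "Cisco Catalyst (CatOS)": 2,
    "Cisco Wireless LAN Controller (WLC)": 3,
    "Cisco Nexus": 4, "Cisco VPN": 5, "Dell PowerConnect": 6,
}
# Assumed layout: <13-digit epoch ms> <sender IPv4> <message>
LINE = re.compile(r"^(\d{13})\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(.*)$")

def parse_line(line):
    """Return (UTC datetime, sender IP, message), or None if the line does not fit."""
    m = LINE.match(line.strip())
    if not m:
        return None
    when = datetime.fromtimestamp(int(m.group(1)) / 1000, tz=timezone.utc)
    return when, m.group(2), m.group(3)

def senders_by_facility(samples):
    """samples maps facility name -> log lines; returns facility -> sender IPs."""
    senders = defaultdict(set)
    for facility, lines in samples.items():
        for line in lines:
            parsed = parse_line(line)
            if parsed:
                senders[facility].add(parsed[1])
    return dict(senders)

def find_conflicts(samples, inventory):
    """Return facility -> sorted group numbers where more than one group shares it."""
    conflicts = {}
    for facility, ips in senders_by_facility(samples).items():
        groups = {GROUPS[inventory[ip]] for ip in ips if inventory.get(ip) in GROUPS}
        if len(groups) > 1:
            conflicts[facility] = sorted(groups)
    return conflicts

# Constructed sample data (not real logs); INVENTORY is a hypothetical asset list.
SAMPLES = {
    "local1": ["1427722392000 192.168.2.251 %ASA-1-106021: constructed message",
               "1427722395000 192.168.2.252 constructed IOS message",
               "1427722399000 192.168.2.10 constructed CatOS message"],
    "local2": ["1427722401000 192.168.2.20 constructed Nexus message", "garbled line"],
}
INVENTORY = {"192.168.2.251": "Cisco ASA", "192.168.2.252": "Cisco IOS",
             "192.168.2.10": "Cisco Catalyst (CatOS)", "192.168.2.20": "Cisco Nexus"}
```

Devices in the same group (here the ASA and IOS senders) may share a facility, so only local1's mix of Group 1 and Group 2 is reported.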

Troubleshoot agent devices and connectors

Complete the following procedure to troubleshoot LEM agent connectors, such as Windows-based and database connectors.

  1. Verify the connector is pointing to the appropriate folder/event log.
  2. Check the configuration on the host computer to determine which folder or event log it is logging to.

    In some cases, you cannot modify this setting. For additional information, search the SolarWinds Success Center for your device.

  3. Verify that the connector is pointed to the same folder/event log as the device:
    1. Open your LEM console and log in to your LEM appliance as an administrator.
    2. Click Manage > Nodes.
    3. Locate the LEM agent for the host computer.
    4. Click the gear icon and select Connectors.
    5. Locate the connector in the list.

      Use the search box in the Refine Results pane or select Configured.

    6. Select the configured connector and view its details. Ensure the Log File value matches the output value in the host computer configuration.
  4. If the host computer and connector configurations do not match, point the connector to the appropriate location:
    1. Click the gear icon and select Stop.
    2. Click the gear icon and select Edit.
    3. Change the Log File value so it matches the host computer.
    4. Click Save.
    5. Click the gear icon and select Start.

Apply the latest connector update package

If you completed the procedures in this section and you still see the unmatched data or internal new connector data alerts, apply the latest connector package before you contact Technical Support. For instructions on how to apply the latest connector update package, see Apply a LEM connector update package.

Contact SolarWinds Technical Support

If you are unable to resolve your issue using this article, open a ticket with SolarWinds Technical Support for further assistance. Be prepared to provide the following information to a support technician: 

  • A copy of the LEM report (in Crystal Reports format) entitled Tool Maintenance by Alias for the last 24 hours or the period during which the unmatched data was detected.
  • (Syslog devices only). A sample of the logs currently sent to LEM for the affected connector. For more information, see Export log files using the CMC exportsyslog command.
  • (Windows connectors only). A copy of the entire event log in English and EVTX formats.
  • (Database connectors only). A sample of the event table containing the unread events and the details about these events.
  • (Database connectors only). The database schema (if available).

Generate a syslog sample from the LEM appliance

  1. Connect to your LEM appliance using a VMware console view or an SSH client (such as PuTTY).

    If you are connecting to your appliance through SSH, log in as the CMC user, and provide the appropriate password.

    If you're connecting to your appliance using VMware, select Advanced Configuration on the main Console screen, and then press Enter to open a command prompt.

  2. At the cmc> prompt, enter appliance.
  3. At the cmc::acm# prompt, enter exportsyslog.
  4. Enter an item number to select a local facility to export.
  5. Repeat the previous step to specify more than one facility.
  6. Enter q to proceed.
  7. Follow the on-screen instructions to complete the export.

 

Last modified
16:24, 23 Mar 2017