LEM with Linux x64 Agents show no logs

Updated November 2, 2017

Overview

The Linux x64 agent is installed, but no logs are being returned to LEM. Across several servers (CentOS 8 x64 / Ubuntu 15 x64 / Debian x64), only Apache logs are seen in LEM.

For example, a PAM connector is configured for /var/log/auth.log. Valid information is being written to auth.log but does not show in the LEM Web console. The connectors were part of a profile; they were removed and tried individually with the same result. A connection is established between the Manager and the Agent: you can see stop/start in the agent logs as well as in Management, but no further logging information.

The agent is communicating, parsing some logs, and sending some data to LEM. The remaining data isn't parsing locally. The log format may be the issue, yet there are no unmatched data warnings.

 

Environment

  • Any Linux distro with an x64 kernel
  • LEM 6.3.1

Cause 

It is likely you have logging settings with a nonstandard header format.

 

For example (line from auth.log.2):
Jun 5 06:25:04 cas2 CRON[5898]: pam_unix(cron:session): session closed for user root
-> The log line is ignored (blackhole), but when the header timestamp is changed to a random Syslog time:
1234567890123 cas2 CRON[5898]: pam_unix(cron:session): session closed for user root
-> The log line is correctly recognized as a UserLogOff event

Resolution

1. Change logging to use the syslog format. (There are logs with a non-standard header timestamp in access.log and error.log too.) Once the timestamp is correctly set, logs should be parsed into alerts correctly, or at least some "New Tool Data" should appear.

This article explains a little about syslog logging:
https://help.papertrailapp.com/kb/co...x-and-bsdos-x/
For distribution specifics, a Google search will turn up the relevant information and documentation.
In general, syslog should automatically use the standard logging format.
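To see which header timestamp formats are actually present in a log such as /var/log/auth.log before changing the logging configuration, the following added example (not from the original article or from SolarWinds) tallies the timestamp shape at the start of each line and lists the lines that differ from the file's dominant shape. The shape names and regular expressions are assumptions of this example and do not reproduce the LEM connector's parsing; the first two sample lines are the ones quoted above, the rest are constructed.

```python
import re
import sys
from collections import Counter

# Shape names and patterns are this example's assumptions, not LEM's own rules.
SHAPES = [
    # Traditional BSD syslog header, e.g. "Jun  5 06:25:04 " (day may be space-padded)
    ("bsd", re.compile(r"^(Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)"
                       r" {1,2}\d{1,2} \d{2}:\d{2}:\d{2} ")),
    # ISO 8601 / RFC 3339 header, e.g. "2017-06-05T06:27:00.123456+02:00 "
    ("iso8601", re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}"
                           r"(\.\d+)?(Z|[+-]\d{2}:\d{2})? ")),
    # Bare number in the header, e.g. epoch seconds or milliseconds
    ("numeric", re.compile(r"^\d{10,13} ")),
]

# Lines 1-2 are quoted from the article; lines 3-6 are constructed sample data.
SAMPLE = """\
Jun 5 06:25:04 cas2 CRON[5898]: pam_unix(cron:session): session closed for user root
1234567890123 cas2 CRON[5898]: pam_unix(cron:session): session closed for user root
Jun  5 06:26:10 cas2 sshd[6001]: pam_unix(sshd:session): session opened for user admin
2017-06-05T06:27:00.123456+02:00 cas2 sshd[6001]: pam_unix(sshd:session): session closed for user admin
Jun 5 06:28:00 cas2 sudo: pam_unix(sudo:session): session opened for user root
[05/Jun/2017:06:29:00] cas2 app: started
""".splitlines()

def header_shape(line):
    """Return the name of the first shape whose pattern matches the line start."""
    for name, pattern in SHAPES:
        if pattern.match(line):
            return name
    return "other"

def tally_shapes(lines):
    """Count header shapes over all non-empty lines."""
    return Counter(header_shape(l) for l in lines if l.strip())

def minority_lines(lines):
    """List (line_no, shape, text) for lines that differ from the dominant shape."""
    counts = tally_shapes(lines)
    if not counts:
        return []
    dominant = counts.most_common(1)[0][0]
    return [(n, header_shape(l), l) for n, l in enumerate(lines, 1)
            if l.strip() and header_shape(l) != dominant]

if __name__ == "__main__":
    # Usage: python3 this_script.py /var/log/auth.log (no argument: built-in sample)
    lines = open(sys.argv[1], errors="replace").read().splitlines() if len(sys.argv) > 1 else SAMPLE
    print(dict(tally_shapes(lines)))
    for n, shape, text in minority_lines(lines):
        print(f"line {n}: {shape}: {text[:60]}")
```

A file that reports more than one shape, or a dominant shape other than the one the connector is known to parse, is the place to start when adjusting the logging format.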

 

 
