
LEM with Linux x64 Agents show no logs

Updated November 2, 2017

Overview

The Linux x64 agent is installed, but no logs are being returned to LEM. Across several servers (CentOS 8 x64 / Ubuntu 15 x64 / Debian x64), only Apache logs are seen in LEM.

For example, a PAM connector is configured for /var/log/auth.log. Valid entries are being written to auth.log, but none of them appear in the LEM web console. The connectors were part of a profile; they were removed from it and tried individually, with the same result. The connection between the Manager and the Agent is established: agent stop/start events are visible both in the agent logs and in the Manager, but no further log data arrives.

So the agent is communicating, is parsing some logs, and is sending some data to LEM; the remaining data is not being parsed locally. The log format is the likely cause, although no unmatched-data warnings are reported.


Environment

  • Any Linux distribution with an x64 kernel
  • LEM 6.3.1

Cause

The logging configuration on the host is most likely writing entries with a header format (timestamp and host fields) that the connector does not recognise, so those lines are dropped before they ever reach the parser.


For example, take this line from auth.log.2:
Jun 5 06:25:04 cas2 CRON[5898]: pam_unix(cron:session): session closed for user root
-> The line is ignored by the connector (blackholed). If the header timestamp is replaced with a different, numeric syslog-style value:
1234567890123 cas2 CRON[5898]: pam_unix(cron:session): session closed for user root
-> the line is correctly recognised as a UserLogOff event. The message body is identical in both cases; only the header differs, which points at the header format rather than the PAM content.
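Before changing the syslog configuration it is worth knowing which header formats a log file actually contains, and whether it mixes several. The script below is an added example written for this article; it is not SolarWinds code and the article does not say which of these formats the LEM connector accepts (it only shows the RFC 3164-style line above being dropped and the numeric header being parsed). The format names, the regular expressions and the sample lines (the two quoted above, plus an rsyslog high-precision line and one Apache access.log and error.log line each) are my own constructions. Note that RFC 3164 pads a single-digit day to two characters ("Jun  5"), which web rendering often collapses to one space; the pattern accepts both, so compare against the raw file (cat -A) when in doubt.

```python
import re
import sys
from collections import Counter

# Header patterns for the formats a syslog daemon commonly writes. Which of
# these the LEM connector accepts is an assumption the article does not settle;
# the classifier only tells you what is in the file.
HEADER_FORMATS = [
    # RFC 3164 / rsyslog "TraditionalFileFormat": "Jun  5 06:25:04 host tag[pid]: msg"
    # (single-digit day is space-padded; one or two spaces accepted, see lead-in)
    ("rfc3164", re.compile(
        r"^(?:<\d{1,3}>)?"
        r"(?P<ts>[A-Z][a-z]{2}\s{1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
        r"(?P<host>\S+) (?P<rest>.*)$")),
    # RFC 5424 / rsyslog "FileFormat": "2017-11-02T06:25:04.123456+00:00 host tag[pid]: msg"
    ("rfc5424", re.compile(
        r"^(?:<\d{1,3}>1 )?"
        r"(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:Z|[+-]\d{2}:\d{2})) "
        r"(?P<host>\S+) (?P<rest>.*)$")),
    # Numeric epoch header (milliseconds or seconds), as in the article's second line
    ("epoch", re.compile(
        r"^(?P<ts>\d{13}|\d{10}) (?P<host>\S+) (?P<rest>.*)$")),
]


def classify_header(line):
    """Return (format_name, host, rest); format_name is 'nonstandard' when no header matches."""
    for name, pattern in HEADER_FORMATS:
        match = pattern.match(line)
        if match:
            return name, match.group("host"), match.group("rest")
    return "nonstandard", None, line


def audit(lines):
    """Count header formats over an iterable of log lines.

    Returns (Counter of format_name -> count, list of nonstandard lines), so a
    file that mixes formats, or whose headers are not syslog at all, is obvious
    at a glance.
    """
    counts = Counter()
    nonstandard = []
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line:
            continue
        fmt, _, _ = classify_header(line)
        counts[fmt] += 1
        if fmt == "nonstandard":
            nonstandard.append(line)
    return counts, nonstandard


# Constructed sample input (not captured from a real host): the two lines the
# article quotes, an rsyslog high-precision auth.log line, and an Apache
# access.log and error.log line, since the article notes those files also
# carry non-syslog headers.
SAMPLE_LINES = [
    "Jun 5 06:25:04 cas2 CRON[5898]: pam_unix(cron:session): session closed for user root",
    "1234567890123 cas2 CRON[5898]: pam_unix(cron:session): session closed for user root",
    "2017-11-02T06:25:04.123456+00:00 cas2 sshd[1120]: Accepted publickey for alice from 192.0.2.7 port 50322 ssh2",
    '192.0.2.10 - - [05/Jun/2017:06:25:04 +0000] "GET /index.html HTTP/1.1" 200 1234',
    "[Mon Jun 05 06:25:04.123456 2017] [core:notice] [pid 1234] AH00094: Command line: '/usr/sbin/apache2'",
]


def main(argv):
    # Usage: python3 syslog_header_audit.py /var/log/auth.log
    # With no argument the constructed sample above is audited instead.
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8", errors="replace") as fh:
            counts, odd = audit(fh)
    else:
        counts, odd = audit(SAMPLE_LINES)
    for fmt, n in sorted(counts.items()):
        print(f"{fmt:12s} {n}")
    for line in odd[:10]:
        print("nonstandard header:", line)


if __name__ == "__main__":
    main(sys.argv)
```

Run it against the file the connector is watching (auth.log, not just the rotated auth.log.2) before and after changing the syslog configuration: if the counts show a single format afterwards and the connector still produces nothing, the header format is not the remaining problem.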

Resolution

1. Change the logging configuration on the host to write the standard syslog format. (Note that access.log and error.log also contain entries with a non-standard header timestamp, which is expected for Apache's own log files.) Once the header timestamp is in the expected format, the lines should be parsed into alerts, or at least appear as "New Tool Data".

This article gives a short introduction to syslog configuration:
https://help.papertrailapp.com/kb/co...x-and-bsdos-x/
For distribution-specific settings, search for your distribution's syslog (rsyslog or syslog-ng) documentation.
In general, a syslog daemon writes the standard logging format by default, so a non-standard header usually means a custom output template has been configured on the host.
