Submit a ticketCall us

Webinar: Web Help Desk for HR, Facilities and Accounting Departments
This webinar will focus on use cases for HR, Facilities and Accounting.

Having a unified ticketing and asset management system for all the departments in your company can provide end-users with a seamless experience and make things easier for your IT team. Yet, with different business tasks and objectives, many departments don’t fully understand the capabilities of Web Help Desk and how the software can be customized for effective use in their departments.
Register Now.

Home > Success Center > Log & Event Manager (LEM) > SolarWinds LEM Quick Start and Deployment Guide > Collect log data > Troubleshoot LEM syslog error messages

Troubleshoot LEM syslog error messages

Created by Caroline Juszczak, last modified by Caroline Juszczak on Aug 05, 2016

Views: 107 Votes: 0 Revisions: 1

If a No Device Found error message displays in the widget, make sure you configured the device to send logs to the correct IP address. See Troubleshooting Unmatched Data or Internal New Tool Data events in your LEM console for troubleshooting steps.

LEM Console does not display syslog data

Verify that your devices are configured to forward syslog data to the LEM virtual appliance IP address. If your appliance cannot receive logs, your device may not be supported.

If your devices are configured correctly and your LEM appliance is still not receiving syslog data, identify the facilities that are collecting log data. When you complete this process, configure the appropriate connector from the facility to the log device so Log & Event Manager can normalize and monitor this information in the LEM manager.

Identify your syslog data facilities containing log data

Verify that Log & Event Manager is receiving the raw data from your syslog devices.

See your hypervisor documentation for information about using the virtual console.

  1. Open a command line.

    In VMware, select SolarWinds Log & Event Manager and then click the Console tab.

    In HyperVisor, click Action > Connect to display the Console view.

    In PuTTY: 

    1. Click Session.
    2. In the Host Name field, enter the IP address or hostname of your LEM appliance.
    3. In the Port field, enter 32022 or 22.
    4. Click Open.
    5. At the login as: prompt, enter cmc, and then press Enter.
    6. At the password prompt, enter your password, and then press Enter.

      The default password is password.

  2. At the cmc> prompt, enter Appliance.

    See "CMC Commands" in the LEM User Guide for a list of all supported commands.

    File:Success_Center/Reusable_content_-_InfoDev/LEM/LEMQuickStart/0D0/010/lem_qsg_putty_log_in4_406x244.png

  3. At the cmc::acm# prompt, enter checklogs and press Enter.

    The appliance displays all facilities receiving logs from syslog devices, such as firewalls, routers, and switches.

    File:Success_Center/Reusable_content_-_InfoDev/LEM/LEMQuickStart/0D0/010/lem_qsg_available_log_files_408x304.png

    In this example, 1, 12, and 18 are active syslog facilities because they contain stored log data. Facilities 13, 15, 16, and 17 are inactive because their syslog log files are empty.

  4. Match a facility with a monitored device.
    1. Choose a facility number and record the local number (such as local2) for a future step.
    2. Enter your chosen facility number (for example, 14 for local2) and press Enter.
    3. Enter b or E to view the beginning or end of the log file, respectively, and press Enter.
    4. Enter the number of lines to display on your screen, and then press Enter.

      Pressing Enter defaults the output to 500 lines.

    5. Press Enter again.

      The raw data displays on your screen.

    6. Review and match the data to a monitored syslog device in your network.
  5. Repeat steps 3 and 4 in this section to match additional facilities with log data to a monitored syslog device in your network.

Configure a connector from the facility to the device

The following table maps each syslog facility to the file name in the LEM manager. The connectors defined in LEM manager read these logs to normalize the Log & Event Monitor events.

The hardened operating system will prevent you to access the file system.

Syslog Facility Log File Path
local0 /var/log/local0.log
local1 /var/log/local1.log
local2 /var/log/local2.log
local3 /var/log/local3.log
local4 /var/log/local4.log
local5 /var/log/local5.log
local6 /var/log/local6.log
local7 /var/log/local7.log

After you verify that data is received from a device, manually enable the log connector that supports the device. The connector maps events from the monitored Windows system event log to a LEM normalized event.

  1. Match the facility of your monitored device with the corresponding log file path.
  2. Open the LEM console and click Manage > Appliances.
  3. Click File:Success_Center/Reusable_content_-_InfoDev/LEM/LEMQuickStart/0D0/010/Button-Gear_16x13.png next to the appliance name and select Connectors.
  4. In the Refined Results pane search field, enter the brand name of the monitored device and press Enter.

    If your device does not display in the list, contact Customer Sales (for an evaluation license) or Technical Support (for a production license) for assistance with unsupported devices.

  5. Click File:Success_Center/Reusable_content_-_InfoDev/LEM/LEMQuickStart/0D0/010/Button-Gear_16x13.png next to your device and select New.
  6. In the Log File field, make sure the localx portion of the path matches the facility number you configured on your device or the facility you recorded in the previous procedure.

    For example, if your recorded facility is local2, enter /var/log/local2.log in the field.

  7. Verify that the remaining fields and selections are correct, and then click Save.

    The connector displays in the Connectors grid with a gray status icon.

  8. Click File:Success_Center/Reusable_content_-_InfoDev/LEM/LEMQuickStart/0D0/010/Button-Gear_16x13.png next to the connector and select Start.

    When the status icon turns green, the LEM connector is configured correctly.

View the data from the device

After you configure a connector to the facility, verify that the LEM appliance is receiving log data from the device.

You may need to authenticate to the device to generate data, as some devices do not generate a continuous stream of data.

  1. Click the Monitor view in the LEM console.
  2. In the Filters pane, expand Overview and click All events.
  3. Watch for new events that appear in the grid with the device IP address in the DetectionIP column.

    When new events display with your device IP address, the device is sending log data to the LEM appliance.

 

 
Last modified
09:15, 5 Aug 2016

Tags

Classifications

Public