Configure your devices to send events to SEM

After you install SEM and determine the types of log files to monitor, ensure your devices are configured to send log data to SEM. SEM does not automatically scan your environment for network devices and systems and start collecting and analyzing log files. You must configure identified devices and systems to send log data of interest, and then add those devices to SEM.

If you are seeing so much data coming into SEM that it seems meaningless, or you are not seeing data at all, then ensure you have:

  1. Determined which logs are important for you to monitor.
  2. Verified that the devices and systems have been configured to send that data.

For example, the following graphic shows a section of a sample audit policy for a workstation. If you expect Plug and Play events to be written to the log file but the policy is set to No Auditing, those events are never logged and therefore are not sent to SEM.

See Audit Policies and Best Practices for SEM for more information on Windows audit policies.

About syslog local facilities

When you configure the events and logging level on a syslog device, you may have the option to specify the local facility that receives the log data. While all syslog devices have default facilities defined for logs, the option to specify the local facility depends on the device. Check with the device vendor for information on how to configure your network device. Make note of the local facility because you need it when you configure a connector to read the applicable syslog file. If you are unsure of which local facility is receiving log data, check your device.

See Understanding syslog in SEM for more information on configuring your syslog device to send log data to SEM.
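
When you are unsure which local facility a device is using, you can decode the PRI value at the start of each raw syslog message (PRI = facility * 8 + severity, with local0 through local7 being facilities 16 through 23). The following is an added example, not part of the SEM documentation or product: the function names, the (sender, message) capture format, and the sample messages are assumptions constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Facility and severity codes defined by the syslog protocol (RFC 3164 / RFC 5424).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock"] \
             + [f"local{n}" for n in range(8)]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>")

def decode_pri(message):
    """Return (facility, severity) names for a raw syslog message, or None if the PRI is missing or invalid."""
    m = PRI_RE.match(message)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:  # 23 * 8 + 7 is the highest defined PRI value
        return None
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]

def facilities_by_sender(records):
    """Tally which facilities each sender uses. records: iterable of (sender_ip, raw_message)."""
    seen = defaultdict(Counter)
    for sender, raw in records:
        decoded = decode_pri(raw)
        seen[sender][decoded[0] if decoded else "invalid"] += 1
    return {sender: dict(counts) for sender, counts in seen.items()}

# Constructed sample: raw messages as they might be captured on the wire, paired with
# the sending device's address (documentation-range IPs, hypothetical host names).
SAMPLE = [
    ("192.0.2.10", "<134>Oct 11 22:14:15 fw01 traffic: accept src=198.51.100.7 dst=192.0.2.20"),
    ("192.0.2.10", "<132>Oct 11 22:14:16 fw01 traffic: deny src=198.51.100.9 dst=192.0.2.20"),
    ("192.0.2.30", "<189>Oct 11 22:14:17 sw02 link: interface 1 changed state to up"),
    ("192.0.2.30", "<38>Oct 11 22:14:18 sw02 sshd[411]: Accepted publickey for admin"),
    ("192.0.2.40", "Oct 11 22:14:19 ap03 message without a PRI header"),
]

if __name__ == "__main__":
    for sender, counts in facilities_by_sender(SAMPLE).items():
        print(sender, counts)
```

A device that shows up under more than one facility, or under "invalid", is worth checking before you point a connector at a single syslog file for it.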