Documentation for Security Event Manager

Troubleshoot SEM agents and network devices

If you do not see the events you expected to see on the SEM Console, use the following procedures to troubleshoot your SEM Agents and network devices.

Determine if SEM is receiving data from a device

SolarWinds recommends starting with this task before moving on to the other troubleshooting tasks.

  1. Open the CMC command line.

    See Log in to the SEM CMC command line interface for directions.

  2. At the cmc> prompt, enter:

    appliance

  3. At the cmc::appliance> prompt, type:

    checklogs

  4. To select a local facility to view, enter an item number.

  5. Search for the specific device logging to this facility (such as the product name, device name, or IP address).

Troubleshoot devices not logging to a log file

Perform the following procedure for network devices that do not show data on the SEM appliance.

  1. Ensure that the device is configured to log to the SEM appliance.

  2. Ensure that the device is logging to the correct IP address for the SEM appliance.

  3. If the device sends SNMP traps to the SEM appliance, ensure that the SEM Manager is configured to accept SNMP traps.

    See Enable SEM to receive SNMP traps for details.

  4. Ensure that a firewall is not blocking data communications between the device and the SEM appliance.

Troubleshoot devices logging to a log file

Perform the following procedure for network devices that display data in SEM.

  1. Ensure that the appropriate connector is configured on the SEM appliance.

  2. Ensure that your configured connector is running.

  3. If the connector is running, delete and recreate the connector instance.

Troubleshoot a SEM Agent

To begin, ensure that the SEM Agent is connected to the SEM appliance:

  1. On the SEM Console, navigate to Configure > Nodes.

  2. Under Refine Results, expand the type group, and then select the Agent check box.

  3. In the Status column, note the status icon for the SEM Agent:

Troubleshoot a missing SEM Agent

  1. Verify that the SEM Agent is installed on the host computer.

  2. Verify that the SEM Agent service is running on the host computer.

Troubleshoot a disconnected SEM Agent

  1. On the host computer, verify that the SEM Agent Service is running.

    If the service is not running, start the service.

    If the service is running, go to the next step.

  2. On the host computer, ping the SEM VM or appliance by hostname.

    If the ping is successful, clear the SEM Agent certificate.

    If the ping is not successful, go to the next step.

  3. On the host computer, ping the SEM VM or appliance by IP address.

    If the ping is successful, the SEM Agent is connected. See Troubleshoot a connected SEM Agent.

    If the ping is not successful:

    1. Resolve any network or firewall issues between the SEM Agent and the SEM VM/appliance.

    2. Change your DNS settings so the SEM Agent computer can resolve the SEM appliance hostname (recommended).

    3. Edit or delete the spop.conf file (based on your system bit type) so that the SEM Agent calls the SEM VM or appliance by its IP address instead of its hostname.

      See Edit or delete the spop.conf file.
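
The checks above can be run in one pass on a Windows agent host. The following PowerShell script is an added example, not SolarWinds code: the parameter names, the Get-SemAgentNextStep function, and the service display name pattern (taken from the wording of the steps on this page) are assumptions.

```powershell
# Added example: walks the "disconnected SEM Agent" checks on the agent host.
# $SemHostname and $SemIp are supplied by the operator. The display-name
# pattern is an assumption based on this page's wording; adjust if it differs.
param(
    [Parameter(Mandatory)] [string] $SemHostname,
    [Parameter(Mandatory)] [string] $SemIp,
    [string] $ServiceDisplayName = 'SolarWinds Security Event Manager Agent*'
)

# Maps the observed state to the next action named in the procedure.
function Get-SemAgentNextStep {
    param([string] $ServiceStatus, [bool] $PingByName, [bool] $PingByIp)
    if ($ServiceStatus -eq 'NotInstalled') {
        return 'Agent service not found: see "Troubleshoot a missing SEM Agent".'
    }
    if ($ServiceStatus -ne 'Running') {
        return 'Step 1: the SEM Agent service is not running; start it.'
    }
    if ($PingByName) {
        return 'Step 2: hostname ping succeeded; clear the SEM Agent certificate.'
    }
    if ($PingByIp) {
        return 'Step 3: IP ping succeeded; see "Troubleshoot a connected SEM Agent".'
    }
    return 'Step 3: both pings failed; check network/firewall, fix DNS (recommended), ' +
           'or point ManagerAddress in spop.conf at the appliance IP.'
}

$svc = Get-Service -DisplayName $ServiceDisplayName -ErrorAction SilentlyContinue |
    Select-Object -First 1
$status = if ($svc) { [string]$svc.Status } else { 'NotInstalled' }

# Follow the procedure's order: ping only when the service is running,
# and try the IP address only after the hostname ping fails.
$byName = $false
$byIp   = $false
if ($status -eq 'Running') {
    $byName = Test-Connection -ComputerName $SemHostname -Count 2 -Quiet
    if (-not $byName) {
        $byIp = Test-Connection -ComputerName $SemIp -Count 2 -Quiet
    }
}

[pscustomobject]@{
    ServiceStatus = $status
    PingByName    = $byName
    PingByIp      = $byIp
    NextStep      = Get-SemAgentNextStep $status $byName $byIp
}
```

A failed ping only shows that ICMP did not get through; a firewall that drops ICMP produces the same result as an unreachable appliance, so confirm the firewall rules before changing DNS or spop.conf.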

Edit or delete the spop.conf file

Perform the following procedure so the SEM Agent calls the SEM appliance by its IP address (Windows systems only).

  1. Stop the SolarWinds Security Event Manager Agent service.

  2. If you are running a 32-bit Windows system, delete the spop folder. Do not delete the ContegoSPOP folder.

    The folder is located at:

    C:\Windows\System32\ContegoSPOP\spop

    If you are running a 64-bit Windows system:

    1. Open the following directory:

      C:\Windows\SysWOW64\ContegoSPOP\spop

    2. Open the spop.conf file in a text editor.

    3. Replace the ManagerAddress value with the SEM appliance IP address.

    4. Save and close the file.

  3. Start the SolarWinds Security Event Manager Agent service.

Troubleshoot a connected SEM Agent

  1. Verify that you configured the appropriate connectors on the SEM Agent.

    For example, the SEM Agent for Windows runs the connectors for the Windows Application and Security Logs by default. However, you must configure the connector for the DNS server role.

  2. Verify that all configured connectors are running properly.

  3. If all configured connectors are running properly, delete and recreate the non-working connectors.

Contact SolarWinds Customer Support

If events from your network device do not appear on the SEM Console after completing these procedures, send a screenshot of the device logging configuration screens and the appropriate system files to SolarWinds Customer Support.

If you are running a 32-bit Windows system, send the following files to SolarWinds Customer Support:

  • C:\Windows\System32\ContegoSPOP\spoplog.txt (the most recent version)
  • C:\Windows\System32\ContegoSPOP\tools\readerState.xml

If you are running a 64-bit Windows system, send the following files to SolarWinds Customer Support:

  • C:\Windows\SysWOW64\ContegoSPOP\spoplog.txt (the most recent version)
  • C:\Windows\SysWOW64\ContegoSPOP\tools\readerState.xml