Documentation forSecurity Event Manager

Troubleshoot network and syslog device logging in SEM

If a No Device Found error message appears in the widget, make sure that you configured the device to send logs to the correct IP address. See Troubleshoot alerts on the SEM Console for troubleshooting steps.

SEM console does not display syslog data

Verify that your devices are configured to forward syslog data to the SEM virtual appliance IP address. If your appliance cannot receive logs, your device may not be supported.

If your devices are configured correctly and your SEM appliance is still not receiving syslog data, identify the facilities that are collecting log data. When you complete this process, configure the appropriate connector from the facility to the log device so Security Event Manager can normalize and monitor this information in the SEM Manager.

Identify your syslog data facilities containing log data

Verify that Security Event Manager is receiving the raw data from your syslog devices.

See your hypervisor documentation for information about using the virtual console.

  1. Open the CMC command line.

    See Log in to the SEM CMC command line interface for directions.

  2. At the cmc> prompt, type Appliance.

  3. At the cmc::appliance> prompt, type checklogs and press Enter.

    The appliance displays all facilities receiving logs from syslog devices, such as firewalls, routers, and switches.

    In this example, 1, 12, and 18 are active syslog facilities because they contain stored log data. Facilities 13, 15, 16, and 17 are inactive because their syslog log files are empty.

  4. Match a facility with a monitored device.

    1. Choose a facility number and record the local number (such as local2) for a future step.

    2. Enter your chosen facility number (for example, 14 for local2), and then press Enter.

    3. Enter b or E to view the beginning or end of the log file, respectively, and press Enter.

    4. Enter the number of lines to display on your screen, and then press Enter.

      Pressing Enter defaults the output to 500 lines.

    5. Press Enter again.

      The raw data appears on your screen.

    6. Review and match the data to a monitored syslog device in your network.

  5. Repeat steps 3 and 4 in this section to match additional facilities with log data to a monitored syslog device in your network.
Syslog Facility Log File Path
local0 /var/log/local0.log
local1 /var/log/local1.log
local2 /var/log/local2.log
local3 /var/log/local3.log
local4 /var/log/local4.log
local5 /var/log/local5.log
local6 /var/log/local6.log
local7 /var/log/local7.log