Configure your devices to send events to SEM
After you determine the types of log files to monitor with SEM, ensure that your devices are configured to send log data to SEM.
The application does not automatically scan your environment for network devices and systems, and it does not start collecting and analyzing their log files on its own. You must configure the identified devices and systems to send the log data of interest. When you are finished, add those devices to SEM.
If you observe SEM collecting seemingly meaningless data or no data at all, do the following:
- Determine which logs are important for you to monitor.
- Verify that the targeted devices and systems are configured to send that data.
The following graphic shows a section of a sample audit policy for a workstation. If you are expecting Plug and Play events to be written to the log file and the policy is set to No Auditing, then those events are not sent to SEM.
See Integrate Cisco network devices with SolarWinds SEM for details on how to add a syslog device to SEM. See Add a syslog device to SEM for details on how to configure the corresponding connector.
For additional guidance, see your vendor documentation or contact SolarWinds Technical Support.
See Audit Policies and Best Practices for SEM for more information on Windows audit policies.
About syslog local facilities
When you configure the events and logging level on a syslog device, you may have the option to specify the local facility that receives the log data. While all syslog devices have default facilities defined for logs, the option to specify the local facility depends on the device.
Check with the device vendor for details on how to configure your network device. Note the local facility, as you will need it when you configure a connector to read the applicable syslog file. If you are not sure which local facility is receiving log data, check your device.
See Understanding syslog in SEM for more information on configuring your syslog device to send log data to SEM.
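One way to confirm which local facility a device actually sends on is to decode the <PRI> prefix of raw syslog messages captured from it. The following is an added example, not SolarWinds code; the sender addresses, hostnames and messages are constructed samples, and capturing the raw messages is left to your own tooling.

```python
import re
from collections import Counter, defaultdict

# Facility and severity names in numeric order (RFC 5424, section 6.2.1).
FACILITIES = ("kern user mail daemon auth syslog lpr news uucp cron authpriv "
              "ftp ntp audit alert clock local0 local1 local2 local3 local4 "
              "local5 local6 local7").split()
SEVERITIES = "emerg alert crit err warning notice info debug".split()
PRI_RE = re.compile(r"^<(\d{1,3})>")


def decode_pri(raw):
    """Return (facility, severity) from the <PRI> prefix of a raw message."""
    m = PRI_RE.match(raw)
    if not m or int(m.group(1)) > 191:
        raise ValueError("missing or out-of-range PRI")
    # PRI = facility * 8 + severity
    facility, severity = divmod(int(m.group(1)), 8)
    return FACILITIES[facility], SEVERITIES[severity]


def facilities_by_sender(datagrams):
    """Tally the facility of every message, grouped by sending device."""
    seen = defaultdict(Counter)
    for sender, raw in datagrams:
        try:
            facility, _ = decode_pri(raw)
        except ValueError:
            facility = "invalid"  # no usable PRI: check the device's logging config
        seen[sender][facility] += 1
    return seen


# Constructed sample input: (sender address, raw syslog message).
SAMPLE = [
    ("192.0.2.10", "<189>Oct 12 10:01:22 fw01 configuration changed from console"),
    ("192.0.2.10", "<190>Oct 12 10:01:25 fw01 interface state changed to up"),
    ("192.0.2.20", "<134>1 2024-10-12T10:02:00Z sw02 app - - - port enabled"),
    ("192.0.2.30", "Oct 12 10:03:00 ap03 message sent without a priority field"),
]

if __name__ == "__main__":
    for sender, counts in facilities_by_sender(SAMPLE).items():
        print(sender, dict(counts))
```

A device that shows more than one facility, or only `invalid`, needs its logging configuration reviewed before you record the facility for the connector.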