Documentation forSecurity Event Manager

Verify that events are being sent to SEM

After you configure your device to send events to SEM, use the check logs tool to verify that SEM is receiving the data. You can access the SEM command line via VMware® vSphere® or Microsoft HyperV® Manager virtualization consoles. You can also use an SSH tool to verify that the raw syslog data is received by the SEM syslog server.

Raw syslog data is not yet parsed or normalized by SEM.

The following example shows how to use PuTTY to verify that SEM is receiving events.

  1. Open an SSH tool (such as PuTTY).
  2. Enter the IP address and port number (port 22) of the SEM virtual appliance.
  3. Log in with username cmc.

    If you are using an evaluation copy of SEM, enter password as the password.

  4. Open the appliance menu and run the checklogs command.
  5. Determine which local facilities are receiving traffic.

    In the following example, local facility 4 has received 972 kilobytes of traffic while all other facilities are empty.

  6. Open the local facility to determine if it is receiving the logs you are expecting.

    In this example, local facility 4 is receiving traffic from the Cisco ASA firewall that was configured to send logs.

If you are not seeing the log data that you expect to see: