
Info logging vs Warning

Pardon me if my question has been answered but I could not find it.

I have some questions about what gets logged into the LEM.

For example: I have a Cisco VPN appliance that sends all of its syslog information to a Kiwi server.

I installed the LEM agent and configured the connector to look at the correct log file.

In the log file I will see a bunch of information that says Local4.Info, but it will never show in LEM; if, however, there is a Local4.Warning, then it will appear.

Is this by design? What if I wanted to use this for auditing a user's activity across the network? Those are just informational messages.

  • Ideally, network devices like a router, firewall or VPN appliance should forward their syslog directly to LEM. However, before doing so, you'll want to make sure that LEM has a connector built for said device. In our case, we have a Cisco ASA as our VPN appliance and so we use the Cisco PIX and IOS connector. Hope that helps!

  • In our experience, it depends on the connector.

    For example, the Windows Application connector has a "catch-all" pattern at the end which is designed to pick up events for which there aren't (currently) more specific patterns. But that "catch-all" pattern is only designed to pick up Error and Warning events, not Information. Some of the more specific patterns in the connector may detect Info events, but the generic "catch-all" is not designed for that.

    So depending on how the connector you're using was designed, it may not be built to take in every message, but to focus on what are deemed to be the most important ones (i.e. those with higher severities). I can't say for sure, but my guess would be that that is to avoid potentially overwhelming the LEM server with events which generally are not the most critical.

  • That makes sense about the connector. Some devices I found were sending me almost everything, like the Cisco ASA, but a Cisco Switch would only send me events with higher severity.
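The thread's point is that a connector whose catch-all pattern only accepts Warning and above silently drops the Info-level events an auditor cares about. The following is an added example, not code from the thread or from SolarWinds LEM or Kiwi; it decodes Kiwi-style "Facility.Severity" labels into the RFC 3164 facility/severity numbers, applies a Warning threshold the way the described catch-all does, and shows which constructed sample lines would never reach LEM. The tab-separated line layout and the sample ASA messages are assumptions made for the example.

```python
"""Decode Kiwi-style 'Facility.Severity' labels and show which lines a
severity-threshold filter (like the connector catch-all described above) keeps."""
from dataclasses import dataclass

# RFC 3164 numbering: local0..local7 are facilities 16..23; lower severity is more urgent
FACILITIES = {f"local{i}": 16 + i for i in range(8)}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "error": 3,
              "warning": 4, "notice": 5, "info": 6, "debug": 7}


@dataclass
class SyslogLine:
    facility: int
    severity: int
    host: str
    message: str

    @property
    def pri(self) -> int:
        # The <PRI> value a device puts on the wire is facility * 8 + severity
        return self.facility * 8 + self.severity


def parse_kiwi_line(line: str) -> SyslogLine:
    """Parse an assumed tab-separated Kiwi layout: date, time, Facility.Level, host, message."""
    _date, _time, prio, host, message = line.split("\t", 4)
    fac_name, sev_name = prio.lower().split(".", 1)
    return SyslogLine(FACILITIES[fac_name], SEVERITIES[sev_name], host, message)


def filter_by_severity(lines, max_severity=SEVERITIES["warning"]):
    """Return (kept, dropped). A Warning threshold keeps Emerg..Warning and
    drops Notice/Info/Debug, which is exactly where login and session events live."""
    kept, dropped = [], []
    for raw in lines:
        entry = parse_kiwi_line(raw)
        (kept if entry.severity <= max_severity else dropped).append(entry)
    return kept, dropped


# Constructed sample lines in the assumed Kiwi layout (not captured from a real device)
SAMPLE = [
    "2024-01-15\t10:22:33\tLocal4.Info\t192.0.2.10\t%ASA-6-113004: AAA user authentication Successful : user = jdoe",
    "2024-01-15\t10:22:40\tLocal4.Warning\t192.0.2.10\t%ASA-4-106023: Deny tcp src outside:198.51.100.7/4431 dst inside:10.0.0.5/445",
    "2024-01-15\t10:23:01\tLocal4.Info\t192.0.2.10\t%ASA-6-722051: Group <vpn> User <jdoe> IP <203.0.113.9> IPv4 Address <10.1.1.20> assigned to session",
]

if __name__ == "__main__":
    kept, dropped = filter_by_severity(SAMPLE)
    for e in kept:
        print(f"INGESTED  pri={e.pri} sev={e.severity} {e.message}")
    for e in dropped:
        print(f"DROPPED   pri={e.pri} sev={e.severity} {e.message}")
```

Running it shows the Deny event ingested and both Info-level authentication/session events dropped, which is the auditing gap the question describes; lowering the threshold to Info in the filter keeps them, at the cost of the higher volume the second reply warns about.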