Are you seeing anything at all from that device? If you are, I'd recommend you start with a filter or nDepth search for the Tool Alias associated with the device. That will show you everything from the device, and then you'll be able to truly see what LEM is and isn't collecting/normalizing.
If you do this and you find the alert is missing or even misnamed/incomplete/etc., open a Support ticket and we'll take a closer look.
On the other hand, if LEM isn't showing anything from this device, check to make sure it's logging appropriately and that you've configured the right connector.
Here are some knowledge base articles that should help:
- SolarWinds Knowledge Base :: How can I see all traffic from a specific device in my LEM Console?
- SolarWinds Knowledge Base :: Troubleshooting Network Devices Logging to LEM
I cannot find the entry in nDepth. I just tried another VPN connect and disconnect. In Kiwi Syslog, I see this message when I disconnect (sensitive info replaced by *****):
2012-06-11 13:20:52 Local2.Warning 10.10.9.1 Jun 11 2012 13:20:52: %ASA-4-113019: Group = *****, Username = *****, IP = *****, Session disconnected. Session Type: IPsecOverNatT, Duration: 0h:06m:48s, Bytes xmt: 257, Bytes rcv: 63, Reason: Lost Service
I cannot seem to find this message in LEM at all. I tried searching nDepth for provider SID ASA-4-113019. I also tried searching for the username and IP address. I see syslog messages showing the connection of the username and IP, but not this disconnect message.
To clarify: Are you seeing anything from that ASA firewall in your LEM console?
Yes, I have lots of information from my firewall in LEM. All of my filters for my firewall work great except for the filter for the ASA-4-113019. I had been using this syslog message to build VPN reports in my old MARS appliance since it includes username, connected IP, bytes transferred and duration.
I'm checking with Support to see if there are any known issues with this connector, but you will likely have to open a case to do more targeted troubleshooting. If you open a ticket, please post the ticket number here and keep us posted if you come to a resolution.
I got some feedback from Support and Engineering, and they say it looks like your syslog configuration is in a nonstandard format. The connector is confused because the "Local2.Warning" is being logged before the IP address. Do you know if this has been altered at all from the default configuration?
- If you've modified the format, try changing it back to the default format.
- If you haven't modified the format, please open a Support ticket to send us a log sample so we can take a closer look.
I hope this helps. Thanks.
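As an added example (not code from this thread, from SolarWinds, or from the LEM connector), here is a small Python parser that shows the format problem Support describes: it detects and strips the extra date, "Facility.Severity" and relay IP that appear before the ASA's own timestamp in the line as displayed in Kiwi, then pulls the VPN-report fields (username, IP, duration, bytes) out of the 113019 message. The sample lines, group name, username and addresses are constructed; a strict parser that expects the ASA timestamp first would not match the relayed form at all.

```python
import re

# Constructed sample lines; the user, group and IPs are placeholders, not real data.
# KIWI_LINE mimics the thread: "YYYY-MM-DD HH:MM:SS Facility.Severity <relay-ip>"
# precedes the ASA's own "Mon DD YYYY HH:MM:SS:" timestamp.
KIWI_LINE = ("2012-06-11 13:20:52 Local2.Warning 10.10.9.1 Jun 11 2012 13:20:52: "
             "%ASA-4-113019: Group = vpn-users, Username = jdoe, IP = 198.51.100.7, "
             "Session disconnected. Session Type: IPsecOverNatT, Duration: 0h:06m:48s, "
             "Bytes xmt: 257, Bytes rcv: 63, Reason: Lost Service")
# PLAIN_LINE is the same event in the ASA's default syslog form (no relay prefix).
PLAIN_LINE = ("Jun 11 2012 13:20:52: %ASA-4-113019: Group = vpn-users, Username = jdoe, "
              "IP = 198.51.100.7, Session disconnected. Session Type: IPsecOverNatT, "
              "Duration: 0h:06m:48s, Bytes xmt: 257, Bytes rcv: 63, Reason: Lost Service")

# Relay prefix seen in the thread: date, time, Facility.Severity, relay IPv4, space.
RELAY_PREFIX = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} (?P<facsev>\w+\.\w+) "
    r"(?P<relay>\d{1,3}(?:\.\d{1,3}){3}) ")

# Field layout of the %ASA-4-113019 "Session disconnected" message.
ASA_113019 = re.compile(
    r"%ASA-4-113019: Group = (?P<group>[^,]+), Username = (?P<user>[^,]+), "
    r"IP = (?P<ip>[^,]+), Session disconnected\. Session Type: (?P<type>[^,]+), "
    r"Duration: (?P<h>\d+)h:(?P<m>\d+)m:(?P<s>\d+)s, "
    r"Bytes xmt: (?P<xmt>\d+), Bytes rcv: (?P<rcv>\d+), Reason: (?P<reason>.+)$")

def strip_relay_prefix(line):
    """Return (message_body, relay_fields); relay_fields is None when no prefix is present."""
    m = RELAY_PREFIX.match(line)
    if not m:
        return line, None
    return line[m.end():], m.groupdict()

def parse_asa_113019(line):
    """Normalize one ASA-4-113019 disconnect into report fields, or None if it does not match."""
    body, relay = strip_relay_prefix(line)
    m = ASA_113019.search(body)
    if not m:
        return None
    g = m.groupdict()
    return {
        "user": g["user"], "ip": g["ip"], "group": g["group"],
        "session_type": g["type"], "reason": g["reason"],
        "duration_s": int(g["h"]) * 3600 + int(g["m"]) * 60 + int(g["s"]),
        "bytes_xmt": int(g["xmt"]), "bytes_rcv": int(g["rcv"]),
        # Flag lines carrying the relay prefix, since a strict connector may drop them.
        "nonstandard_prefix": relay is not None,
    }
```

Running `parse_asa_113019` over both constructed lines yields the same fields; only the `nonstandard_prefix` flag differs, which is a quick way to confirm whether the forwarder, not the firewall, is changing the format.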