    Sending Isilon Logs to LEM's Local Facility


      Using tcpdump we were able to see that traffic was leaving the Isilon.  On the LEM appliance, I went to add a node, and it did not find any log entries for that Isilon IP, and was therefore unable to create a node. 

      Worked with a rep about getting the syslogs to go to local facility 0, but when going to the checklogs on the appliance it remains empty. Did investigation with Snort and Wireshark, and the logs are making it to the LEM appliance but never making it to Local Facility 0. The config file on the Isilon, by the way, is set up to send the logs to Local Facility 0.

      Does anyone possibly have suggestions?

          • If you set up something like the Kiwi Syslog server and point the device to that IP, do you see data coming into Kiwi?
          • On the Isilon device, are you sending to a hostname or an IP?
            • If hostname, can you confirm that DNS is working?
            • If IP, is it reachable from the Isilon?
          • Checking the connectors available in LEM, I don't see anything that matches Isilon.  It may be that a connector is needed (in which case Kiwi can capture sample data).
          • How chatty are the Isilon devices?  Is it possible that there just hasn't been that much syslog data, or enough for the LEM to notice?
            • Can you bump the log level on the Isilon device to make it generate more traffic temporarily and see if the LEM finds it?
          • Does CHECKLOGS still show local0 as empty?
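One way to settle the "arriving at the appliance but not in local0" question from the packet capture itself, added here as an example and not code from the original thread or from SolarWinds: decode the syslog PRI value of each captured message. The facility is PRI // 8 (local0 is facility 16, so PRI 128-135) and the severity is PRI % 8; a message with no PRI header at all is usually filed by the receiver as user.notice rather than local0. The sample lines are constructed to look like what a capture on UDP 514 would show; the hostnames and contents are made up.

```python
import re

# Facility numbers 0-23 as named in RFC 3164 (local0 is facility 16).
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "logaudit", "logalert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# The PRI is the "<n>" prefix at the very start of the message, n in 0..191.
PRI_RE = re.compile(r"^<(\d{1,3})>")


def decode_pri(line):
    """Return (facility, severity) for one syslog line, or None when the line has no valid PRI."""
    match = PRI_RE.match(line)
    if not match:
        return None
    pri = int(match.group(1))
    if pri > 191:  # 23 * 8 + 7 is the largest legal value
        return None
    return FACILITIES[pri >> 3], SEVERITIES[pri & 7]


def check_capture(lines, expected="local0"):
    """Count how many captured messages land in the expected facility, which other
    facilities appear, and how many carry no PRI header (and so cannot be local0)."""
    report = {"matched": 0, "other": {}, "no_pri": 0}
    for line in lines:
        decoded = decode_pri(line)
        if decoded is None:
            report["no_pri"] += 1
            continue
        facility, _severity = decoded
        if facility == expected:
            report["matched"] += 1
        else:
            report["other"][facility] = report["other"].get(facility, 0) + 1
    return report


# Constructed sample of what a capture of the Isilon's syslog traffic might contain.
SAMPLE = [
    "<134>Aug  1 10:15:02 isilon-node1 sshd[2231]: Accepted publickey for admin",
    "<131>Aug  1 10:15:07 isilon-node1 isi_audit_d: audit event recorded",
    "<14>Aug  1 10:15:09 isilon-node1 cron[99]: job finished",
    "Aug  1 10:15:11 isilon-node1 smbd: message sent without a PRI header",
]

if __name__ == "__main__":
    print(check_capture(SAMPLE))  # {'matched': 2, 'other': {'user': 1}, 'no_pri': 1}
```

Run it over the lines pulled from the Wireshark or tcpdump capture: if "matched" is zero, the Isilon is not tagging the messages as local0 regardless of what its config file says, and the search should move to the sender; if it is non-zero, the messages really are local0 on the wire and the problem is on the appliance side.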