3 Replies Latest reply on Mar 26, 2015 9:16 PM by joelyue

    LEM Syslog Question

    rbmadison

      I'm a SolarWinds LEM newbie but really like it. I am trying to connect our AudioCodes Mediant 1000 syslog to our LEM and it keeps telling me no nodes found. I can't find the device in the list so I was hoping it would just pick a generic one. How do I get the LEM to accept syslog from the AudioCodes Mediant 1000 device? I don't need any active monitoring of the syslog, just a way to search it through LEM. I really appreciate any help anyone can give me.

        • Re: LEM Syslog Question
          joelyue

          Hi,

          First, you must know which syslog facility you are using to send the syslog events over to LEM.

          Ensure that this facility is not used by other applications sending syslog events to LEM, so that the logs do not overlap.

          Then, under appliance > connector, create a connector meant for AudioCodes Mediant 1000.

          Under logfile: input "/var/log/localX.log" where localX is the syslog facility used by AudioCodes to send syslog to LEM.

          Under output: select Alert and nDepth.

          If LEM does not have a correct connector type, use any connector that uses syslog or log a case and get support to create an appropriate connector.

          Once it is properly set up and the node is detected, you can view/query raw syslog messages under nDepth and change the slider (beside the > last 10min button) to Log Messages instead of Alerts.

          • Re: LEM Syslog Question
            curtisi

            There's a little more configuration that has to happen, so as an addendum to what joelyue posted:

            You'll need to configure the LEM to have something to do with the raw logs. Those directions are here: SolarWinds Knowledge Base :: Configuring Your LEM Appliance for Log Message Storage and nDepth Search

            WARNING: This will impact the retention span of your LEM.

            If you're using a random syslog connector, having it try to generate Alert data from the syslogs will just fill the LEM with errors and "InternalNewToolData" events. If all you want is raw logs, just pick "nDepth" for the output.

            Raw data doesn't show up in Reports, can't be used to trigger rules and won't appear in Filters.
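
Added example, not part of the thread above and not SolarWinds code: a way to carry out the first two steps joelyue describes, by reading the standard `<PRI>` header of captured syslog messages to find each sender's facility, the `/var/log/localX.log` path it corresponds to, and any facility shared by more than one sender. The function names, the `(source, message)` input shape and the sample messages are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# A syslog message starts with <PRI>, where PRI = facility * 8 + severity.
PRI_RE = re.compile(r"^<(\d{1,3})>")

def facility_of(raw):
    """Return the facility name from the <PRI> header, or None if absent/invalid."""
    m = PRI_RE.match(raw)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:                      # highest valid PRI is 23 * 8 + 7
        return None
    fac = pri >> 3                     # drop the three severity bits
    return f"local{fac - 16}" if 16 <= fac <= 23 else f"facility{fac}"

def logfile_for(facility):
    """Path to enter in the connector's logfile field, per the thread's
    /var/log/localX.log convention. Only local0..local7 are mapped."""
    if facility and facility.startswith("local"):
        return f"/var/log/{facility}.log"
    return None

def overlaps(datagrams):
    """Map each facility used by more than one source to its sorted sources."""
    seen = defaultdict(set)
    for src, raw in datagrams:
        fac = facility_of(raw)
        if fac:
            seen[fac].add(src)
    return {f: sorted(s) for f, s in seen.items() if len(s) > 1}

# Constructed sample: (source address, raw message) pairs, e.g. from a capture
# of UDP/514 traffic. Addresses and message text are made up.
SAMPLE = [
    ("192.0.2.10", "<134>Mar 26 21:16:01 gw1 constructed gateway message"),
    ("192.0.2.20", "<133>Mar 26 21:16:02 fw1 constructed firewall message"),
    ("192.0.2.30", "<150>Mar 26 21:16:03 sw1 constructed switch message"),
    ("192.0.2.40", "message without a PRI header"),
]

if __name__ == "__main__":
    for src, raw in SAMPLE:
        fac = facility_of(raw)
        print(src, fac, logfile_for(fac))
    print("shared facilities:", overlaps(SAMPLE))
```
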