3 Replies Latest reply on May 6, 2015 11:23 AM by barrycuda72

    Info logging vs Warning

    barrycuda72

      Pardon me if my question has been answered but I could not find it.

      I have some questions about what gets logged into the LEM.

      For example: I have a Cisco VPN appliance that sends all of its syslog information to a Kiwi server.

      I installed the LEM agent and configured the connector to look at the correct log file.

      In the log file I see a lot of entries marked Local4.Info, but they never show up in LEM; if, however, there is a Local4.Warning entry, it does appear.

      Is this by design? What if I wanted to use this for auditing a user's activity across the network? Those are just informational messages.

        • Re: Info logging vs Warning
          qle

          Ideally, network devices like a router, firewall or VPN appliance should forward their syslog directly to LEM. However, before doing so, you'll want to make sure that LEM has a connector built for said device. In our case, we have a Cisco ASA as our VPN appliance and so we use the Cisco PIX and IOS connector. Hope that helps!

          • Re: Info logging vs Warning
            mcsalchemy

            In our experience, it depends on the connector.


            For example, the Windows Application connector has a "catch-all" pattern at the end which is designed to pick up events for which there aren't (currently) more specific patterns. But that "catch-all" pattern is only designed to pick up Error and Warning events, not Information. Some of the more specific patterns in the connector may detect Info events, but the generic "catch-all" is not designed for that.


            So depending on how the connector you're using was designed, it may not be built to take in every message, but to focus on what are deemed to be the most important ones (i.e. those with higher severities). I can't say for sure, but my guess would be that this is to avoid potentially overwhelming the LEM server with events which generally are not the most critical.

            • Re: Info logging vs Warning
              barrycuda72

              That makes sense about the connector. Some devices I found were sending me almost everything, like the Cisco ASA, but a Cisco switch would only send me events with higher severity.
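The following is an added example to go with the thread above; it is not code from the original posts, from SolarWinds LEM or from Kiwi Syslog Server. It assumes Kiwi writes its text log as tab-separated columns (date/time, Facility.Severity, source host, message), maps the Local4.Info / Local4.Warning labels back to RFC 5424 numeric severities, and runs a Warning-or-higher threshold of the kind mcsalchemy describes over a handful of constructed ASA lines. The point it makes concrete is that a Warning threshold drops the Info-level VPN session events a user audit depends on, while an Info threshold keeps them. It also cross-checks the syslog header severity against the severity digit in the Cisco `%ASA-N-NNNNNN:` tag, which is a quick way to notice a relay rewriting priorities. The sample log lines and the last, deliberately mislabeled line are constructed, not captured from a device.

```python
"""Severity-threshold filtering over Kiwi-style syslog lines.

Added example, not code from LEM, Kiwi or anyone in the thread. It assumes
a Kiwi Syslog Server text log written as tab-separated columns:
    <date time> TAB <Facility.Severity> TAB <source host> TAB <message>
and shows how a "catch-all" rule that accepts only Warning and above
silently drops the Local4.Info records a VPN user audit would rely on.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# RFC 5424 numeric severities, keyed by the labels a syslog relay prints.
SEVERITY_BY_LABEL = {
    "emergency": 0, "emerg": 0, "alert": 1, "critical": 2, "crit": 2,
    "error": 3, "err": 3, "warning": 4, "warn": 4, "notice": 5,
    "info": 6, "informational": 6, "debug": 7,
}
# RFC 5424 facility codes; local0-local7 are 16-23.
FACILITY_BY_LABEL = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    **{f"local{n}": 16 + n for n in range(8)},
}
# Cisco ASA message tag such as "%ASA-6-302013:"; the middle digit is the
# severity the ASA itself assigned, independent of the syslog header.
ASA_TAG = re.compile(r"%ASA-(\d)-(\d{6}):")


@dataclass
class SyslogRecord:
    timestamp: str
    facility: int
    severity: int
    host: str
    message: str

    @property
    def pri(self) -> int:
        """PRI value as it travels in <PRI> on the wire: facility*8 + severity."""
        return self.facility * 8 + self.severity

    def asa_severity(self) -> Optional[int]:
        """Severity digit from the ASA message tag, or None if not an ASA message."""
        m = ASA_TAG.match(self.message)
        return int(m.group(1)) if m else None


def parse_kiwi_line(line: str) -> SyslogRecord:
    """Parse one tab-separated Kiwi-style line (assumed layout, see module doc)."""
    ts, prio, host, message = line.rstrip("\r\n").split("\t", 3)
    fac_label, sev_label = prio.strip().lower().split(".", 1)
    return SyslogRecord(ts, FACILITY_BY_LABEL[fac_label],
                        SEVERITY_BY_LABEL[sev_label], host, message)


def keep_at_most(records: List[SyslogRecord], max_severity: int) -> List[SyslogRecord]:
    """Keep records at max_severity or more urgent. Lower number = more urgent,
    so a Warning threshold (4) keeps 0-4 and drops Notice (5), Info (6), Debug (7)."""
    return [r for r in records if r.severity <= max_severity]


def header_tag_mismatches(records: List[SyslogRecord]) -> List[SyslogRecord]:
    """ASA records whose syslog header severity disagrees with the %ASA-N- digit.
    A relay that rewrites priorities can make a device's Info event look like a
    Warning (or the reverse), so compare the two before trusting a threshold."""
    return [r for r in records
            if r.asa_severity() is not None and r.asa_severity() != r.severity]


# Constructed sample lines in the assumed Kiwi layout; not captured from a real
# device. The last line is deliberately mislabeled (Warning header, severity-6
# tag) to exercise header_tag_mismatches().
SAMPLE_LOG = "\n".join([
    "2015-05-06 10:15:33\tLocal4.Info\t10.0.0.1\t%ASA-6-302013: Built outbound TCP connection 12345 for outside:198.51.100.7/443 to inside:10.0.0.20/51000",
    "2015-05-06 10:15:34\tLocal4.Info\t10.0.0.1\t%ASA-6-113039: Group <RemoteUsers> User <jsmith> IP <203.0.113.5> AnyConnect parent session started.",
    "2015-05-06 10:16:01\tLocal4.Warning\t10.0.0.1\t%ASA-4-106023: Deny tcp src outside:203.0.113.9/51234 dst inside:10.0.0.20/445 by access-group \"outside_in\"",
    "2015-05-06 10:16:05\tLocal4.Error\t10.0.0.1\t%ASA-3-710003: TCP access denied by ACL from 203.0.113.9/51234 to outside:198.51.100.1/22",
    "2015-05-06 10:17:10\tLocal4.Warning\t10.0.0.1\t%ASA-6-113039: Group <RemoteUsers> User <mjones> IP <203.0.113.6> AnyConnect parent session started.",
])


def load_sample() -> List[SyslogRecord]:
    """Parse the constructed sample log into records."""
    return [parse_kiwi_line(l) for l in SAMPLE_LOG.splitlines() if l.strip()]


if __name__ == "__main__":
    records = load_sample()
    warning_only = keep_at_most(records, SEVERITY_BY_LABEL["warning"])
    with_info = keep_at_most(records, SEVERITY_BY_LABEL["info"])
    print(f"{len(records)} records; Warning-and-up keeps {len(warning_only)}, "
          f"Info-and-up keeps {len(with_info)}")
    for r in records:
        if r not in warning_only:
            print("dropped by Warning threshold:", r.message[:40])
    for r in header_tag_mismatches(records):
        print("header/tag severity mismatch:", r.timestamp, r.message[:20])
```

With the Warning threshold the two Info lines, including the AnyConnect session-start event that a user audit would need, are dropped; raising the threshold to Info keeps all five. The mismatch check flags the last constructed line, whose header says Warning while the ASA tag says 6, so if a connector or relay is applying a threshold on the header label alone, events the device considered informational can slip through (or be filtered out) on the basis of a label the device did not set.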