Viewing Device Logs


This section describes Device Logs in SL1.

Use the following menu options to navigate the SL1 user interface:

  • To view a pop-out list of menu options, click the menu icon.
  • To view a page containing all of the menu options, click the Advanced menu icon.

Viewing Device Logs and Messages

You can view logs and messages for a device in the Investigator tab of the Device Investigator page.

The Investigator tab displays a customizable set of metrics and panels that display information about the selected device. One of those panels is the Logs panel:

Image of the Logs panel in the Device Investigator

The Logs panel displays all of the messages SL1 and the SL1 Agent, if applicable, have collected from the device. You might find it helpful to view these log entries during troubleshooting or to manually check on the status of a device.

NOTE: For more information about Log File Monitoring Policies and using the SL1 Agent to monitor device logs, see the section on Monitoring Logs Using the SL1 Agent.

The Logs panel displays the following information about each device log entry:

  • Device Name. The name of the device on which the log message was collected.
  • Date/Time. The date and time the entry was made in the log.
  • Source. The entity or process that generated the message. Options include:
      • Syslog. Entry was generated from the standard system log generated by the device.
      • Internal. Entry was generated by SL1.
      • Trap. Entry was generated by an SNMP trap.
      • Dynamic. Entry was generated by a Dynamic Application.
      • API. Entry was generated by another application.
      • Email. Entry was generated by an email message from a third-party application to SL1.
      • ScienceLogic Agent. Entry was generated by the SL1 Agent.
  • Severity. The color-coded severity of the event that generated the log entry, if applicable. Possible values are:
      • Critical. Indicates a condition that can seriously impair or curtail service and requires immediate attention (for example, service or system outages).
      • Major. Indicates a condition that impacts service and requires immediate investigation.
      • Minor. Indicates a condition that does not currently impair service, but the condition needs to be corrected before it becomes more severe.
      • Notice. Indicates a condition that does not affect service but about which users should be aware.
      • Healthy. Indicates that a device or condition has returned to a healthy state. Frequently, a healthy event is generated after a problem has been fixed.
  • Message. Text of the log entry.

Viewing Device Logs and Messages in the Classic SL1 User Interface

In the Device Administration panel, the Device Logs & Messages page displays all the messages SL1 and the SL1 agent, if applicable, have collected from the device. You might find it helpful to view these log entries during troubleshooting or to manually check on the status of a device.

To access the Device Logs & Messages page for a device:

  1. Go to the Device Manager page (Devices > Device Manager).
  2. In the Device Manager page, find the device for which you want to view the device logs. Select its wrench icon.
  3. In the Device Administration panel, select the Logs tab.
  4. The Device Logs & Messages page displays the following about each log entry:
      • Date Time. The date and time the entry was made in the log.
      • Source. The entity or process that generated the message.
          • Syslog. Entry was generated from standard system log generated by device.
          • Internal. Entry was generated by SL1.
          • Trap. Entry was generated by an SNMP trap.
          • Dynamic. Entry was generated by a Dynamic Application.
          • API. Entry was generated by another application.
          • Email. Entry was generated by an email message from a third-party application to SL1.
          • ScienceLogic Agent. Entry was generated by the SL1 Agent.
      • Event ID. If an event was created, a unique event ID, generated by SL1. If the log entry is not associated with an event, no ID appears in this column.
      • Priority. If applicable, specifies the priority of the syslog message.
          • Info. An error occurred.
          • Notice. An error has not occurred. Entry denotes normal system activity.
          • N / A. Not applicable. Entry was not generated by syslog.
      • Message. Text of the log entry, color coded to match event severity (if applicable).

Viewing Events Associated with a Log Entry

From the Device Logs & Messages page you can view the event generated by each log entry. To do so:

  1. Go to the Device Manager page (Devices > Device Manager).
  2. In the Device Manager page, find the device whose log you want to view. Select its wrench icon.
  3. In the Device Administration panel, click the Logs tab.
  4. In the Device Logs & Messages page, find the log entry you are interested in. Select its event icon.
  5. The Viewing Events page appears for the device and displays the event associated with the selected log entry. For details on events, see the section on Events.

Creating an Event Policy from a Log Entry

From the Device Logs & Messages page, you can create a new event policy based on a log entry. If a log entry does not have an event policy already associated with it, the pencil icon will appear next to the entry. You can click on this icon to create a new event policy. After you create an event policy, each time this log entry is generated for a device, SL1 will trigger an event in the Events page.

For devices on which the SL1 agent is installed, you can also define a Log File Monitoring policy. Log File Monitoring policies specify the log files the agent should monitor, and which lines from those log files the agent should send to the platform. You can define event policies to trigger an event based on Log File Monitoring policies.

NOTE: For more information about Log File Monitoring Policies and using the SL1 Agent to monitor device logs, see the section on Monitoring Logs Using the SL1 Agent.

To create an event policy from a log entry:

  1. Go to the Device Manager page (Devices > Device Manager).
  2. In the Device Manager page, find the device whose log you want to view. Select its wrench icon.
  3. In the Device Administration panel, click the Logs tab.
  4. In the Device Logs & Messages page, find the log entry from which you want to create an event policy. Select its pencil icon.
  5. The Event Policy Editor page appears, with some of the fields automatically populated with values from the selected log entry. For details on defining event policies, see the Events section.

Redirecting Log Data from One Device to Another

The Redirects tab of the Device Investigator (or the Redirect Policy Editor page in the Device Administration panel in the classic SL1 user interface) enables you to redirect log entries from one IP-based device to another IP-based device, or from an IP-based device to a virtual device.

This is perhaps most useful for devices that do not support TCP/IP. Using a redirect, SL1 can push data from a device that does not support TCP/IP to another device that does, and then collect the data from the device that does support TCP/IP.

In this scenario, you can create a virtual device in SL1 to represent the device that does not support TCP/IP. You can then move the data from the TCP/IP device that is monitored by SL1 to the virtual device in SL1. The Redirects tab of the Device Investigator (or the Redirect Policy Editor page in the Device Administration panel in the classic SL1 user interface) allows you to move data and log entries generated by inbound SNMP Trap, Syslog, or Email messages from the TCP/IP device to the virtual device. However, if you do so, be aware of the following:

  • Log entries that are redirected to a virtual device will no longer appear in the log files for the IP-based device.
  • Log entries that are redirected to a virtual device are no longer associated with the IP address of the original device.
  • Log entries with a Source of Internal, Dynamic, or API that match a redirect policy are not moved from the IP-based device to the current device.

To redirect data from one IP-based device to another IP-based device or a virtual device:

  1. Go to the Redirects tab of the Device Investigator for the virtual or IP-based device to which you want to redirect data. (Alternatively, in the classic SL1 user interface, go to the Redirect Policy Editor page in the Device Administration panel. To do so, go to the Device Manager page (Devices > Device Manager), find the device to which you want to direct data, click its wrench icon, and then click the Redirects tab.)
  2. To move SNMP Trap, Syslog, or Email log messages from an IP-based device to the current device, provide values in each of the following fields:
      • Source Device. This is the TCP/IP device from which you want to redirect log messages. Data from this device will be moved to the current device. Select from a drop-down list of all IP-based devices discovered by SL1.
      • Expression Match. A regular expression used to locate the log entry to redirect. This can be any combination of alphanumeric and multi-byte characters, up to 64 characters in length. SL1's expression matching is case-sensitive. For details on the regular-expression syntax allowed by SL1, see http://www.python.org/doc/howto/ .
      • Active State. Specifies whether or not SL1 will execute the redirection policy. The choices are:
          • Enable. SL1 will execute the redirection policy.
          • Disable. SL1 will not execute the redirection policy.
  3. Click Save.
  4. You can repeat steps 2 and 3 to redirect data from more than one device or from more than one type of log message.
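
Because redirected entries leave the source device's log and lose their association with its IP address, it helps to preview what an Expression Match value would move before saving the policy. The following is an added example, not part of the SL1 documentation or product code. It assumes the expression can match anywhere in the message (Python re.search semantics); the function names, entry dictionaries, and sample messages are constructed for illustration.

```python
import re

# Sources the page says a redirect policy moves. Internal, Dynamic and API
# entries stay on the source device even when the expression matches.
REDIRECTABLE_SOURCES = {"Syslog", "Trap", "Email"}
MAX_EXPRESSION_LENGTH = 64  # Expression Match field limit stated on the page


def check_expression(expression):
    """Return a compiled, case-sensitive pattern or raise ValueError."""
    if not expression:
        raise ValueError("expression is empty")
    if len(expression) > MAX_EXPRESSION_LENGTH:
        raise ValueError(
            f"expression is {len(expression)} characters; limit is {MAX_EXPRESSION_LENGTH}"
        )
    try:
        return re.compile(expression)  # no re.IGNORECASE: matching is case-sensitive
    except re.error as exc:
        raise ValueError(f"invalid regular expression: {exc}") from exc


def preview_redirect(expression, entries):
    """Split log entries into (redirected, kept) for one redirect policy.

    Assumption: the expression may match anywhere in the message (re.search).
    """
    pattern = check_expression(expression)
    redirected, kept = [], []
    for entry in entries:
        moves = entry["source"] in REDIRECTABLE_SOURCES and pattern.search(entry["message"])
        (redirected if moves else kept).append(entry)
    return redirected, kept


# Constructed sample entries (not real SL1 output).
SAMPLE_ENTRIES = [
    {"source": "Syslog", "message": "PLC-07 serial link down on port 2"},
    {"source": "Syslog", "message": "plc-07 heartbeat ok"},
    {"source": "Trap", "message": "PLC-07 temperature threshold exceeded"},
    {"source": "Internal", "message": "PLC-07 availability check failed"},
    {"source": "Syslog", "message": "sshd: Failed password for admin"},
]

if __name__ == "__main__":
    moved, stayed = preview_redirect(r"PLC-07\b", SAMPLE_ENTRIES)
    for e in moved:
        print("redirect:", e["source"], "|", e["message"])
    for e in stayed:
        print("keep:    ", e["source"], "|", e["message"])
```

Running the preview with a broad expression such as `.*` shows every Syslog, Trap, and Email entry, including unrelated authentication failures, leaving the source device's log.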

Viewing Logs for All Devices

The Audit Logs page (System > Monitor > Audit Logs) displays a list of all actions that have occurred on all devices.

For details on the Audit Logs page, see the System Administration section.