Cisco Defense Orchestrator

Event Logging Troubleshooting Log Files

The Secure Event Connector (SEC) gathers all event streamer logs and compresses them in a single .tar.gz file.

Run the Troubleshooting Script

Follow this procedure to run the script:

  1. Open your VM hypervisor and start a console session for your Secure Device Connector (SDC). 
  2. Log in and then switch to the root user:
[cdo@localhost ~]$ sudo su root

Note: You could also switch to the sdc user, but when acting as root you also receive iptables information. The iptables information shows that the firewall is running on the device and lists all the firewall routes. If the firewall is blocking Secure Event Connector TCP or UDP ports, events will not show up in the Event Logging table. The iptables output will help you determine if that is the case.

  3. At the prompt, run the troubleshoot script and specify the tenant name. This is the command syntax:
[root@localhost ~]$ /usr/local/cdo/toolkit/ --app sec --tenant CDO_[tenant_name]

Here is an example:

[root@localhost ~]$ /usr/local/cdo/toolkit/ --app sec --tenant CDO_example_tenant

In the command output, you'll see that the sec_troubleshoot file is stored in the /tmp/troubleshoot directory on your SDC. The file name follows the convention sec_troubleshoot-timestamp.tar.gz.

  4. To retrieve the file, log in as the CDO user and download it using SCP or SFTP.

Here is an example:

[root@localhost troubleshoot]# scp sec_troubleshoot-timestamp.tar.gz root@server-ip:/scp/sec_troubleshoot-timestamp.tar.gz  

Uncompress the sec_troubleshoot.tar.gz file

At the prompt, type the following:

[root@localhost ~]$ tar xvf sec_troubleshoot-timestamp.tar.gz

The log files are stored in a directory named after your tenant. These are the kinds of logs stored in the sec_troubleshoot-timestamp.tar.gz file. The iptables file is included if you gathered all the log files as the root user.
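
The retrieval and unpacking steps above, as an added shell example that is not part of the Cisco documentation: it picks the newest bundle by the sec_troubleshoot-timestamp.tar.gz naming convention, checks the archive and its member paths, extracts it into an owner-only directory, and reports whether the iptables file was collected. The function names, the destination directory, and matching the firewall file by the substring "iptables" are assumptions.

```bash
#!/usr/bin/env bash
# Added example: handle a SEC troubleshooting bundle before opening it.
# Assumptions (not from the Cisco page): function names, the destination
# directory, and matching the firewall dump by the substring "iptables".

# Print the newest sec_troubleshoot-*.tar.gz in a directory
# (default: /tmp/troubleshoot, where the script writes it on the SDC).
sec_latest_bundle() {
    local dir="${1:-/tmp/troubleshoot}" newest="" f
    for f in "$dir"/sec_troubleshoot-*.tar.gz; do
        [ -f "$f" ] || continue
        if [ -z "$newest" ] || [ "$f" -nt "$newest" ]; then newest="$f"; fi
    done
    [ -n "$newest" ] && printf '%s\n' "$newest"
}

# Test the archive, refuse unsafe member paths, then extract it.
# Prints iptables=yes or iptables=no on success.
sec_unpack_bundle() {
    local bundle="$1" dest="$2" members
    # A truncated SCP/SFTP transfer fails here instead of half-extracting.
    gzip -t "$bundle" || { echo "corrupt or truncated: $bundle" >&2; return 1; }
    members="$(tar -tzf "$bundle")" || return 1
    # Reject absolute paths and ".." components before anything is written.
    if printf '%s\n' "$members" | grep -Eq '^/|(^|/)\.\.(/|$)'; then
        echo "unsafe member path in $bundle" >&2
        return 2
    fi
    # The bundle holds logs and firewall rules: when the destination does
    # not exist yet, it is created readable by its owner only.
    ( umask 077; mkdir -p "$dest" && tar -xzf "$bundle" -C "$dest" ) || return 1
    # The iptables file is only present when the script was run as root.
    if printf '%s\n' "$members" | grep -qi 'iptables'; then
        echo "iptables=yes"
    else
        echo "iptables=no"
    fi
}
```

A result of iptables=no means the bundle was gathered as the sdc user, so firewall rules blocking the SEC ports cannot be checked from it.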