Log import failure during remote log collection in EventLog Analyzer

Issue description

EventLog Analyzer displays an error notification in the UI stating that the log import for the selected files has failed.
This happens when EventLog Analyzer is unable to import a file during the scheduled log import activity.

Prerequisites

  • Make sure there is proper connectivity between EventLog Analyzer and the target device where the log file is located.
  • For the SMB protocol (Windows), it is required to have connectivity over port 137, 138, 139, or 445 between the EventLog Analyzer server and the target location.
  • For SFTP- or FTP-based log import configurations, ensure connectivity over the port used by the file transfer service on the target Linux or Unix machine. (The default port number is 20 or 21.)
  • The account configured should be in an enabled state and also must have read access to the file being imported.
  • If the account's password was changed recently, update the log import configuration with the current credentials.
  • The file should exist in the location specified in the log import section.

Possible causes

  • There is a connectivity issue between the EventLog Analyzer server and the target Windows, Linux, or Unix machine.
  • The required ports are blocked: SMB-based log import requires ports 137, 138, 139, and 445, while SFTP-based log import requires the port that the SFTP server or SSH daemon listens on. (By default, ports 20, 21, and 22 are used for SFTP connections.)
  • There are insufficient access permissions for the account used. (Read-level access to the concerned log files to be imported is required.)

Resolution steps

  • If you notice that a log import activity is failing, navigate to Settings > Log Source Configuration > Import Logs.
  • Under the Import Logs section, locate the log file that is currently experiencing an import issue.
  • After locating the file, note down the following details:
    • Hostname or IP address of the remote device
    • Username used for the log import (to see the username, click the Update button next to the name of the log file)

Once you have gathered the details, validate the various factors involved in the process.
1. Connectivity between the EventLog Analyzer server and the remote device
    • Open a PowerShell window on the EventLog Analyzer server and execute the command below.
      • tnc <hostname/IP address of remote server> -p <port number of the remote server's file service protocol>
      • For the Windows SMB protocol, use port numbers 137, 138, 139, and 445.
      • For SFTP or FTP, the default ports are 20 and 21; however, a user-defined port can be used depending on the SFTP service configuration.
    • If the connectivity test fails:
      • Verify that the remote device is up and running.
      • Make sure there aren't any network- or OS-level firewall restrictions preventing connectivity over the ports specified.
    • If the connectivity test succeeds, proceed to verify access using the native methods of importing log files.
      • Windows SMB protocol:
        • Open a Command Prompt window on the EventLog Analyzer server and run the command given below.
          net use Z: \\remote-server\share /user:domain\username password
        • Replace remote-server with the IP or hostname of the remote server where the log file is located.
        • Replace domain\username with the actual domain and user account name (for example, zylker\testuser1).
        • For password, enter the password of the user account.
        • Example command:
          net use r: \\192.168.2.1\logs /user:me\smbuser1 Password@123
        • This command creates a network-mapped drive on the EventLog Analyzer server.
        • Open File Explorer and check whether you can access the file within the network-mapped drive.
      • Unix- or Linux-based FTP or SFTP protocols:
        • Download and install a third-party SFTP client application, such as WinSCP, on the EventLog Analyzer server.
        • Open the SFTP client, try connecting to the remote SFTP server, and check whether the connection succeeds.
        • If authentication fails, it could be due to reasons such as:
          • The user account's password is incorrect.
          • The user may not have permission to log in remotely using SSH. (Check the SSH daemon configuration of the specific Linux device.)
          • The user may not have access to the specific folder or file. In this case, grant the user read access and try again.
        • Check whether the file physically exists on the machine.
2. In case of authentication issues or if permission is denied, check the following:
    1. Make sure the user account is not locked out or disabled.
    2. Check whether the user account has read access to the file within the share.
    3. If you have checked all the steps above, ensure that the file physically exists at the location configured on the remote server.
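As an added example (not part of this article and not part of EventLog Analyzer), the PowerShell script below automates the SMB-side checks from the steps above in one pass: it probes the listed ports with Test-NetConnection (the tnc alias used above), maps the share with the account configured for the import, and confirms that the log file both exists and can be opened for reading by that account. The host, share name, file path and drive name are placeholders modelled on the example command above; run the script on the EventLog Analyzer server.

```powershell
# Added example, not code from the original article or from EventLog Analyzer.
# Automates the SMB connectivity / authentication / read-access checks described above.
# All values below are placeholders: replace them with the details noted under Import Logs.
param(
    [string]$RemoteHost = '192.168.2.1',        # placeholder: remote server hosting the share
    [string]$ShareName  = 'logs',               # placeholder: SMB share name
    [string]$LogFile    = 'app\server.log',     # placeholder: file path relative to the share root
    [int[]] $Ports      = @(137, 138, 139, 445) # SMB-related ports named in the article
)

# --- 1. Connectivity ---------------------------------------------------------
# Test-NetConnection probes TCP only. Ports 137/138 carry UDP NetBIOS services,
# so a TCP probe to them normally fails even when SMB works; 445 is the decisive check.
$portResults = foreach ($p in $Ports) {
    $r = Test-NetConnection -ComputerName $RemoteHost -Port $p -WarningAction SilentlyContinue
    [pscustomobject]@{ Port = $p; TcpOpen = $r.TcpTestSucceeded; PingOk = $r.PingSucceeded }
}
$portResults | Format-Table -AutoSize

if (-not ($portResults | Where-Object { $_.Port -eq 445 -and $_.TcpOpen })) {
    Write-Warning "TCP 445 to $RemoteHost is not reachable. Check that the host is up and that no network- or OS-level firewall blocks SMB."
}

# --- 2. Authentication -------------------------------------------------------
# Map the share with the exact account configured for the log import (DOMAIN\user).
$cred = Get-Credential -Message 'Account configured for the log import (DOMAIN\user)'
$unc  = "\\$RemoteHost\$ShareName"
try {
    New-PSDrive -Name ELAImportCheck -PSProvider FileSystem -Root $unc -Credential $cred -ErrorAction Stop | Out-Null
} catch {
    Write-Error "Could not map $unc as $($cred.UserName): $($_.Exception.Message)"
    Write-Host  "Typical causes: wrong or recently changed password, locked or disabled account, no share-level access."
    return
}

# --- 3. File existence and read permission -----------------------------------
$path = Join-Path 'ELAImportCheck:' $LogFile
if (-not (Test-Path -LiteralPath $path)) {
    Write-Warning "File not found at $unc\$LogFile. Verify the path configured under Import Logs."
} else {
    try {
        # Reading the first line exercises the same read permission the import needs.
        Get-Content -LiteralPath $path -TotalCount 1 -ErrorAction Stop | Out-Null
        Write-Host "OK: $unc\$LogFile exists and is readable by $($cred.UserName)."
    } catch {
        Write-Warning "File exists but cannot be opened for reading: $($_.Exception.Message). Check the NTFS read permission for $($cred.UserName)."
    }
}

Remove-PSDrive -Name ELAImportCheck -ErrorAction SilentlyContinue
```

If the script reports the file as readable but the scheduled import still fails, the remaining difference is usually the identity under which the EventLog Analyzer service runs versus the account you tested with, which is the point at which the support steps below apply.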
 

Related topics and articles

  1. Import log files

How to contact support

If you were able to connect to the remote device and access the concerned log file through the native methods described above but are still unable to fix the log import issue in EventLog Analyzer, please reach out to the EventLog Analyzer support team for further assistance.
