Issue description

1. Device down: The device is disconnected from the network or turned down or off.
2. Network restriction: There was a change to the network settings, which might have blocked the traffic of incoming logs on the server and the outgoing ping requests.
3. Syslog misconfiguration: Changes performed on the syslog configuration can cause issues.
4. Listener port changes: Changes performed on the listener ports of EventLog Analyzer can cause problems.
5. Firewall and security application restriction: Restrictions added in the local firewall or security applications in EventLog Analyzer might block the traffic.
   
6. Mismatch in device date and timezone: The device's last message time will be updated based on the timezone recorded in the application. A mismatch and error can occur if the device date and timezone varies, the last message received from the EventLog Analyzer service is more than 24 hours, or if the device is not reachable from EventLog Analyzer. 
   

Prerequisites

1. Access to the EventLog Analyzer interface.
   
2. Administrative access to the EventLog Analyzer host server.
   
3. Check if the syslog service is configured as per the device vendor recommendation to forward the logs in the format below. 
   

RFC 5424, RFC 3164 or CEF

1. Verify if EventLog Analyzer is listening on the ports to which syslog packets are being sent. Check if the status is marked as "listening" in Log Receiver >> Server Details (Refer to the image below) or in Listener Port Settings.
   
   

Resolution

Case 1: Log packets listed in Log Receiver.
Case 2: Log packets are not listed in Log Receiver.

Case 1:  Log packets listed in Log Receiver

Step 1: Check if there are any local firewall or security applications that might block the traffic to reach the EventLog Analyzer application.

Windows: This can be checked in Resource monitor >> Network >> Listener port (Refer to the image below)
 

Review the local firewall to allow the port to have the firewall status as "Allowed, not restricted" for SysEvtCol.exe process.

Linux: 
Enter this command in the command prompt: netstat -ano | grep 514

Ensure that the displayed process ID (PID) matches SysEvtCol.exe.

Check and create inbound rules in Windows Firewall to allow the traffic over the syslog incoming ports.

Step 2: If you have enabled any specific traffic rule in your internal security application, kindly review network access control policies to allow traffic for the syslog ports.

Step 3: Ensure that the device is not added to any other category in Settings >> Log source configuration.
Once the log packet is collected by the application, the device will be auto added or resume the log collection.

 Case 2: Log packets are not listed in Log Receiver. 

 This that either the log packet has not reached EventLog Analyzer server, or the packet is not read by Log Receiver.

Step 1: Check if there are any changes in syslog configuration and if logs are forwarded to EventLog Analyzer server. You can try installing any packet capture tool to review the incoming packets.
Step 2: Review the network setup to ensure that the traffic is allowed through the network firewall to reach the EventLog Analyzer server over the designated ports.
Step 3: Test the connection to EventLog Analyzer server from the syslog device end over the syslog port.
Step 4: Check the Bind Address and set the respective IP address or all interfaces to have the log collector being able to listen over the connection. This can be updated in Connection Settings 

The updated information will be listed in Log receiver >> Server details.

Tips

• Configure the log collection failure alert to ensure you are notified if the logs are not collected.

• Schedule routine checks to detect device availability.

• Enable Ping within the internal network to monitor device availability and reachability for seamless log collection.