Network device status shows 'Device not Reachable'

Issue description

A network device in EventLog Analyzer is marked "Device not Reachable" when the last message the EventLog Analyzer server received from that device is older than 24 hours. The status is shown in the log sources section of EventLog Analyzer. This article explains what the status means and how to resolve it.

Possible causes

The status is set when no syslog messages have been collected from the device for a period of time and the device cannot be reached with the ping command from the EventLog Analyzer server. Possible reasons include:
  1. Device down: The device is disconnected from the network, shut down, or powered off.
  2. Network restriction: A change to the network configuration is blocking incoming log traffic to the server or outgoing ping requests from it.
  3. Syslog misconfiguration: The syslog forwarding configuration on the device was changed (for example, the destination address or port).
  4. Listener port changes: The listener ports in EventLog Analyzer were changed and no longer match the port the device sends to.
  5. Firewall and security application restriction: A rule in the local firewall or in a security application on the EventLog Analyzer host is blocking the traffic.
  6. Mismatch in device date and timezone: The device's last message time is recorded using the timezone configured for the device in the application. If the device's clock or timezone differs from what the application expects, the computed age of the last message can exceed 24 hours even though the device is still sending logs; when that happens and the device also does not answer ping from EventLog Analyzer, it is marked not reachable.

Prerequisites

  1. Access to the EventLog Analyzer interface.
  2. Administrative access to the EventLog Analyzer host server.
  3. The syslog service on the device is configured as per the vendor's recommendation to forward logs in one of these formats: RFC 5424, RFC 3164 or CEF.
  4. EventLog Analyzer is listening on the ports to which the syslog packets are being sent. Check that the status is marked as "listening" in Log Receiver >> Server Details (refer to the image below) or in Listener Port Settings.

Resolution

Step 1: Check that the target device is up and is actively recording events with the current date. Compare the timestamp of the latest events recorded on the device with the time on the EventLog Analyzer server and confirm that the difference, after accounting for the timezone of each, is less than 24 hours. If the device's date is off by more than 24 hours, reset it to the current time.

Step 2: If the timezone of the syslog device and the EventLog Analyzer server differ, update the timezone of the syslog device in Settings >> Log Source Configuration >> Devices >> Syslog Devices. Hover over the device and click the '✎' icon. In the Update Device pop-up, click Advanced >> Timezone and select the timezone. (Refer to the image below)
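As an added illustration of the timezone check in Steps 1 and 2 (this is example code, not part of EventLog Analyzer or its documentation), the script below computes the age of a device's last syslog message under different timezones configured for the device and shows how the same timestamp lands on either side of the 24-hour threshold depending on that setting. The server clock, the device timestamp and the fixed UTC offsets are constructed for the example; only the 24-hour threshold and the status names come from the article.

```python
from datetime import datetime, timedelta, timezone, tzinfo

# Threshold the article describes: no message for more than 24 hours.
STALE_AFTER = timedelta(hours=24)


def parse_device_timestamp(stamp: str, device_tz: tzinfo) -> datetime:
    """Interpret a naive device timestamp (no UTC offset, as in RFC 3164 syslog)
    in the timezone configured for the device in the application."""
    naive = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
    return naive.replace(tzinfo=device_tz)


def message_age(stamp: str, device_tz: tzinfo, now: datetime) -> timedelta:
    """Age of the last message relative to the (timezone-aware) server clock."""
    return now - parse_device_timestamp(stamp, device_tz)


def classify(stamp: str, device_tz: tzinfo, now: datetime) -> str:
    """Map the computed age onto the situations the troubleshooting steps cover."""
    age = message_age(stamp, device_tz, now)
    if age < timedelta(0):
        # Device clock (or its configured timezone) is ahead of the server: Step 1.
        return "clock ahead: reset the device date/time"
    if age > STALE_AFTER:
        return "stale: Device not Reachable"
    return "ok: Listening for logs"


# Constructed sample: server clock and the last timestamp seen from the device.
SERVER_NOW = datetime(2024, 1, 15, 12, 0, 0, tzinfo=timezone.utc)
LAST_STAMP = "2024-01-14 20:00:00"  # as printed by the device, no offset

# Fixed offsets so the example runs without tzdata installed; in practice use
# zoneinfo.ZoneInfo("Asia/Tokyo") and similar so daylight-saving shifts are handled.
UTC = timezone.utc
TOKYO = timezone(timedelta(hours=9))        # JST, no DST
LOS_ANGELES = timezone(timedelta(hours=-8))  # PST in January


def demo() -> dict:
    """The same device timestamp interpreted under three configured timezones."""
    return {
        "UTC": classify(LAST_STAMP, UTC, SERVER_NOW),
        "Asia/Tokyo": classify(LAST_STAMP, TOKYO, SERVER_NOW),
        "America/Los_Angeles": classify(LAST_STAMP, LOS_ANGELES, SERVER_NOW),
    }


if __name__ == "__main__":
    for tz_name, status in demo().items():
        print(f"{tz_name:20s} -> {status}")
```

A device registered as UTC but actually stamping in JST looks 9 hours fresher than it is, so a genuine outage is noticed late; the reverse mismatch makes a healthy device read as stale. Setting the device's timezone in the Update Device pop-up fixes the interpretation without touching the device clock; a clock that is ahead of the server has to be corrected on the device itself.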

Step 3: Check whether a firewall blocks ping requests from the EventLog Analyzer server to the target device, and correct the firewall settings or any other network restriction that prevents ping requests internally.
Step 4: The status is updated to "Listening for logs" automatically once a log is collected from the respective source.
Step 5: If logs are still not collected in EventLog Analyzer, check whether they are received in Log Receiver, the built-in packet capture tool. There are two cases:

Case 1: Log packets listed in Log Receiver.
Case 2: Log packets are not listed in Log Receiver.

Case 1:  Log packets listed in Log Receiver


Step 1: Check whether a local firewall or security application on the EventLog Analyzer host is blocking the traffic from reaching the EventLog Analyzer application.

Windows: Open Resource Monitor >> Network >> Listening Ports (refer to the image below) and confirm that the syslog port is owned by the SysEvtCol.exe process and that its Firewall Status is "Allowed, not restricted". Alternatively, run the following in a command prompt and confirm that the PID shown for the port belongs to SysEvtCol.exe:
netstat -ano | findstr 514

If the traffic is blocked, create inbound rules in Windows Firewall to allow traffic on the syslog listener ports.

Linux: Run the following (as root, since -p needs privileges to show the owning process) and confirm that the socket listening on the syslog port belongs to the EventLog Analyzer collector process (SysEvtCol):
netstat -anp | grep 514

Note that on Linux netstat -o shows socket timers, not process IDs; ss -lnup | grep 514 gives the same information on systems without netstat. Ensure that no host firewall rule (iptables, nftables or firewalld) drops traffic on the syslog ports.

Step 2: If you have enabled specific traffic rules in an internal security application, review its network access control policies to allow traffic on the syslog ports.

Step 3: Ensure that the device is not already added under another category in Settings >> Log Source Configuration.
Once a log packet is collected by the application, the device is added automatically or log collection resumes.

Case 2: Log packets are not listed in Log Receiver

This means that either the log packet has not reached the EventLog Analyzer server, or the packet was not read by Log Receiver.
Step 1: Check whether the syslog configuration on the device has changed and that logs are still being forwarded to the EventLog Analyzer server. A packet capture tool on the server (for example, tcpdump or Wireshark) can be used to confirm whether the packets arrive.
Step 2: Review the network setup to ensure that traffic is allowed through the network firewall to reach the EventLog Analyzer server on the designated ports.
Step 3: Test the connection from the syslog device to the EventLog Analyzer server on the syslog port.
Step 4: Check the Bind Address and set it to the server's IP address, or to all interfaces, so that the log collector listens on the interface the packets arrive on. This can be updated in Connection Settings.

The updated information is listed in Log Receiver >> Server Details.
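To test the connection from the device side (Step 3) and to see why the Bind Address matters (Step 4), here is an added example in Python; it is not part of EventLog Analyzer or the vendor's tooling. It builds a minimal RFC 5424 message, sends it over UDP, and, for an offline self-check, starts a throwaway listener bound to a chosen address on the same host so the effect of the bind address can be observed without a second machine. The device hostname, app name and message text are constructed; port 514/UDP is assumed to be the listener port, and a TCP listener would need a different test.

```python
import socket
from datetime import datetime, timezone
from typing import Optional, Tuple

# Constructed sample values; a real device reports its own hostname and app name.
DEVICE_HOST = "syslog-device-01"
APP_NAME = "ela-probe"


def build_rfc5424(msg: str, hostname: str = DEVICE_HOST, app: str = APP_NAME,
                  facility: int = 1, severity: int = 6,
                  timestamp: Optional[datetime] = None) -> str:
    """Build a minimal RFC 5424 line: <PRI>VERSION TIMESTAMP HOST APP PROCID MSGID SD MSG.
    PRI = facility * 8 + severity; facility 1 = user, severity 6 = informational."""
    pri = facility * 8 + severity
    ts = (timestamp or datetime.now(timezone.utc)).strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"<{pri}>1 {ts} {hostname} {app} - - - {msg}"


def parse_pri(line: str) -> Tuple[int, int]:
    """Return (facility, severity) from the leading <PRI>; raises on malformed input."""
    if not line.startswith("<") or ">" not in line:
        raise ValueError("missing PRI")
    pri = int(line[1:line.index(">")])
    return pri // 8, pri % 8


def send_probe(host: str, port: int = 514) -> str:
    """Send one test message to a real syslog listener. UDP is one-way, so the
    only confirmation is the packet showing up in Log Receiver on the server."""
    payload = build_rfc5424("reachability probe from device")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(payload.encode("utf-8"), (host, port))
    return payload


def udp_roundtrip(bind_host: str, target_host: str, timeout: float = 2.0) -> Optional[str]:
    """Offline self-check: bind a listener on bind_host (port chosen by the OS),
    send one message to target_host on that port, and return what arrived, or
    None on timeout. A listener bound to a single address only receives packets
    addressed to that address, which is the Bind Address problem from Step 4."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        listener.bind((bind_host, 0))
        listener.settimeout(timeout)
        port = listener.getsockname()[1]
        payload = build_rfc5424("reachability probe").encode("utf-8")
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sender:
            sender.sendto(payload, (target_host, port))
        try:
            data, _ = listener.recvfrom(65535)
        except socket.timeout:
            return None
        return data.decode("utf-8", errors="replace")
    finally:
        listener.close()


if __name__ == "__main__":
    # Both of these succeed: the listener is bound to the address the packet targets,
    # or to all interfaces (0.0.0.0), which is what the article recommends.
    print("bound to 127.0.0.1:", udp_roundtrip("127.0.0.1", "127.0.0.1"))
    print("bound to 0.0.0.0:  ", udp_roundtrip("0.0.0.0", "127.0.0.1"))
```

On the device itself, send_probe(<EventLog Analyzer IP>) is the equivalent of Step 3; if the packet capture on the server (Step 1) shows it arriving but Log Receiver never lists it, the collector is bound to a different address than the one the packet was sent to, which is what Step 4 corrects.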

Tips

  • Configure the log collection failure alert to ensure you are notified if the logs are not collected.

  • Schedule routine checks to detect device availability.

  • Enable Ping within the internal network to monitor device availability and reachability for seamless log collection.
