No data from Syslog devices | Online help - EventLog Analyzer

No data from Syslog devices

No data from Syslog devices 

  1. Ensure that the Syslog device is configured to forward the logs to EventLog Analyzer Server. Click here to know more about Syslog configuration in the respective devices.

  2. In both Hardware and Software Firewall, ensure that the ports for log forwarding are opened.

 

Note: The default ports are UDP 513, UDP 514, and TCP 514. If the customer is forwarding the logs to a different port, open the EventLog Analyzer GUI ⇾ Settings tab ⇾ System Settings ⇾ Listener Ports ⇾ Add and enable the required port.

 

  1. Click on "Log Receiver" at the right-top corner and check whether the forwarded log packets are displayed.

  2. If the log packets are displayed in "Log Receiver":

    1. Go to the "Search" tab and search for logs by picking that specific device and leaving the type as "All Log Types".

    2. If the search result returns the logs but as a different log source, go to the Settings tab Configuration ManageDevices Syslog devices ⇾ click on "update" next to the device ⇾ change the device type accordingly.

    3. If search does not return anything, open command prompt and execute netstat -ano | findstr 514 (or the desired port number). This will display which PID is using the port. Then, open Task Manager ⇾ go to "Details" tab ⇾ ensure that SysEvtCol.exe process is using the port. If not, inform the customer about the process that is blocking the usage of the port.

  3. If the log packets are not displayed in the "Log Receiver":

    1. Install Wireshark or any packet capturing software in the EventLog Analyzer Server and collect the output of the log traces.

    2. After confirming the packet reception, open the EventLog Analyzer GUI ⇾ Settings tab ⇾ System Settings ⇾ Log Level Settings ⇾ change the log level settings value to 3 ⇾ click on "Save". After 15 minutes, change it back to 2.

Finally, compress the logs folder <dir>:\ManageEngine\EventLog Analyzer\logs for further analysis.

                  New to ADSelfService Plus?

                    • Related Articles

                    • Changing the location of Elasticsearch index data

                      Follow the steps below to move the log indices to a different location: Stop the EventLog Analyzer service. Open the command prompt with admin privileges. Navigate to <dir>:\ManageEngine\elasticsearch\ES\bin and execute stopES.bat. Make a backup of ...
                    • What to do if the EventLog Analyzer failed to update the IP's geolocation data due to network issue?

                      This occurs when there is no internet connection on the EventLog Analyzer server or if the creator server is unreachable. Domains/sites to be whitelisted: https://creator.zoho.com https://creatorexport.zoho.com The geolocation feature is used by ...
                    • How to restore a backed up instance on a different server?

                      1. Copy the entire <EventLog Analyzer Home> directory to the new server. It is highly recommended that the new location be the same as the older one. Eg: If the product was installed on an old server in C:\ManageEngine\EventLog, please make sure you ...
                    • Why are some SQL Server reports showing no data?

                      Case 1: Are the required audit policies configured? Open SQL Server Management Studio application in the Windows machine in which SQL Server is installed, and connect to the required instance. Click the Security option. The Server Audit ...
                    • Log collection failure alerts

                      Device down alert: When configured devices don't respond to pings from EventLog Analyzer, it implies either of the following: The selected Syslog devices are not sending logs to EventLog Analyzer. EventLog Analyzer has not collected logs from the ...