• Log Forwarding is not configured: Appears immediately after manually adding a device, indicating no log packets have been received yet.
• Device not reachable: Device does not respond to ping from the EventLog Analyzer server (logs may still flow in some cases).
• Logs not forwarded: No logs received for more than 24 hours; this status clears automatically when logs resume.
• Agent down / Log collector down: The log collector service is unavailable; syslog and Windows log collection may be impacted (agent-based collection may continue).

Possible causes  

• Syslog misconfiguration: Log forwarding is not enabled or misconfigured on the device/application.
• EventLog Analyzer server IP/hostname change: Device not updated to send logs to the current server address.
• Port mismatch or restriction: Device forwarding logs to a different port or port is blocked. (Default: TCP 514; UDP 513, 514). Refer Listener Port settings to view/configure the port listened by EventLog Analyzer.
• Network restrictions — Firewalls, ACLs, NAT, or routing issues blocking syslog packets..
• Log Collection Filter - Filters in EventLog Analyzer may be unintentionally excluding logs.
• Timezone/date mismatch - Difference is date/time between syslog source and EventLog Analyzer server.
• Log collector down: The syslog collector (SysEvtCol) is not running.
• CachedRecords backlog: Unprocessed logs accumulated at <Installation Directory>/EventLog Analyzer/ES/CachedRecord.
• Incorrect source type — Windows-hosted apps forwarding syslog should be added as Syslog Application (not as Device).

Prerequisites  

1. Syslog forwarding enabled on the device/application (refer to vendor documentation for correct setup).
2. Access to EventLog Analyzer server and User Interface as administrator.
3. Access to the respective syslog source and knowledge about the source.
4. Knowledge of source type:

• Physical network device → add as Syslog Device (consumes Device license)
• Application hosted on Windows → add as Syslog Application (consumes Application license)

5. Supported formats: Log Sources has to forward the logs in the standard formats(BSD Syslog Protocol): RFC 5424, RFC 3164, or CEF.
6. Communication from Unix/Linux device to EventLog Analyzer.
• The syslog packets will be forwarded from Syslog source to EventLog Analyzer server.
• The port syslog forwarder port has to be allowed in such way the traffic reached application in source(outbound), intermediate devices/application(security application/network level firewall/proxy) and destination(inbound).
7. Verify listener readiness

• Choose Log Receiver(top right corner) → Server Details → the port shows Listening
• Or Listener Port Settings reflects the correct protocol/port and is not occupied.

The port is flagged Listening when available for use and not already bound by another process/service.

Resolution steps  

• If all (or most) devices impacted, including Windows sources proceed with Scenario 1: All devices.
• If only specific syslog device(s) impacted, proceed with Scenario 2: Specific device(s).

Scenario 1 — All devices affected   

• Navigate to <InstallDir>/EventLog Analyzer/ES/CachedRecord.
• Note the file count. If it keeps increasing, your server may be under-provisioned or the pipeline is stalled.
• Ensure the EventLog Analyzer server is configured as per recommended System Requirements.
• If backlog keeps rising, Refer CachedRecord Troubleshooting 

• If logs are not collected from all types (except agent-installed machines and few applications for which logs are imported), the Log Collector may be down.
• Check the Log Collector(SysEvtCol) service status; then refer to the Log Collector Troubleshooting KB (see Related).

• Navigate to Settings >> System Settings → Listener Port Settings

• Validate the configured UDP/TCP ports match what devices are sending to.
• Confirm Log Receiver → Server Details shows Listening.

• OS-level port availability check:

1. Open Server Manager → Tools → Windows Defender Firewall with Advanced Security.
2. Go to Inbound Rules.
3. Look for a rule that allows the specific port (check Local Port column).

• If the port is used by another process, either stop the conflicting process or change the listener port in Listener Port settings and update devices accordingly.

• Ensure perimeter/segment firewall rules allow syslog traffic to the EventLog Analyzer server IP and port.
• If using NAT or load balancer, confirm the mapping to the correct internal IP/port.
• Check that the server's bind IP in Connection Settings matches the network configuration.

Scenario 2 — Specific syslog device(s)  

• Choose Log Receiver(top right corner) → Live View (or Server Details panel).
• Check if incoming packets from the specific device/IP are visible.
• You can also test the packets using any third party packet capture tool.
•  

1. Host firewall / security software

• Check if the port is not restricted in Local host Firewall as per OS-level port availability check:

1. Open Server Manager → Tools → Windows Defender Firewall with Advanced Security.
2. Go to Inbound Rules.
3. Look for a rule that allows the specific port (check Local Port column).

• If the port is used by another process, either stop the conflicting process or change the listener port in Listener Port settings and update devices accordingly.

2. Internal security controls

• Review NAC/IDS/IPS policies; ensure traffic on the syslog ports is not dropped post-arrival (e.g., local endpoint policy).

3. Duplicate category check

• Settings → Log Source Configuration: ensure the device isn’t unintentionally added under another category that intercepts/changes handling.

4. Log Collection Filter

• Navigate to Settings >> Admin → Log Collection Filter: Verify no filter is excluding the device, its facility, severity, or message patterns.
• If a filter exists that should not apply, disable or adjust it.

5. Timezone & date alignment

• Mismatched device timezones can push events outside your viewing/reporting window.
• Check if the logs source is logging events in current date and note down the time. If you notice the timezone difference between EventLog Analyzer server and Log source, follow the below steps to update in EventLog Analyzer.
• Navigate to Settings → Log Source Configuration  → Devices → Syslog device.
• Place the cursor on top of device name and select Update device icon.
• Choose Advanced and select the appropriate Timezone to match the device timezone.

6. Parsing vs. Search

• If logs appear in Search but not in Reports, this indicates a parser mismatch.
• See Log Parsing KB (Related) for enabling a compatible parser or creating a custom one.

1. External packet capture

• Temporarily use any packet capture tool on the EventLog Analyzer server to watch the syslog ports.
• If packets appear in the capture but not in Log Receiver, revisit Scenario 1 → 1.3 (port conflict/bind).

2. Network path

• Validate L3/L4 connectivity from device to server (firewall, routes, ACLs, NAT, VLAN).
• If your device can test, send a test syslog to server:port and verify arrival.

3. Binded IP address

• Navigate to Settings >> System Settings→ Connection Settings: Check the bound interface/IP.
• Set to the specific server IP or All interfaces, then Save  Settings.

NOTE: Changing the Bind Address needs application restart. Restart EventLog Analyzer service once to take effect.

• Verify the change under Log Receiver → Server Details.

4. Port/protocol alignment

• Ensure the log source forwards logs via the same protocol and port that EventLog Analyzer is listening on (e.g., UDP 514 vs. TCP 514).

5. Device configuration

• Re-validate syslog target IP/hostname, port, and format (RFC 5424/3164 or CEF).
• If the sender is a Windows-hosted application, ensure it’s added as Syslog Application (not Device).

Validation and testing  

1. Live view: EventLog Analyzer → Log Receiver(Live Syslog Viewer) — confirm real-time messages appear.
2. Raw logs: Search Tab → filter by source device/IP → set appropriate date range (consider timezone).
3. Device status: Verify status is active and logs are being collected.
4. Parsing: Confirm events are categorized (facility/severity/event type).

• If built-in parsing seems incorrect(Example: Source IP address parsed as port number or username), contact Support.
• For additional fields, refer Custom Log parsing to extract required fields.

5. Usability: Generate a predefined report or set an alert to ensure logs support analytics/real-time use.

Tips

• Ensure correct DNS resolution for both device-to-server and server-to-device hostnames.
• Prefer UDP for high-volume syslog unless message reliability is critical.
• Use the Live Syslog Viewer during onboarding or when troubleshooting to verify log flow before scaling.

Related topics and articles  

• Log Collector down — Troubleshooting
• How to create custom Log Parser Rules
• How to add and configure Syslog Devices
• Syslog collection in EventLog Analyzer
• Syslog Device Status - "Logs Not Forwarded"
•  Listener Port settings
•  Log Collection Filter

How to reach support  

• EventLog Analyzer Build number and Product version
• Screenshots of device syslog settings and Listener/Connection Settings
• Log source details: type/make, on-prem or cloud, OS version, physical device or Windows-hosted application
• Sample raw logs, if available
• CachedRecord file count (if backlog observed) and a short timeline of the issue