Windows agent not communicating with EventLog Analyzer server

Issue description

When the agent fails to communicate with the EventLog Analyzer server, the log transfer between devices is disrupted. As a result, logs accumulate on the agent machine until connectivity is restored. This delay in log transmission can hinder timely log analysis, increase security risks, lead to inaccurate reporting, and prevent critical alerts from being triggered as intended.

Possible causes

  1. Port restrictions: The agent-server communication port could have been blocked in the server's firewall.
  2. Agent service startup failure: The service might not be running, or the account currently logged in on the agent machine might not be permitted to start it.
  3. Server info updated: The IP address, hostname, protocol, or port of the server on which EventLog Analyzer is installed might have been updated without the agent being updated with this information.
  4. Server public key not listed: Agent-to-server communication in EventLog Analyzer is encrypted and secured using this key. It will be missing if an incorrect configuration was entered during agent installation or if permissions/security settings were restricted afterwards.
  5. Antivirus blocking the backend processes: To ensure unhindered functioning of EventLog Analyzer, you need to add the product installation file location/directory to the exception list of your antivirus application.

Prerequisites

Make sure the following are in place before proceeding with the resolution:
  1. EventLog Analyzer agent communication ports (default: HTTP: 8400/HTTPS: 8445) are opened/enabled.
    Reference: Prerequisites 
  2. To check on the web port that EventLog Analyzer is using, please navigate to Settings > System Settings > Connection Settings > Connection type.
    Reference: Connection Settings
  3. The EventLog Analyzer agent installation file/folder needs to be allowlisted in your antivirus/endpoint protection software.
    Reference: Using EventLog Analyzer with an antivirus application
  4. Ensure the logged in user in the agent-installed machine has the permissions/privileges to start the service.
  5. EventLog Analyzer server details need to be updated properly in the agent configuration wizard. To learn how to proceed with the details, please click here.

Resolution

Step 1: Ensure the EventLog Analyzer agent service is up and running with the appropriate logged on user.
If yes, please proceed to step 2. If not, please follow the steps below:
  • Connect to the target machine, and open Services.msc.
  • Restart the ManageEngine EventLogAnalyzer Agent service.
  • Ensure that the antivirus solution is not blocking the startup of the service. Exclude the agent installation directory completely in the Antivirus solution's scan list.
  • Check whether the logged-in user has the necessary permissions/privileges to start the service. Go to the ManageEngine EventLogAnalyzer Agent service > Properties, and check the Log On tab to identify the account under which the service is running.
  • If EventLog Analyzer has been upgraded recently, you can view the agent installation files in the respective directory (dir: EventLogAnalyzer_agent) and cross-check whether the EventLog Analyzer agent is installed using the Programs and Features settings.

Step 2: Ensure the application web server port number for agent-server communication is allowed/opened bidirectionally on both the product-installed and agent-installed devices.
Reference: Prerequisites 
If yes, please proceed with step 3. If not, please follow the steps below:
  • To check the port status, open the Resource Monitor program, click the Network tab > Listening Ports, and ensure that the agent-to-server communication port is listed with the firewall status Allowed, not restricted.
  • If necessary, open the ports in the local firewall on both the EventLog Analyzer-installed server and the agent-installed machine.
Ports guide: Prerequisites 

Step 3: Access the EventLog Analyzer UI from any browser in the agent-installed device by specifying the protocol, servername, and port number to verify port connectivity.
For example: http://EventLogsrv:8400, where EventLogsrv is the hostname of the EventLog Analyzer server.
If the UI is accessible, please proceed with step 4. If not, please follow the steps below:
  • A blocked port or a network connectivity problem could be preventing access to the EventLog Analyzer URL from the agent-installed machine. Validate both using the PING and TRACERT commands.
  • Alternatively, try to access the EventLog Analyzer URL using FQDN or the IP address to isolate the issue, as it might be related to DNS querying.
Step 4: Review and update the ServerInfo. Open the Registry Editor on the agent-installed device. Go to Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\ZOHOCorp\EventLogAnalyzer\ServerInfo and update the EventLog Analyzer server details (ensure the server public key is listed).

If the server public key is listed, please proceed with the next step. If not, please enter the EventLog Analyzer server details appropriately and restart the EventLog Analyzer agent service. Refer to the Connection Settings to see the web port and protocol used by EventLog Analyzer.

Step 5: Open Programs & Features, look for the EventLog Analyzer Agent, and try to repair the software to re-enter the details. Then refresh the call passed from the agent to the server. If applicable, please restart the agent-installed server once.

Step 6: In the Agent-installed machine, go to <dir>: EventLogAnalyzer_Agent\data\zipfiles to check the log files collected on behalf of the product. Ensure that the log file zips are transferred over time.
You can also review whether the log zips are transferred successfully by viewing the SysEvtCol logs present inside <dir>: EventLogAnalyzer_Agent\logs. You can search for Transfer to view and confirm the log entry of the logs that were successfully transmitted. The image below shows an example of this.

Step 7: Go to EventLog Analyzer > Settings > Agents and check whether the status shows success.
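The following PowerShell script is an added example (it is not part of this article and is not a ManageEngine tool) that gathers, in one run on the agent-installed machine, the evidence the resolution steps above ask you to check by hand: the service state and its log-on account (Step 1), TCP reachability of the server web port with a DNS check to separate name resolution from firewall problems (Steps 2 and 3), the values under the ServerInfo registry key (Step 4), the backlog in data\zipfiles and the most recent "Transfer" entries in the SysEvtCol logs (Step 6). The server hostname, port, agent installation path and the SysEvtCol log file name pattern are assumptions; adjust them to your environment.

```powershell
# Added diagnostic script for the resolution steps in this article.
# Not from the KB article or from ManageEngine; assumptions are marked below.
param(
    [string]$ServerHost = 'EventLogsrv',                 # placeholder, as in the article's example URL
    [int]$ServerPort    = 8400,                          # HTTP default; use 8445 for HTTPS
    [string]$AgentDir   = 'C:\EventLogAnalyzer_Agent'    # assumed agent installation folder
)

$ServiceName = 'ManageEngine EventLogAnalyzer Agent'

# Step 1: service state and the account it runs under (same information as the Log On tab)
$svc = Get-CimInstance Win32_Service -Filter "DisplayName = '$ServiceName'"
if (-not $svc) {
    Write-Warning "Service '$ServiceName' not found; verify the agent in Programs and Features."
} else {
    "Service state: $($svc.State)  StartMode: $($svc.StartMode)  LogOn account: $($svc.StartName)"
    if ($svc.State -ne 'Running') {
        Write-Warning "Agent service is not running. Try: Restart-Service -DisplayName '$ServiceName'"
    }
}

# Steps 2 and 3: can this machine reach the server's web port at all?
$tnc = Test-NetConnection -ComputerName $ServerHost -Port $ServerPort -WarningAction SilentlyContinue
"TCP ${ServerHost}:${ServerPort} reachable: $($tnc.TcpTestSucceeded)  (ping: $($tnc.PingSucceeded))"
if (-not $tnc.TcpTestSucceeded) {
    # Separate a DNS problem from a firewall/port block, as Step 3 suggests
    try {
        $a = Resolve-DnsName -Name $ServerHost -Type A -ErrorAction Stop | Select-Object -First 1
        "DNS resolves $ServerHost to $($a.IPAddress); the port is most likely blocked by a firewall."
    } catch {
        Write-Warning "DNS lookup for $ServerHost failed; retry with the FQDN or the IP address."
    }
}

# Step 4: list every value under the ServerInfo key so the server details and the
# public key entry can be inspected. Value names are not documented in the article,
# so nothing is asserted here; read the listing and confirm a non-empty key is present.
$regPath = 'HKLM:\SOFTWARE\WOW6432Node\ZOHOCorp\EventLogAnalyzer\ServerInfo'
if (Test-Path $regPath) {
    "ServerInfo registry values:"
    (Get-ItemProperty -Path $regPath).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |
        ForEach-Object { "  {0} = {1}" -f $_.Name, $_.Value }
} else {
    Write-Warning "Registry key $regPath not found; repair the agent installation (Step 5)."
}

# Step 6: how many zips are waiting, how old the oldest one is, and whether the
# SysEvtCol logs record recent transfers. A growing backlog with an old oldest
# file and no recent Transfer lines means logs are accumulating on the agent.
$zipDir = Join-Path $AgentDir 'data\zipfiles'
if (Test-Path $zipDir) {
    $zips = @(Get-ChildItem -Path $zipDir -Filter '*.zip' -File)
    "Pending zip files: $($zips.Count)"
    if ($zips.Count -gt 0) {
        $oldest = $zips | Sort-Object LastWriteTime | Select-Object -First 1
        "Oldest pending zip: $($oldest.Name) ($($oldest.LastWriteTime))"
    }
}
$logDir = Join-Path $AgentDir 'logs'
if (Test-Path $logDir) {
    "Most recent 'Transfer' entries in the SysEvtCol logs:"
    # 'SysEvtCol*' is an assumed file-name pattern for the SysEvtCol logs
    Get-ChildItem -Path $logDir -Filter 'SysEvtCol*' -File |
        Select-String -Pattern 'Transfer' |
        Select-Object -Last 5 |
        ForEach-Object { "  $($_.Filename): $($_.Line)" }
}
```

Run it in an elevated PowerShell session on the agent-installed machine (reading the service's log-on account and the registry key does not require elevation, but restarting the service does). The Step 2 check on the server side (whether the web port is actually listening) has no counterpart here; on the EventLog Analyzer server itself, `Get-NetTCPConnection -State Listen -LocalPort <port>` gives the same information as Resource Monitor's Listening Ports view.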

How to enter EventLog Analyzer server details in the agent:
  1. On the machine where the EventLog Analyzer Agent is installed, open Programs and Features and locate the EventLog Analyzer Agent in the list.
  2. Click Repair or Modify, then follow the on-screen instructions and provide the required details to reestablish the connection.
  3. Learn more about the Connection Settings here.

Tips

With EventLog Analyzer, you can opt for the agent-based log collection method under the following circumstances:
  • When your organization’s IT security policy does not allow access to WMI/DCOM communication ports on Windows devices (a Windows device could be a server, workstation, or domain controller).
  • When you want to balance the overhead load across your network.
  • For easy log collection across WANs and through firewalls.
  • For monitoring critical changes to files and folders through the File Integrity Monitoring feature.

How to contact support

If the issue persists after following the above steps, you can contact the ManageEngine EventLog Analyzer Support Team. Share with us which steps you followed along with the respective screenshots. We might also need the product logs and agent logs for further investigation of this issue. 

Logs location:

EventLog Analyzer product logs: <dir>: ManageEngine\EventLog Analyzer\logs (please include the latest log files up to the present date)
EventLog Analyzer Agent logs: <dir>: EventLogAnalyzer_Agent\logs

Support Channels:
Email:
Toll-Free (US): +1 844 649 7766
Request Support Portal: Support :: EventLog Analyzer
