Help Document

Troubleshooting tips

Configuration

  1. While adding a device for monitoring, the 'Verify Login' action throws an 'RPC server unavailable' error
  2. While adding a device for monitoring, the 'Verify Login' action throws an 'Access Denied' error.
  3. When the WBEM test is carried out, it fails and shows an error message with code 80041010 in Windows Server 2003.
  4. Port management error codes
  5. The event source file(s) configuration throws the "Unable to discover files" error.
  6. Microsoft 365 - Unified Audit Log must be enabled to fetch data
  7. Microsoft 365 - Invalid Application Password.
  8. Microsoft 365 - Missing Azure AD application.
  9. Microsoft 365 - Missing Azure AD application scope or permission.

Log Collection and Reporting

  1. I've added a device, but Log360 Cloud Agent is not collecting event logs from it
  2. I get an Access Denied error for a device when I click on "Verify Login" but I have given the correct login credentials
  3. The Syslog host is not added automatically to Log360 Cloud Agent/the Syslog reception has suddenly stopped
  4. Agent upgrade failed. What should I do?
  5. Auto log forwarding failed. What should I do?
  6. The installed agent is not able to confirm authentication due to a missing Root CA certificate (Curl 60). How can I fix it?

Configuration

1. While adding a device for monitoring, the 'Verify Login' action throws an 'RPC server unavailable' error

The probable cause and the remedial action are:

Probable cause: The RPC (Remote Procedure Call) port of the device machine is blocked by a firewall.

Solution: Unblock the RPC ports in the firewall.

2. While adding a device for monitoring, the 'Verify Login' action throws an 'Access Denied' error.

The probable causes and the remedial actions are:

Probable cause: The device machine is not reachable from the Log360 Cloud Agent machine.

Solution: Check the network connectivity between the device machine and the Log360 Cloud Agent machine using the ping command.

Probable cause: The device machine is running a System Firewall and the REMOTEADMIN service is disabled.

Solution: Check whether the System Firewall is running on the device. If it is running, execute the following command in the command prompt window of the device machine:

netsh firewall set service type=REMOTEADMIN mode=ENABLE profile=all

3. When the WBEM test is carried out, it fails and shows an error message with code 80041010 in Windows Server 2003.

The probable cause and the remedial action are:

Probable cause: By default, the WMI component is not installed in Windows Server 2003.

Solution: The Win32_Product class is not installed by default on Windows Server 2003. To add the class, follow the procedure given below:

  • In Add or Remove Programs, click Add/Remove Windows Components.
  • In the Windows Components Wizard, select Management and Monitoring Tools, then click Details.
  • In the Management and Monitoring Tools dialog box, select WMI Windows Installer Provider and then click OK.
  • Click Next.

4. Port management error codes

The following are some of the common errors, their causes, and the possible solutions. Feel free to contact our support team for any information.

Port already used by some other application

Cause: Cannot use the specified port because it is already used by some other application.

Solution: This can be solved either by changing the port in the specified application or by using a new port.

If you use a new port, make sure to change the ports in the forwarding device either manually or using auto log forwarding configuration.

5. The event source file(s) configuration throws the "Unable to discover files" error.

Possible remedial actions include:

  • Check the credentials of the machine.
  • Check the connectivity of the device.
  • Ensure that the remote registry service is not disabled.
  • The user should have admin privileges.
  • The open keys and keys with sub-keys cannot be deleted.

6. Microsoft 365 - Unified Audit Log must be enabled to fetch data

To enable collection of Unified Audit Log data, use either of these two methods.

  1. Enable collection of unified audit log data through the Microsoft 365 portal.
    • Log in to the Microsoft 365 portal and navigate to the Security & Compliance Center tab.
    • Click the Search and investigation menu in the left pane and click Audit log search.
    • In the window that appears, click Start recording user and admin activity.
    • In the pop-up that appears, click Turn On.

  2. Enable collection of unified audit log data through PowerShell
    • Run the following cmdlets in PowerShell:

      $UserCredential = Get-Credential
      $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
      Import-PSSession $Session -CommandName Set-AdminAuditLogConfig
      Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled:$True
      Remove-PSSession $Session
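
The same change made with the Exchange Online PowerShell module, including a check of the setting before and after. This is an added example, not part of the product's own procedure; Microsoft has since retired Basic authentication for Exchange Online remote PowerShell. It assumes the ExchangeOnlineManagement module is installed, and the user principal name is a placeholder.

```powershell
# Added example: enable and verify unified audit log ingestion.
# Assumptions: the ExchangeOnlineManagement module is installed and the
# account below (a placeholder) holds an Exchange Online admin role.
$ErrorActionPreference = 'Stop'
Import-Module ExchangeOnlineManagement

# Modern authentication (interactive sign-in) replaces the Basic auth session.
Connect-ExchangeOnline -UserPrincipalName 'admin@example.onmicrosoft.com' -ShowBanner:$false
try {
    # Read the current state first so the change is only made when needed.
    $before = (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled
    if (-not $before) {
        Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
    }
    # Read the value back from the service.
    $after = (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled
    "UnifiedAuditLogIngestionEnabled: before=$before after=$after"
}
finally {
    # Always close the session, even if a cmdlet above failed.
    Disconnect-ExchangeOnline -Confirm:$false
}
```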

7. Microsoft 365 - Invalid Application Password.

Cause: This error message is shown if the application password entered has been deleted or expired.

Solution: Create a new application password and update the same in the product's tenant settings.

8. Microsoft 365 - Missing Azure AD application.

Cause: This error message is shown if the Azure AD application is deleted.

Solution: Configure a new application in the Azure portal. Follow the steps listed here to configure your application manually.

9. Microsoft 365 - Missing Azure AD application scope or permission.

  • Update the necessary permissions in the application.
  • You can check and update permissions by navigating to Tenant Settings > Rest API Access > Update Permissions.

Log Collection and Reporting

1. I've added a device, but Log360 Cloud Agent is not collecting event logs from it

Probable cause: The client machine is not reachable from the agent.

Solution: Check if the device machine responds to a ping command. If it does not, then the machine is not reachable. The device machine has to be reachable from the Log360 Cloud Agent in order to collect event logs.

Probable cause: You do not have administrative rights on the device machine.

Solution: Edit the device's details, and enter the Administrator login credentials of the device machine. Click Verify Login to see if the login was successful.

2. I get an Access Denied error for a device when I click on "Verify Login" but I have given the correct login credentials

Probable cause: There may be other reasons for the Access Denied error.

Solution: Refer to the cause and solution for the error code you received during Verify Login.

Error Code 0x80070005

Scanning of the Windows workstation failed due to one of the following reasons:

  1. The login name and password provided for scanning are invalid in the workstation.

     Solution: Check if the login name and password are entered correctly.

  2. The Remote DCOM option is disabled in the remote workstation.

     Solution: Check if Remote DCOM is enabled in the remote workstation. If it is not enabled, enable it in the following way:

    • Select Start → Run.
    • Type dcomcnfg in the text box and click OK.
    • Select the Default Properties tab.
    • Select the Enable Distributed COM in this machine checkbox.
    • Click OK.

     To enable DCOM on Windows XP devices:

    • Select Start → Run.
    • Type dcomcnfg in the text box and click OK.
    • Click on Component Services → Computers → My Computer.
    • Right-click and select Properties.
    • Select the Default Properties tab.
    • Select the Enable Distributed COM in this machine checkbox.
    • Click OK.

  3. The user account is invalid in the target machine.

     Solution: Check if the user account is valid in the target machine by opening a command prompt and executing the following commands:

     net use \\<RemoteComputerName>\C$ /u:<DomainName\UserName> "<password>"

     net use \\<RemoteComputerName>\ADMIN$ /u:<DomainName\UserName> "<password>"

     If these commands show any errors, the provided user account is not valid on the target machine.

Error Code 0x80041003

The user name provided for scanning does not have sufficient access privileges to perform the scanning operation. This user may not belong to the Administrator group for this device machine.

Solution: Move the user to the Administrator Group of the workstation or scan the machine using an administrator (preferably a Domain Administrator) account.

Error Code 0x800706ba

A firewall is configured on the remote computer. Such exceptions mostly occur in Windows XP (SP 2), when the default Windows firewall is enabled.

Solution:

  • Disable the default Firewall in the Windows XP machine:
    • Select Start → Run.
    • Type Firewall.cpl and click OK.
    • In the General tab, click Off.
    • Click OK.
  • If the firewall cannot be disabled, launch Remote Administration for administrators on the remote machine by executing the following command:

    netsh firewall set service RemoteAdmin

    After scanning, you can disable Remote Administration using the following command:

    netsh firewall set service RemoteAdmin disable

Error Code 0x80040154

WMI is not available in the remote Windows workstation. This happens in Windows NT. Such error codes might also occur in higher versions of Windows if the WMI components are not registered properly.

Solution:

  • Install WMI core in the remote workstation.
  • Register the WMI DLL files by executing the following command in the command prompt:

    winmgmt /RegServer

Error Code 0x80080005

There is some internal execution failure in the WMI service (winmgmt.exe) running in the device machine. The last update of the WMI Repository in that workstation could have failed.

Solution: Restart the WMI Service in the remote workstation:

  • Select Start → Run.
  • Type Services.msc and click OK.
  • In the Services window that opens, select the Windows Management Instrumentation service.
  • Right-click and select Restart.

For any other error codes, refer to the MSDN knowledge base.

Error Code 1722, 1726, 1753, 1825

Probable cause: The RPC (Remote Procedure Call) port of the device machine is blocked by a firewall.

Solution: Unblock the RPC ports in the Firewall.
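
The 'Verify Login' checks from the Configuration section and the error codes above can be repeated by hand from the agent machine. The script below is an added example, not code from the product: it pings the device, tests the RPC endpoint mapper port, runs one WMI query and maps a failure to the causes listed on this page. The function name Test-VerifyLogin and the host name DEVICE01 are hypothetical, and it assumes Windows PowerShell 5.1.

```powershell
# Added example: repeat the 'Verify Login' checks by hand from the agent machine.
# Assumptions: Windows PowerShell 5.1 (for Get-WmiObject); DEVICE01 is a placeholder.
param(
    [string]$Target = 'DEVICE01',
    [pscredential]$Credential = (Get-Credential)
)

# Error code -> cause, as listed on this page.
$Causes = @{
    '0x80070005' = 'Invalid login, Remote DCOM disabled, or invalid user account'
    '0x80041003' = 'User lacks privileges (not in the Administrator group)'
    '0x800706BA' = 'Firewall configured on the remote computer'
    '0x80040154' = 'WMI not available or WMI components not registered'
    '0x80080005' = 'Internal execution failure in the WMI service (winmgmt.exe)'
}

function Test-VerifyLogin {
    param([string]$ComputerName, [pscredential]$Credential)

    if (-not (Test-Connection -ComputerName $ComputerName -Count 2 -Quiet)) {
        return "Unreachable: $ComputerName does not answer ping"
    }
    # TCP 135 is the RPC endpoint mapper that a DCOM/WMI connection contacts first.
    $rpc = Test-NetConnection -ComputerName $ComputerName -Port 135 -WarningAction SilentlyContinue
    if (-not $rpc.TcpTestSucceeded) {
        return 'RPC port 135 is blocked or closed: check the firewall'
    }
    try {
        $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $ComputerName -Credential $Credential -ErrorAction Stop
        return "OK: WMI query succeeded ($($os.Caption))"
    }
    catch {
        $ex = $_.Exception
        # COM and WMI exceptions carry the code in ErrorCode; others only in HResult.
        $raw = if ($ex.PSObject.Properties['ErrorCode']) { [int]$ex.ErrorCode } else { $ex.HResult }
        $code = '0x{0:X8}' -f $raw
        $cause = $Causes[$code]
        if (-not $cause) { $cause = 'Not listed on this page' }
        return "WMI failed with ${code}: $cause"
    }
}

Test-VerifyLogin -ComputerName $Target -Credential $Credential
```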

3. The Syslog host is not added automatically to Log360 Cloud Agent/the Syslog reception has suddenly stopped

If you are able to view the logs, it means that the packets are reaching the machine, but not Log360 Cloud Agent. You need to check your Windows firewall or Linux iptables.

To check if the Log360 Cloud Agent server is reachable, follow the steps given below.

  • Ping the server.
  • For TCP, you can try the command telnet <Log360 Cloud Agent_server_name> <port_no> where 514 is the default TCP port.
  • Use tcpdump:

    tcpdump -n dst <Log360 Cloud Agent_server_name> and dst port <port_no>

If reachable, it means there was some issue with the configuration. If not reachable, then you are facing a network issue.

4. Agent upgrade failed. What should I do?

Causes

  • No connectivity with the agent during product upgrade.
  • Incorrect credentials.

Solutions

Manually install the agent by navigating to the Manage Agent page.

To install agent:

Windows device: Run the Log360CloudAgent.msi. For detailed steps on how to install an agent, please click here.

5. Auto log forwarding failed. What should I do?

Auto log forwarding may fail due to any of the three reasons below.

  1. Invalid credentials - Username/password (root password) used to establish the SSH connection may be invalid.
  2. Device not found - the device which you tried to configure may not be available in the network.
  3. Failure in establishing an SSH connection - SSH may be disabled on the device the user is trying to configure.

6. The installed agent is not able to confirm authentication with Log360 Cloud server due to a missing Root CA certificate. How can I fix it?

In the latest Log360 Cloud release, we have enhanced the security of our agent-to-server communication. To confirm the authentication between the agent and the Log360 Cloud server, follow the steps below:

Step 1 - On the machine where the agent is facing this issue, launch Run, type certlm.msc and press Enter.

Step 2 - Find Trusted Root Certification Authorities in the window that appears.

Step 3 - Search for USERTrust RSA Certification Authority. If the certificate is present, the failed authentication may have a different cause. Kindly contact our support team to resolve it.

Step 4 - If the USERTrust RSA Certification Authority certificate is not found, download this certificate and import it into the Trusted Root Certification Authorities store.

Step 5 - Restart the agent to check if the connectivity issue is resolved. If not, kindly contact our support team to resolve it.
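
Steps 1 to 4 can also be done from an elevated PowerShell prompt, with a thumbprint check before anything is added to the machine's trusted roots. This is an added example, not the vendor's tooling: the file path and expected thumbprint are placeholders you must fill in (take the thumbprint from the certificate authority's own published values, not from the download), and the agent restart in step 5 is left to you because the page does not name the service.

```powershell
# Added example: check for the root CA; import it only if its thumbprint matches.
# Assumptions: run elevated; $CertFile and $ExpectedThumbprint are placeholders.
$ErrorActionPreference = 'Stop'
$RootName           = 'USERTrust RSA Certification Authority'
$CertFile           = 'C:\Temp\usertrust-rsa-root.crt'             # placeholder path
$ExpectedThumbprint = '<SHA-1 THUMBPRINT FROM A TRUSTED SOURCE>'   # placeholder

function Get-RootCa {
    param([string]$Name)
    # Steps 2 and 3: look in the machine's Trusted Root Certification Authorities store.
    Get-ChildItem -Path Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -like "*CN=$Name*" }
}

$found = Get-RootCa -Name $RootName
if ($found) {
    $found | Format-List Subject, Thumbprint, NotAfter
    'Root CA is already trusted; the authentication failure has a different cause.'
    return
}

# Step 4: inspect the downloaded file before trusting it.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertFile
$want = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
if ($want.Length -ne 40) { throw 'Set $ExpectedThumbprint to the 40-digit SHA-1 thumbprint first.' }
if ($cert.Subject -notlike "*CN=$RootName*" -or $cert.Thumbprint -ne $want) {
    throw "Refusing to import ${CertFile}: subject or thumbprint does not match."
}
# A root certificate is self-signed; reject a cross-signed or intermediate copy.
if ($cert.Subject -ne $cert.Issuer) { throw 'Not a self-signed root certificate.' }
if ($cert.NotAfter -lt (Get-Date)) { throw 'Certificate has expired.' }

Import-Certificate -FilePath $CertFile -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
Get-RootCa -Name $RootName | Format-List Subject, Thumbprint, NotAfter
'Imported. Restart the agent (step 5) and test connectivity again.'
```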