EventLog Analyzer - Troubleshooting Tips


General

  1. Where do I find the log files to send to EventLog Analyzer Support?

  2. I find that EventLog Analyzer keeps crashing or all of a sudden stops collecting logs. What could be the reason?

  3. How to create a SIF (Support Information File) and send it to ManageEngine if you are not able to do so from the web client?

  4. How to register dll when message files for event sources are unavailable?

Installation

  1. EventLog Analyzer displays "Enter a proper ManageEngine license file" during installation

  2. Binding EventLog Analyzer server (IP binding) to a specific interface.

Startup and Shut Down

  1. MySQL-related errors on Windows machines

  2. EventLog Analyzer displays "Port 8400 needed by EventLog Analyzer is being used by another application. Please free the port and restart EventLog Analyzer" when trying to start the server

  3. EventLog Analyzer displays "Can't Bind to Port " when logging into the UI.

  4. Start up and shut down batch files not working on Distributed Edition.

Configuration

  1. While adding a device for monitoring, the 'Verify Login' action throws an 'RPC server unavailable' error

  2. While adding a device for monitoring, the 'Verify Login' action throws an 'Access Denied' error.

  3. When a WBEM test is carried out, it fails and shows an error message with code 80041010 on Windows Server 2003.

  4. How to enable Object Access logging in Linux OS?

  5. What are the commands to start and stop the Syslog Daemon in Solaris 10?

  6. While configuring incident management with ServiceDesk, I am facing an SSL Connection error.

  7. File Integrity Monitoring (FIM) troubleshooting.

  8. Error statuses in File Integrity Monitoring (FIM).

  9. Port management error codes

  10. The event source file(s) configuration throws the "Unable to discover files" error.

Log Collection and Reporting

  1. I've added a device, but EventLog Analyzer is not collecting event logs from it

  2. I get an Access Denied error for a device when I click on Verify Login but I have given the correct login credentials

  3. I have added a Custom alert profile and enabled it. But the alert is not generated in EventLog Analyzer even though the event has occurred on the device machine

  4. When I create a Custom Report, I am not getting the report with the configured message in the Message Filter

  5. MS SQL server for EventLog Analyzer stopped

  6. I successfully configured Oracle device(s), still cannot view the data

  7. The Syslog host is not added automatically to EventLog Analyzer/the Syslog reception has suddenly stopped

     

Performance

Insufficient CPU for EventLog Analyzer


Error messages while adding STIX/TAXII servers to EventLog Analyzer

 

While I was trying to add a STIX/TAXII server to EventLog Analyzer, I got the following error messages. What do they mean?
  1. This feature has been disabled for Online Demo!

  2. Connection failed. Please try configuring proxy server.

  3. Failed to connect to the URL.

  4. Authorization failed.

SSL Troubleshooting steps

  1. Certificate name mismatch.
  2. Invalid certificate.
  3. Problem in trusting the security certificate.

For any other issues, please contact EventLog Analyzer Technical Support

 

General

Where do I find the log files to send to EventLog Analyzer Support?
 

For Build 8010 onwards

The log files are located in the <EventLogAnalyzer_Home>/logs directory. Typically, when you run into a problem, you will be asked to send the serverout.txt file from this directory to EventLog Analyzer Support.

For Build 8000 or earlier

The log files are located in the <EventLogAnalyzer_Home>/server/default/log directory. Typically, when you run into a problem, you will be asked to send the serverout.txt file from this directory to EventLog Analyzer Support.


I find that EventLog Analyzer keeps crashing or all of a sudden stops collecting logs. What could be the reason?

The built-in PostgreSQL/MySQL database of EventLog Analyzer can become corrupted if other processes access its data directories at the same time. So exclude the ManageEngine installation folder from

Ensure that no snapshots are taken if the product is running on a VM.


How to create a SIF (Support Information File) and send it to ManageEngine when you are not able to do so from the web client?

The SIF helps us analyze the issue you have come across and propose a solution for it.
If you are unable to create a SIF from the web client UI:

For Build 8010 onwards

Zip the files under the 'logs' folder, located at C:/ManageEngine/Eventlog/logs (default path), and upload the zip file to the following upload link: http://bonitas.zohocorp.com/upload/index.jsp?to=eventloganalyzer-support@manageengine.com

For Build 8000 or earlier

Zip the files under the 'log' folder, located at C:/ManageEngine/Eventlog/server/default/log (default path), and upload the zip file to the following upload link: http://bonitas.zohocorp.com/upload/index.jsp?to=eventloganalyzer-support@manageengine.com


How to register a DLL when message files for event sources are unavailable?

To register a DLL with regsvr32, follow the procedure given at the link below: http://ss64.com/nt/regsvr32.html

Installation

EventLog Analyzer displays "Enter a proper ManageEngine license file" during installation

This can happen in two cases:

Case 1: Your system date is set to a future or past date. In this case, uninstall EventLog Analyzer, reset the system date to the current date and time, and re-install EventLog Analyzer.
Case 2: You may have provided an incorrect or corrupted license file. Verify that you have applied the license file obtained from ZOHO Corp.
If neither is the reason, or you still get this error, contact licensing@manageengine.com

 

Binding EventLog Analyzer server (IP binding) to a specific interface.

For Build 8010 onwards

To bind the EventLog Analyzer server to a specific interface, follow the procedure given below:

For EventLog Analyzer running as an application:

Change the database connection line

url=jdbc:postgresql://localhost:33336/eventlog?stringtype=unspecified

to

url=jdbc:postgresql://<binding IP address>:33336/eventlog?stringtype=unspecified

Then, in pg_hba.conf, add the line

host all all <binding IP address in IPv4 format>/32 trust

after the line

host all all 127.0.0.1/32 trust

and save the file. That is, the block

# TYPE DATABASE USER ADDRESS METHOD

# IPv4 local connections:

host all all 127.0.0.1/32 trust

# IPv6 local connections:

host all all ::1/128 trust

becomes

# TYPE DATABASE USER ADDRESS METHOD

# IPv4 local connections:

host all all 127.0.0.1/32 trust

host all all <binding IP address in IPv4 format>/32 trust

# IPv6 local connections:

host all all ::1/128 trust


For EventLog Analyzer running as a service:

Before proceeding further, stop the EventLog Analyzer service and make sure that 'SysEvtCol.exe', 'Postgres.exe' and 'java.exe' are not running.

There are 7 files that must be modified for IP binding.

Note: Before editing the files, ensure that you have a backup copy of them.

Assume xxx.xxx.xxx.xxx is the IP address you wish to bind to EventLog Analyzer.

 

File 1)

<ELA home>\bin\setCommonEnv.bat

 

wrapper.app.parameter.1=com.adventnet.mfw.Starter
#wrapper.app.parameter.2=-L../lib/AdventNetDeploymentSystem.jar
wrapper.app.parameter.2=-b xxx.xxx.xxx.xxx
wrapper.app.parameter.3=-Dspecific.bind.address=xxx.xxx.xxx.xxx

 

 

File 4)

<ELA home>\conf\server.xml

Search for the following block:

<Connector SSLEnabled="false" URIEncoding="UTF-8" acceptCount="100" address="0.0.0.0" clientAuth="false" compressableMimeType="text/html,text/xml" compression="force" compressionMinSize="1024" connectionTimeout="20000" disableUploadTimeout="true" enableLookups="false" maxSpareThreads="75" maxThreads="150" minSpareThreads="25" name="WebServer" noCompressionUserAgents="gozilla, traviata" port="8400" protocol="HTTP/1.1" scheme="http" secure="false"/>

and change its address attribute from 0.0.0.0 to the binding IP address, so that the block reads:

<Connector SSLEnabled="false" URIEncoding="UTF-8" acceptCount="100" address="xxx.xxx.xxx.xxx" clientAuth="false" compressableMimeType="text/html,text/xml" compression="force" compressionMinSize="1024" connectionTimeout="20000" disableUploadTimeout="true" enableLookups="false" maxSpareThreads="75" maxThreads="150" minSpareThreads="25" name="WebServer" noCompressionUserAgents="gozilla, traviata" port="8400" protocol="HTTP/1.1" scheme="http" secure="false"/>

 

File 5) 

<ELA home>\conf\database_params.conf

 

File 6) 

<ELA home>\pgsql\data\postgresql.conf

 

File 7) 

<ELA home>\pgsql\data\pg_hba.conf

Search for the following block:

# IPv4 local connections:
host all all 127.0.0.1/32 trust

Replicate the host all all 127.0.0.1/32 trust line with the new IP address in place of 127.0.0.1 and add it after the existing line. To do this, copy the line itself, paste it on the next line, and then edit the IP address.

It should look like this:

# IPv4 local connections:
host all all 127.0.0.1/32 trust
host all all xxx.xxx.xxx.xxx/32 trust

 

Start EventLog Analyzer and check <ELA home>\logs\wrapper.log for the current status.
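The two PostgreSQL-side edits above (the url=jdbc:postgresql line and the pg_hba.conf rule) are easy to get subtly wrong by hand, so here is an added example, not from the ManageEngine page, that applies them to the file text in memory, validates the address first and only then writes the files back with a .bak copy. The port 33336 and the file paths are taken from the procedure above; the function names are ours. Note that the trust method the procedure uses grants password-less database access from the bound address, so port 33336 should stay unreachable from other hosts.

```python
"""Apply the IP-binding edits to EventLog Analyzer's PostgreSQL configuration.

Added example, not part of the ManageEngine documentation. It rewrites the
url=jdbc:postgresql://... line of database_params.conf and adds the
'host all all <ip>/32 trust' rule to pg_hba.conf, working on the file text
in memory so the change can be reviewed before it is written back.
"""
import ipaddress
import os
import re
import sys

# Matches the url line shown on the page; group 2 is the host to replace.
JDBC_RE = re.compile(r"^(url=jdbc:postgresql://)([^:/\s]+)(:\d+/.*)$", re.MULTILINE)
# The loopback rule the new rule must follow (compared whitespace-normalised).
HBA_LOOPBACK = "host all all 127.0.0.1/32 trust"


def validate_bind_ip(bind_ip):
    """Return the address in canonical form; only IPv4 fits the /32 rule."""
    addr = ipaddress.ip_address(bind_ip.strip())
    if addr.version != 4:
        raise ValueError("binding address must be IPv4 for the /32 pg_hba rule")
    return str(addr)


def rewrite_jdbc_url(params_text, bind_ip):
    """Point the JDBC url at the bound address, keeping port, database and options."""
    bind_ip = validate_bind_ip(bind_ip)
    new_text, count = JDBC_RE.subn(lambda m: m.group(1) + bind_ip + m.group(3), params_text)
    if count != 1:
        raise ValueError("expected exactly one url=jdbc:postgresql:// line, found %d" % count)
    return new_text


def add_pg_hba_entry(hba_text, bind_ip):
    """Insert 'host all all <ip>/32 trust' directly after the IPv4 loopback rule.

    Idempotent: running it twice with the same address adds nothing, so the
    file does not accumulate duplicate rules. 'trust' means no password is
    asked from that address, so the database port must stay host-local.
    """
    bind_ip = validate_bind_ip(bind_ip)
    new_rule = "host all all %s/32 trust" % bind_ip
    lines = hba_text.splitlines()
    normalised = [" ".join(line.split()) for line in lines]
    if new_rule in normalised:
        return hba_text
    if HBA_LOOPBACK not in normalised:
        raise ValueError("pg_hba.conf has no IPv4 loopback rule to anchor the new rule on")
    lines.insert(normalised.index(HBA_LOOPBACK) + 1, new_rule)
    return "\n".join(lines) + ("\n" if hba_text.endswith("\n") else "")


def patch_file(path, transform, bind_ip):
    """Read a file, apply one transform and write it back, keeping a .bak copy."""
    with open(path, "r", encoding="utf-8") as fh:
        original = fh.read()
    updated = transform(original, bind_ip)
    if updated != original:
        with open(path + ".bak", "w", encoding="utf-8") as fh:
            fh.write(original)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(updated)
    return updated != original


if __name__ == "__main__":
    # Usage: python bind_ip.py <ELA home> <binding IPv4 address>
    ela_home, ip = sys.argv[1], sys.argv[2]
    changed_db = patch_file(os.path.join(ela_home, "conf", "database_params.conf"), rewrite_jdbc_url, ip)
    changed_hba = patch_file(os.path.join(ela_home, "pgsql", "data", "pg_hba.conf"), add_pg_hba_entry, ip)
    print("database_params.conf changed:", changed_db, "| pg_hba.conf changed:", changed_hba)
```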

 

For Build 8000 or earlier

To bind the EventLog Analyzer server to a specific interface, follow the procedure given below:

For EventLog Analyzer running as an application:

Add the following option to the SysEvtCol.exe start command:

-bindip <IP address of the interface to which EventLog Analyzer needs to be bound>

An example entry is given below:

bin\SysEvtCol.exe -loglevel 3 -bindip 192.168.111.153 -port 513 514 %*

For EventLog Analyzer running as a service:


Startup and Shut Down

MySQL-related errors on Windows machines

Probable cause: An instance of MySQL is already running on this machine.
Solution: Shut down all instances of MySQL and then start the EventLog Analyzer server.

Probable cause: Port 33335 is not free.
Solution: Kill the other application running on port 33335. If you cannot free this port, change the MySQL port used in EventLog Analyzer.

 

EventLog Analyzer displays "Port 8400 needed by EventLog Analyzer is being used by another application. Please free the port and restart EventLog Analyzer" when trying to start the server

Probable cause: The default web server port used by EventLog Analyzer is not free.
Solution:

Kill the other application running on port 8400. Then add the following wrapper parameter after the existing wrapper.java.additional.20 entry:

wrapper.java.additional.21=-Djava.net.preferIPv4Stack=true

Before adding:

wrapper.java.additional.20=-Dorg.tanukisoftware.wrapper.WrapperManager.mbean=false

After adding:

wrapper.java.additional.20=-Dorg.tanukisoftware.wrapper.WrapperManager.mbean=false
wrapper.java.additional.21=-Djava.net.preferIPv4Stack=true

If you cannot free this port, change the web server port used in EventLog Analyzer.

 

EventLog Analyzer displays "Can't Bind to Port <Port Number>" when logging into the UI.

Probable cause: The syslog listener port of EventLog Analyzer is not free.
Solution:

Start up and shut down batch files not working on Distributed Edition when taking backup.

Probable cause: Path names are given incorrectly.

Solution:

 

Configuration

While adding a device for monitoring, the 'Verify Login' action throws an 'RPC server unavailable' error

The probable reason and the remedial action are:
Probable cause: The RPC (Remote Procedure Call) port of the device machine is blocked by a firewall.
Solution: Unblock the RPC ports in the firewall.

While adding a device for monitoring, the 'Verify Login' action throws an 'Access Denied' error.

The probable reasons and the remedial actions are:

Probable cause: The device machine is not reachable from the EventLog Analyzer machine.
Solution: Check the network connectivity between the device machine and the EventLog Analyzer machine using the PING command.
Probable cause: The device machine is running the system firewall and the REMOTEADMIN service is disabled.
Solution: Check whether the system firewall is running on the device. If it is, execute the following command in a command prompt window on the device machine:
netsh firewall set service type=REMOTEADMIN mode=ENABLE profile=all

When a WBEM test is carried out, it fails and shows an error message with code 80041010 on Windows Server 2003.

The probable reasons and the remedial actions are:

Probable cause: By default, the WMI component is not installed on Windows Server 2003.

Solution: The Win32_Product class is not installed by default on Windows Server 2003. To add the class, follow the procedure given below:

 

  1. In Add or Remove Programs, click Add/Remove Windows Components.

  2. In the Windows Components Wizard, select Management and Monitoring Tools, then click Details.

  3. In the Management and Monitoring Tools dialog box, select WMI Windows Installer Provider and then click OK.

  4. Click Next.

How to enable Object Access logging in Linux OS?

The probable reasons and the remedial actions are:

Probable cause: Object access logging is not enabled in the Linux OS.

Solution: The steps to enable object access logging in Linux are given below:

In the file /etc/xinetd.d/wu-ftpd, edit the server arguments as shown below:

server_args = -i -o -L

 

What are the commands to start and stop the Syslog Daemon in Solaris 10?

The probable reasons and the remedial actions are:

Probable cause: Unable to start or stop the Syslog Daemon in Solaris 10.

Solution: In Solaris 10, the commands to stop and start the syslogd daemon are:

# svcadm disable svc:/system/system-log:default

# svcadm enable svc:/system/system-log:default

In Solaris 10, to restart the syslogd daemon and force it to reread /etc/syslog.conf:

# svcadm refresh svc:/system/system-log:default
or
# svcadm -v restart svc:/system/system-log:default

While configuring incident management with ServiceDesk, I am facing SSL Connection error.

This error can occur if the ServiceDesk server's HTTPS certificate is not included in EventLog Analyzer's JRE certificate store. To import the certificate into EventLog Analyzer's JRE certificate store, follow the steps below:

1. Place the server's certificate in your browser's certificate store by choosing to trust it when your browser shows the error saying that the certificate is not trusted.

2. Export the certificate as a binary DER file from your browser.

For Firefox, you can find this under Preferences > Advanced > Encryption > Servers

For IE, Internet Options > Content > Certificates > Personal > Export

For Chrome, Settings > Show Advanced Settings > Manage Certificates

3. Use the keytool utility to import the certificate into EventLog Analyzer's JRE certificate store:

keytool -import -alias SDPserver -keystore "<EventLog Analyzer Home>/jre/lib/security/cacerts" -file <path-to-certificate-file>

Enter the keystore password when prompted. Note that the default password is changeit.



 

File Integrity Monitoring (FIM) troubleshooting

Try the following troubleshooting, if username is enabled for a particular folder.

 

Note: The following GUI is for the SACL entry in folder properties.

 

 

Error statuses in File Integrity Monitoring (FIM).

1. Permission denied

Causes

Solutions

2. Audit service unavailable
Cause

Solution

3. Access restriction from SELinux

Cause

Solutions

4. Agent upgrade failure
Causes

Solutions

5. Agent Installation Failed
Causes

Solutions

6. Agent Installation on Incompatible Platform

Solutions

Port management error codes

The following are some common errors, their causes, and possible solutions. Feel free to contact our support team for any further information.

Port already used by some other application

Cause: The specified port cannot be used because it is already in use by another application.

Solution: This can be solved either by changing the port used by the other application or by using a new port for EventLog Analyzer.

If you use a new port, make sure to change the ports in the forwarding device either manually or using auto log forwarding configuration.

TLS not configured

Cause: HTTPS not configured to support TLS encrypted logs.

Solution: Configure the server to use either a self-signed certificate or a valid PFX certificate.

For more details visit Connection settings.

PFX not configured

Cause: HTTPS is configured, but the type of certificate is not supported.

Solution 1: If no valid certificate is used, it is recommended to use a self-signed certificate.

To find the type of certificate used,

  • Open the Conf/Server.xml file and check the connector tag.

  • Check the extension of the attribute keystoreFile.

Solution 2: If a valid KeyStore certificate is used, execute the following command in a terminal in <EventLog Analyzer home>/jre/bin:

keytool -importkeystore -srckeystore <certificate path> -destkeystore server.pfx -deststoretype PKCS12 -deststorepass <password> -srcalias tomcat -destalias tomcat

For more details visit Connection settings.

External error

Cause: Unknown external issue.

Solution: Please contact EventLog Analyzer Technical Support.

The event source file(s) configuration throws the "Unable to discover files" error.

Possible remedial actions include:

  • Check the credentials of the machine.
  • Check the connectivity of the device.
  • Ensure that the remote registry service is not disabled.
  • The user should have admin privileges.
  • Open keys and keys with sub-keys cannot be deleted.

Log Collection and Reporting

I've added a device, but EventLog Analyzer is not collecting event logs from it

Probable cause: The device machine is not reachable from the EventLog Analyzer server machine.
Solution: Check if the device machine responds to a ping command. If it does not, the machine is not reachable. The device machine has to be reachable from the EventLog Analyzer server in order to collect event logs.
Probable cause: You do not have administrative rights on the device machine.
Solution: Edit the device's details and enter the Administrator login credentials of the device machine. Click Verify Login to see if the login was successful.

Error Code 0x251C

Probable cause: The device was added when importing application logs associated with it. In this case, only the specified application logs are collected from the device, and the device type is listed as unknown.

Solution:

1. Click on the update icon next to the device name.
2. Select the appropriate device type.
3. Provide any other required information for the selected device type.
4. Click on update.

I get an Access Denied error for a device when I click on "Verify Login" but I have given the correct login credentials

Probable cause: There may be other reasons for the Access Denied error.
Solution: Refer to the Cause and Solution for the Error Code you got during Verify Login.


Error Code 0x80070005

Scanning of the Windows workstation failed due to one of the following reasons:

1. The login name and password provided for scanning are invalid on the workstation.
   Solution: Check if the login name and password are entered correctly.

2. The Remote DCOM option is disabled on the remote workstation.
   Solution: Check if Remote DCOM is enabled on the remote workstation. If it is not enabled, enable it in the following way:
   1. Select Start > Run.
   2. Type dcomcnfg in the text box and click OK.
   3. Select the Default Properties tab.
   4. Select the Enable Distributed COM in this machine checkbox.
   5. Click OK.

   To enable DCOM on Windows XP devices:
   1. Select Start > Run.
   2. Type dcomcnfg in the text box and click OK.
   3. Click Component Services > Computers > My Computer.
   4. Right-click and select Properties.
   5. Select the Default Properties tab.
   6. Select the Enable Distributed COM in this machine checkbox.
   7. Click OK.

3. The user account is invalid on the target machine.
   Solution: Check if the user account is valid on the target machine by opening a command prompt and executing the following commands:
   net use \\<RemoteComputerName>\C$ /u:<DomainName>\<UserName> "<password>"
   net use \\<RemoteComputerName>\ADMIN$ /u:<DomainName>\<UserName> "<password>"

   If these commands show any errors, the provided user account is not valid on the target machine.

Error Code 0x80041003

The user name provided for scanning does not have sufficient access privileges to perform the scanning operation. This user may not belong to the Administrators group on the device machine.

Solution: Move the user to the Administrators group of the workstation or scan the machine using an administrator (preferably a Domain Administrator) account.

Error Code 0x800706ba

A firewall is configured on the remote computer. Such exceptions mostly occur in Windows XP (SP2) when the default Windows firewall is enabled.

Solution:

1. Disable the default firewall on the Windows XP machine:
   Select Start > Run.
   Type Firewall.cpl and click OK.
   In the General tab, click Off.
   Click OK.

2. If the firewall cannot be disabled, enable Remote Administration for administrators on the remote machine by executing the following command:

netsh firewall set service RemoteAdmin enable

After scanning, you can disable Remote Administration using the following command:

netsh firewall set service RemoteAdmin disable

Error Code 0x80040154

1. WMI is not available on the remote Windows workstation. This happens on Windows NT. Such error codes might also occur on later versions of Windows if the WMI components are not registered properly.

Solution: Install WMI core on the remote workstation.

2. WMI components are not registered.

Solution: Register the WMI DLL files by executing the following command in the command prompt:

winmgmt /RegServer

Error Code 0x80080005

There is an internal execution failure in the WMI service (winmgmt.exe) running on the device machine. The last update of the WMI repository on that workstation could have failed.

Solution:

Restart the WMI service on the remote workstation:

1. Select Start > Run.
2. Type Services.msc and click OK.
3. In the Services window that opens, select the Windows Management Instrumentation service.
4. Right-click and select Restart.

For any other error codes, refer to the MSDN knowledge base.
       

I have added a Custom alert profile and enabled it. But the alert is not generated in EventLog Analyzer even though the event has occurred on the device machine

Probable cause: The alert criteria have not been defined properly.
Solution: Ensure that the required fields in the Add Alert Profile screen have been filled in properly. Check that the e-mail address provided is correct. Ensure that the mail server has been configured correctly.

When I create a Custom Report, I am not getting the report with the configured message in the Message Filter

Probable cause: The message filters have not been defined properly.
Solution: When entering the string in the Message Filters for matching against the log message, ensure you copy/enter the exact string as shown in the Windows Event Viewer.
e.g., Logon Name:John

MS SQL server for EventLog Analyzer stopped

Probable cause: The transaction logs of MS SQL could be full.
Solution: If the EventLog Analyzer MS SQL database transaction logs are full, shrink them with the procedure given below:

I successfully configured Oracle device(s), still cannot view the data

If the Oracle device is Windows, open Event Viewer on that machine and check for Oracle source logs under the Application log. If Linux, check the log file to which you are writing the Oracle logs. If the Oracle logs are available in the specified file but EventLog Analyzer is still not collecting them, contact EventLog Analyzer Support.


The Syslog host is not added automatically to EventLog Analyzer/the Syslog reception has suddenly stopped

Check EventLog Analyzer's live Syslog Viewer for incoming Syslog packets.

If you are able to view the logs there, the packets are reaching the machine but not EventLog Analyzer. Check your Windows firewall or Linux iptables rules.

If you are not able to view the logs in the Syslog Viewer, check whether the EventLog Analyzer server is reachable. This can be done in the following ways:

1. Ping the server.

2. For TCP, try the command telnet <ela_server_name> <port_no>, where 514 is the default TCP port.

3. Use tcpdump:

tcpdump -n dst <ela_server_name> and dst port <port_no>

If the server is reachable, there was some issue with the configuration. If it is not reachable, you are facing a network issue.
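The reachability steps above can be scripted so that the test packet is one you control and can look for in the live Syslog Viewer. The following is an added example, not code from ManageEngine: it performs the TCP connect check that the telnet step does and sends one constructed RFC 3164 syslog line over UDP or TCP (514 by default); the hostname, the ela-check tag and the function names are placeholders chosen here.

```python
"""Syslog reachability check for an EventLog Analyzer server.

Added example, not part of the ManageEngine documentation. It performs the
TCP reachability test from the steps above programmatically and sends one
constructed RFC 3164 syslog line over UDP or TCP (514 by default), so you
can look for it in the live Syslog Viewer. The 'testhost' name and the
'ela-check' tag are placeholders chosen for this example.
"""
import socket
import sys
import time


def build_syslog_message(hostname, tag, text, facility=1, severity=6, timestamp=None):
    """Build an RFC 3164 line: <PRI>TIMESTAMP HOSTNAME TAG: TEXT, PRI = facility*8 + severity."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0-23 and severity 0-7")
    timestamp = timestamp or time.strftime("%b %d %H:%M:%S")
    return "<%d>%s %s %s: %s" % (facility * 8 + severity, timestamp, hostname, tag, text)


def tcp_reachable(host, port, timeout=3.0):
    """True if a TCP connection to host:port succeeds (what the telnet step checks)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def send_test_message(host, port, message, proto="udp"):
    """Send one syslog line; returns the number of bytes handed to the socket."""
    data = (message + "\n").encode("utf-8")
    if proto == "udp":
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.sendto(data, (host, port))
    elif proto == "tcp":
        with socket.create_connection((host, port), timeout=5.0) as sock:
            sock.sendall(data)
    else:
        raise ValueError("proto must be 'udp' or 'tcp'")
    return len(data)


def loopback_check(proto="tcp"):
    """Offline self-test: receive our own message on a throwaway local listener."""
    message = build_syslog_message("testhost", "ela-check", "constructed test event",
                                   timestamp="Jan  1 00:00:00")
    sock_type = socket.SOCK_STREAM if proto == "tcp" else socket.SOCK_DGRAM
    with socket.socket(socket.AF_INET, sock_type) as server:
        server.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
        port = server.getsockname()[1]
        server.settimeout(5.0)
        if proto == "tcp":
            server.listen(1)
            send_test_message("127.0.0.1", port, message, "tcp")
            conn, _ = server.accept()
            with conn:
                received = conn.recv(4096)
        else:
            send_test_message("127.0.0.1", port, message, "udp")
            received, _ = server.recvfrom(4096)
    return received.decode("utf-8").rstrip("\n") == message


if __name__ == "__main__":
    # Usage: python syslog_check.py <ela_server> [port] [udp|tcp]
    target = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 514
    proto = sys.argv[3] if len(sys.argv) > 3 else "udp"
    if proto == "tcp":
        print("TCP %s:%d reachable: %s" % (target, port, tcp_reachable(target, port)))
    msg = build_syslog_message(socket.gethostname(), "ela-check", "test event from syslog_check.py")
    print("sent %d bytes over %s: %s" % (send_test_message(target, port, msg, proto), proto, msg))
```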

     

Performance

Insufficient CPU for EventLog Analyzer

For troubleshooting, please follow the steps below:

1. Check if other applications are blocking CPU cycles for EventLog Analyzer.
2. If a virtual machine is used, check for over-provisioning or whether snapshots are affecting performance.
3. If the log flow rate is high, please check our tuning guide.

Error messages while adding STIX/TAXII servers to EventLog Analyzer

This feature has been disabled for Online Demo!

This error message pops up when the feature you tried to use is not available in the online demo version of EventLog Analyzer. To try out that feature, download the free version of EventLog Analyzer.

Connection failed. Please try configuring proxy server.

This error message can have different causes. It might be due to network issues, proxy-related issues, bad requests in the network, or the URL not pointing to a STIX/TAXII server.

Failed to connect to the URL.

This error message denotes that the URL entered is malformed.

Authorization failed.

This error message signifies that the credentials entered are wrong.

SSL Troubleshooting steps

Certificate name mismatch

Description:

This error occurs when the common name of the SSL certificate doesn't exactly match the hostname of the server on which EventLog Analyzer is installed.

Solution:

Get a new SSL certificate for the current hostname of the server on which EventLog Analyzer is installed.

Invalid Certificate

Description:

This error occurs when the SSL certificate you have configured with EventLog Analyzer is invalid. A certificate can become invalid because it has expired or for other reasons.

Solution:

Configure EventLog Analyzer to use a valid SSL certificate.

SMS Settings

Troubleshooting SSLHandshakeException in SMS Server Settings.

Description:

This exception occurs when you configure an SMTP mail server or a web server with SSL in EventLog Analyzer and the server uses a self-signed certificate. The Java Runtime Environment used by EventLog Analyzer will not trust a self-signed certificate unless it is explicitly imported.

Solution:
You need to import the self-signed certificate used by the server into the JRE package used by EventLog Analyzer. Follow the steps given below:

Step 1: Download the certificate

For SMTP servers:

Note:

openssl.exe s_client -connect <SMTPServer>:<Portno> -starttls smtp > certificatename.cer

For Web Servers:

Step 2: Import the certificates into the JRE package of EventLog Analyzer.
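Both this procedure and the ServiceDesk SSL procedure earlier on this page come down to the same two steps: obtain the server's certificate in DER form and import it with keytool. The following is an added example, not code from ManageEngine, that fetches the certificate from an HTTPS server or a STARTTLS SMTP server, prints its SHA-256 fingerprint so it can be confirmed with the server owner before it is trusted, and builds the keytool command; the path <ELA home>/jre/lib/security/cacerts, the output file name and the function names are assumptions made here.

```python
"""Fetch a server certificate and prepare its import into EventLog Analyzer's JRE.

Added example, not part of the ManageEngine documentation. It retrieves the
certificate an HTTPS (web/ServiceDesk) server or a STARTTLS SMTP server
presents, saves it as DER, prints its SHA-256 fingerprint so you can confirm
it with the server owner before trusting it, and builds the keytool command
for <ELA home>/jre/lib/security/cacerts (assumed location). Names are ours.
"""
import hashlib
import os
import smtplib
import socket
import ssl
import sys


def fetch_der_cert(host, port, starttls_smtp=False, timeout=10.0):
    """Return the DER-encoded leaf certificate the server presents.

    Verification is switched off on purpose: a self-signed certificate is
    exactly what the JRE cannot verify yet. That is why the fingerprint must
    be checked out of band before the import.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    if starttls_smtp:
        # Same handshake as: openssl s_client -connect host:port -starttls smtp
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.starttls(context=ctx)
            return smtp.sock.getpeercert(binary_form=True)
    raw = socket.create_connection((host, port), timeout=timeout)
    with ctx.wrap_socket(raw, server_hostname=host) as tls:
        return tls.getpeercert(binary_form=True)


def pem_to_der(pem_text):
    """Convert a browser-exported PEM certificate to the DER form keytool reads."""
    return ssl.PEM_cert_to_DER_cert(pem_text)


def fingerprint_sha256(der_bytes):
    """Colon-separated SHA-256 fingerprint, as browsers display it."""
    digest = hashlib.sha256(der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def keytool_import_command(ela_home, alias, der_path):
    """Build the keytool -import command for the JRE bundled with EventLog Analyzer.

    No -noprompt and no -storepass: keytool shows the certificate and asks
    for the keystore password (default 'changeit' per the page) interactively.
    """
    jre = os.path.join(ela_home, "jre")
    return [
        os.path.join(jre, "bin", "keytool"), "-import",
        "-alias", alias,
        "-keystore", os.path.join(jre, "lib", "security", "cacerts"),
        "-file", der_path,
    ]


def main(argv):
    # Usage: python fetch_cert.py <ELA home> <host> <port> [--smtp]
    if len(argv) < 4:
        print("usage: fetch_cert.py <ELA home> <host> <port> [--smtp]")
        return 2
    ela_home, host, port = argv[1], argv[2], int(argv[3])
    der = fetch_der_cert(host, port, starttls_smtp="--smtp" in argv[4:])
    out_path = "%s_%d.cer" % (host, port)
    with open(out_path, "wb") as fh:
        fh.write(der)
    print("saved", out_path, "SHA-256:", fingerprint_sha256(der))
    print("import with:", " ".join(keytool_import_command(ela_home, "%s-%d" % (host, port), out_path)))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Compare the printed fingerprint with the one the server administrator reports (or the one shown in the browser's certificate viewer) before running the import command.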
