Help Document

Troubleshooting tips

Configuration

  1. While adding a device for monitoring, the 'Verify Login' action throws an RPC server unavailable error
  2. While adding a device for monitoring, the 'Verify Login' action throws an 'Access Denied' error.
  3. When the WBEM test is carried out, it fails and shows an error message with code 80041010 in Windows Server 2003.
  4. Port management error codes
  5. The event source file(s) configuration throws the "Unable to discover files" error.
  6. Microsoft 365 - Audit Logging must be turned on to fetch data
  7. Microsoft 365 - Invalid Application Password.
  8. Microsoft 365 - Missing Microsoft Entra ID application.
  9. Microsoft 365 - Missing Microsoft Entra ID application scope or permission.
  10. Logs for the configured FIM device are unavailable.
  11. Installing agents with GPOs failed. Why? (or) Why did installing agents with GPOs fail?

Log Collection and Reporting

  1. I've added a device, but Log360 Cloud Agent is not collecting event logs from it
  2. I get an Access Denied error for a device when I click on "Verify Login" but I have given the correct login credentials
  3. The Syslog host is not added automatically to Log360 Cloud Agent/the Syslog reception has suddenly stopped
  4. Agent upgrade failed. What should I do?
  5. Auto log forwarding failed. What should I do?
  6. Authentication failure due to missing Trusted Root CA certificate (Curl 60). How can I fix it?
  7. What should I do if the agent status shows "Agent not communicating" or "Sync Failed"?
  8. Agent sync delayed or Service status unavailable status. What should I do?
  9. What should I do if the agent status shows "Partial success" and the description in the hover text reads "Lookup field limitations apply when cross-domain log collection is done"?
  10. What should I do if the agent status shows "Lookup field limitations apply when collecting logs from workstations to server."?
  11. What should I do if the agent status shows "Lookup field limitations apply when collecting logs across domains or from workstations to servers."?
  12. Agent down due to low disk space

Configuration

1. While adding a device for monitoring, the 'Verify Login' action throws an RPC server unavailable error

The probable reason and the remedial action are:

Probable cause: The RPC (Remote Procedure Call) port of the device machine is blocked by a firewall.

Solution: Unblock the RPC ports in the firewall.

2. While adding a device for monitoring, the 'Verify Login' action throws an 'Access Denied' error.

The probable reasons and the remedial actions are:

Probable cause: The device machine is not reachable from the Log360 Cloud Agent machine.

Solution: Check the network connectivity between the device machine and the Log360 Cloud Agent machine by using the PING command.

Probable cause: The device machine is running a System Firewall and the REMOTEADMIN service is disabled.

Solution: Check whether the System Firewall is running on the device. If it is, execute the following command in the command prompt window of the device machine:

netsh firewall set service type=REMOTEADMIN mode=ENABLE profile=all

3. When the WBEM test is carried out, it fails and shows an error message with code 80041010 in Windows Server 2003.

The probable reason and the remedial action are:

Probable cause: By default, the WMI component is not installed in Windows Server 2003.

Solution: The Win32_Product class is not installed by default on Windows Server 2003. To add the class, follow the procedure given below:

  • In Add or Remove Programs, click Add/Remove Windows Components.
  • In the Windows Components Wizard, select Management and Monitoring Tools, then click Details.
  • In the Management and Monitoring Tools dialog box, select WMI Windows Installer Provider and then click OK.
  • Click Next.

4. Port management error codes

The following are some of the common errors, their causes, and the possible solutions. Feel free to contact our support team for any information.

  • Access denied / Port(s) already in use

    Cause: The port is already being used by another application.

    Solution: Free up the port or use a different port.

  • TLS is not configured

    Cause: TLS is not configured to support encrypted logs.

    Solution: Upgrade the agent to the latest version to configure TLS.

  • PFX is not configured

    Cause: HTTPS is configured, but the certificate type is not supported.

    Solution: Install a proper certificate in the agent.

  • External error

    Cause: Unknown external issue.

    Solution: Contact our support team for assistance.

  • Certificate is not installed

    Cause: TLS is configured, but no certificate is found in the ManageEngineLog360 store.

    Solution: Install a proper certificate in the agent. Refer here to install a certificate.

  • Multiple certificates installed in ManageEngineLog360 store

    Cause: The ManageEngineLog360 certificate store contains more than one certificate.

    Solution: Delete the unwanted certificates from the store.

  • Certificate has expired

    Cause: An expired certificate is installed in the agent.

    Solution: Update the expired certificate in the agent and restart the agent.

  • Port already configured as TLS

    Cause: The same port is configured for the agent as TLS.

    Solution: Delete that TLS port or deselect the agent from the TLS port and update the agent to use a TCP port. Refer here to update agents for an existing syslog port.

  • Port already configured as TCP

    Cause: The same port is configured for the agent as TCP.

    Solution: Delete that TCP port or deselect the agent from the TCP port and update the agent to use a TLS port. Refer here to update agents for an existing syslog port.

  • TLS configuration error

    Cause: An error occurred while configuring TLS or the TLS port.

    Solution: Contact our support team for assistance.

If you use a new port, make sure to change the ports in the forwarding device either manually or using auto log forwarding configuration.

5. The event source file(s) configuration throws the "Unable to discover files" error.

Possible remedial actions include:

  • Check the credentials of the machine.
  • Check the connectivity of the device.
  • Ensure that the remote registry service is not disabled.
  • The user should have admin privileges.
  • The open keys and keys with sub-keys cannot be deleted.

6. Microsoft 365 - Audit Logging must be turned on to fetch data

To turn on Audit Logging, use either of these two methods.

  1. Turn on audit logging through the Microsoft 365 portal.
    • Log in to the Microsoft 365 Portal and navigate to the Admin tab.
    • Go to Admin centers > Compliance. Navigate to Solutions > Audit. Alternatively, you can go directly to the Audit page by using Audit Log Search.
    • If auditing is not turned on for your organization, a banner will be displayed prompting you to start recording user and admin activity.
    • Select the Start recording user and admin activity banner. (Note: It may take up to 60 minutes for the change to take effect.)

  2. Turn on audit logging through PowerShell.
    • Run the following cmdlets in PowerShell:

      $UserCredential = Get-Credential
      $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
      Import-PSSession $Session -CommandName Set-AdminAuditLogConfig
      Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled:$True
      Remove-PSSession $Session

7. Microsoft 365 - Invalid Application Password.

Cause: This error message is shown if the application password entered has been deleted or expired.

Solution: Create a new application password and update the same in the product's tenant settings.

8. Microsoft 365 - Missing Microsoft Entra ID application.

Cause: This error message is shown if the Microsoft Entra ID application is deleted.

Solution: Configure a new application in the Azure portal. Follow the steps listed here to configure your application manually.

9. Microsoft 365 - Missing Microsoft Entra ID application scope or permission.

  • Update the necessary permissions in the application.
  • You can check and update permissions by navigating to Tenant Settings > Rest API Access > Update Permissions.

10. Logs for the configured FIM device are unavailable.

11. Installing agents with GPOs failed. Why? (or) Why did installing agents with GPOs fail?

The installation of agents using GPOs may have failed due to one of the following reasons:

  • GPO is not linked to the domain or the OU

    Cause: The created GPO is not linked to either the domain or the OU containing the target computers.

    Solution: Link an existing GPO, or create a new GPO and link it, to the domain or to an OU containing the target computers.

    Note: Please ensure that the OU linked to the GPO contains the required computers.

    Note: A GPO can also be applied to the entire domain.

  • MSI file in the shared folder is not accessible

    Cause: The shared folder containing the MSI file is not publicly accessible from client machines.

    Solution: Enable permissions for all users in the domain to access the shared folder.

  • Incorrect script parameters

    Cause: The script parameters and shared folder path entered may be incorrect.

    Solution: Ensure they are correctly specified.

    Eg: /INSTALLERPATH:"\\Server-1\RemoteFolder\Log360CloudAgent.exe"

  • GPO not reflecting on the client machines

    Cause: Group policy changes are not reflected on the client machines.

    Solution: Reboot the machine, since the agent is installed through a startup script.

If the above troubleshooting steps do not resolve the issue, try the following:

  • Please review all the steps mentioned on this page carefully.

  • Run the following command and analyse the gporesult.html file to check for issues with the configured GPO:

    gpresult /H gporesult.html

    (Figure: preview of gporesult.html when the policy is applied successfully.)

  • If GPO changes are not reflecting on the client machine, run the following command and then reboot the machine:

    gpupdate /force

    This forces the Group Policy Client service to refresh the GPO settings.

  • If the issue persists, please contact our support team and share the following files for further debugging:
    • C:\Windows\EventLogScriptlog.txt
    • C:\agentInstall.log
    • C:\agentninstall.log
    • gporesult.html

Log Collection and Reporting

1. I've added a device, but Log360 Cloud Agent is not collecting event logs from it

Probable cause: The client machine is not reachable from the agent.

Solution: Check if the device machine responds to a ping command. If it does not, then the machine is not reachable. The device machine has to be reachable from the Log360 Cloud Agent in order to collect event logs.

Probable cause: You do not have administrative rights on the device machine

Solution: Edit the device's details, and enter the Administrator login credentials of the device machine. Click Verify Login to see if the login was successful.

Error Code 0x251C

Probable cause: The device was added when importing application logs associated with it. In this case, only the specified application logs are collected from the device, and the device type is listed as unknown.

Solution:

  1. Click on the update icon next to the device name.
  2. Select the appropriate device type.
  3. Provide any other required information for the selected device type.
  4. Click on update.

2. I get an Access Denied error for a device when I click on "Verify Login" but I have given the correct login credentials

Probable cause: There may be other reasons for the Access Denied error.

Solution: Refer to the cause and solution for the error code you received during Verify Login.

Error Code 0x80070005

Scanning of the Windows workstation failed due to one of the following reasons:

  1. The login name and password provided for scanning are invalid on the workstation.

     Solution: Check if the login name and password are entered correctly.

  2. The Remote DCOM option is disabled on the remote workstation.

     Solution: Check if Remote DCOM is enabled on the remote workstation. If it is not, enable it as follows:

     • Select Start → Run.
     • Type dcomcnfg in the text box and click OK.
     • Select the Default Properties tab.
     • Select the Enable Distributed COM in this machine checkbox.
     • Click OK.

     To enable DCOM on Windows XP devices:

     • Select Start → Run.
     • Type dcomcnfg in the text box and click OK.
     • Click on Component Services → Computers → My Computer.
     • Right-click and select Properties.
     • Select the Default Properties tab.
     • Select the Enable Distributed COM in this machine checkbox.
     • Click OK.

  3. The user account is invalid on the target machine.

     Solution: Check if the user account is valid on the target machine by opening a command prompt and executing the following commands:

       net use \\<RemoteComputerName>\C$ /u:<DomainName\UserName> "<password>"

       net use \\<RemoteComputerName>\ADMIN$ /u:<DomainName\UserName> "<password>"

     If these commands show any errors, the provided user account is not valid on the target machine.

Error Code 0x80041003

The user name provided for scanning does not have sufficient access privileges to perform the scanning operation. This user may not belong to the Administrator group for this device machine.

Solution: Move the user to the Administrator Group of the workstation or scan the machine using an administrator (preferably a Domain Administrator) account.

Error Code 0x800706ba

A firewall is configured on the remote computer. Such exceptions mostly occur in Windows XP (SP 2), when the default Windows firewall is enabled.

Solution:

  • Disable the default Firewall in the Windows XP machine:
    • Select Start → Run.
    • Type Firewall.cpl and click OK.
    • In the General tab, click Off.
    • Click OK.
  • If the firewall cannot be disabled, launch Remote Administration for administrators on the remote machine by executing the following command:

    netsh firewall set service RemoteAdmin

    After scanning, you can disable Remote Administration using the following command:

    netsh firewall set service RemoteAdmin disable

Error Code 0x80040154

WMI is not available in the remote Windows workstation. This happens in Windows NT. Such error codes might also occur in higher versions of Windows if the WMI components are not registered properly.

Solution:

  • Install WMI core in the remote workstation.
  • Register the WMI DLL files by executing the following command in the command prompt:

    winmgmt /RegServer

Error Code 0x80080005

There is some internal execution failure in the WMI service (winmgmt.exe) running in the device machine. The last update of the WMI Repository in that workstation could have failed.

Solution: Restart the WMI Service in the remote workstation:

  • Select Start → Run.
  • Type Services.msc and click OK.
  • In the Services window that opens, select Windows Management Instrumentation service.
  • Right-click and select Restart.

For any other error codes, refer to the MSDN knowledge base.

Error Code 1722, 1726, 1753, 1825

Probable cause: The RPC (Remote Procedure Call) port of the device machine is blocked by a firewall.

Solution: Unblock the RPC ports in the Firewall.
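The checks in this section can be run in one pass from the agent machine. The following PowerShell is an added example, not ManageEngine code: the function name `Test-VerifyLoginPath` and the host name in the usage comment are hypothetical, TCP 135 is the standard RPC endpoint mapper port rather than a value from this page, and a WMI read of Win32_OperatingSystem is assumed to exercise the same WMI/DCOM path that Verify Login uses.

```powershell
# Added example (not ManageEngine code). Run on the Log360 Cloud Agent machine in
# Windows PowerShell 5.1; Get-WmiObject is not available in PowerShell 7.

# HRESULTs and their causes as listed on this page.
$PageCodes = @{
    '0x80070005' = 'Access denied: check credentials, Remote DCOM, and that the account is valid on the target'
    '0x80041003' = 'Insufficient privileges: the account may not be in the Administrator group'
    '0x800706BA' = 'A firewall is configured on the remote computer'
    '0x80040154' = 'WMI is not available or the WMI components are not registered'
    '0x80080005' = 'Internal execution failure in the WMI service (winmgmt.exe)'
    '0x80041010' = 'WMI class not installed (Win32_Product on Windows Server 2003)'
}
# Win32 error codes this page attributes to a blocked RPC port.
$RpcCodes = 1722, 1726, 1753, 1825

function Test-VerifyLoginPath {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [System.Management.Automation.PSCredential]$Credential
    )
    $report = [ordered]@{ Computer = $ComputerName }

    # Step 1: ICMP reachability (the page's PING check).
    $report.Ping = Test-Connection -ComputerName $ComputerName -Count 2 -Quiet

    # Step 2: RPC endpoint mapper on TCP 135 (standard port, not taken from the page).
    $report.Rpc135 = Test-NetConnection -ComputerName $ComputerName -Port 135 `
        -InformationLevel Quiet -WarningAction SilentlyContinue

    # Step 3: a read-only WMI query over DCOM; a failure here yields an HRESULT.
    try {
        $wmi = @{ Class = 'Win32_OperatingSystem'; ComputerName = $ComputerName; ErrorAction = 'Stop' }
        if ($Credential) { $wmi.Credential = $Credential }
        $os = Get-WmiObject @wmi
        $report.Wmi = "OK ($($os.Caption))"
    }
    catch {
        $hr = $_.Exception.HResult
        $code = '0x{0:X8}' -f $hr
        $report.Wmi = "Failed with $code"
        if ($PageCodes.ContainsKey($code)) { $report.Cause = $PageCodes[$code] }
        # HRESULTs of the form 0x8007nnnn carry a Win32 error in the low 16 bits,
        # so 0x800706BA is the same failure as error code 1722.
        if ($code -like '0x8007*') {
            $win32 = $hr -band 0xFFFF
            $report.Win32Error = $win32
            if ($RpcCodes -contains $win32) { $report.Hint = 'Unblock the RPC ports in the firewall' }
        }
    }
    [pscustomobject]$report
}

# Usage (hypothetical host name):
# Test-VerifyLoginPath -ComputerName 'WKS-042' -Credential (Get-Credential)
```

A result with Ping and Rpc135 both true but a failed Wmi step points at credentials, DCOM or WMI on the target rather than at the network.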

3. The Syslog host is not added automatically to Log360 Cloud Agent/the Syslog reception has suddenly stopped

If you are able to view the logs, the packets are reaching the machine but not Log360 Cloud Agent. Check your Windows firewall or Linux iptables.

To check if the Log360 Cloud Agent server is reachable, follow the steps given below.

  • Ping the server.
  • For TCP, try the command telnet <Log360 Cloud Agent_server_name> <port_no>, where 514 is the default TCP port.
  • Capture the traffic with tcpdump:

    tcpdump -n dst <Log360 Cloud Agent_server_name> and dst port <port_no>

If the server is reachable, there is an issue with the configuration. If it is not reachable, you are facing a network issue.

4. Agent upgrade failed. What should I do?

Causes

  • No connectivity with the agent during product upgrade.
  • Prerequisite URLs are not whitelisted. See prerequisite page.
  • Insufficient read, write, and modify permissions for files in the "C:\ProgramData" folder.
  • Insufficient access/read/write permissions for registry keys under

    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\ZOHO Corp\Log360Cloud or HKEY_LOCAL_MACHINE\SOFTWARE\ZOHO Corp\Log360Cloud.

  • Authentication failure due to a missing Trusted Root CA certificate.

Solutions

Manually install the agent by navigating to the Manage Agent page.

To install the agent:

Windows device: Run the Log360CloudAgent.msi. For detailed steps on how to install an agent, please click here.

5. Auto log forwarding failed. What should I do?

Auto log forwarding may fail due to any of the three reasons below.

  1. Invalid credentials - The username/password (root password) used to establish the SSH connection may be invalid.
  2. Device not found - The device that you tried to configure may not be available in the network.
  3. Failure in establishing an SSH connection - SSH may be disabled on the device that the user is trying to configure.

6. Authentication failure due to missing Trusted Root CA certificate (Curl 60). How can I fix it?

  • Ensure all prerequisite URLs are whitelisted.
  • Make sure the latest OS security patch is applied on the agent machine so that its trusted root certificates are up to date. (Why is this needed? Refer to the Microsoft KB.) In case the latest security patch cannot be installed for any reason, follow the steps below to manually install only the required certificates.
    • Step 1 - On the machine where the agent is facing this issue, launch Run, type certlm.msc and press Enter.
    • Step 2 - Find Trusted Root Certification Authorities in the window that appears.
    • Step 3 - Search for USERTrust RSA Certification Authority. If the certificate is present, the failed authentication could be due to a different reason. Kindly contact our support team to resolve it.
    • Step 4 - If the USERTrust RSA Certification Authority certificate is not found, download this certificate and import it into the Trusted Root Certification Authorities store.
    • Step 5 - Restart the agent to check if the connectivity issue is resolved. If not, kindly contact our support team to resolve it.
  • If the above steps do not help, reinstall the latest version of the Log360 Cloud agent.
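Both the certificate errors under "Port management error codes" and Steps 1 to 3 above come down to inspecting a Windows certificate store, which can be scripted across many agents. The following PowerShell is an added example, not ManageEngine code: the function names are hypothetical, and it assumes the ManageEngineLog360 store is a LocalMachine store.

```powershell
# Added example (not ManageEngine code). Run elevated on the agent machine.
# Assumption: the ManageEngineLog360 store is under LocalMachine; adjust the path if not.

function Get-StoreCertificate {
    param([Parameter(Mandatory)][string]$StorePath)
    if (-not (Test-Path -Path $StorePath)) { return }
    # Keep only certificate objects, skipping any sub-containers.
    Get-ChildItem -Path $StorePath |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] }
}

# Maps the store state to the port management messages listed on this page.
function Test-AgentTlsStore {
    param([string]$StorePath = 'Cert:\LocalMachine\ManageEngineLog360')
    $certs = @(Get-StoreCertificate -StorePath $StorePath)
    if ($certs.Count -eq 0) { return 'Certificate is not installed' }
    if ($certs.Count -gt 1) {
        return 'Multiple certificates installed in ManageEngineLog360 store: ' +
               (($certs | ForEach-Object { $_.Thumbprint }) -join ', ')
    }
    $cert = $certs[0]
    if ($cert.NotAfter -lt (Get-Date)) {
        return "Certificate has expired ($($cert.NotAfter.ToString('u')))"
    }
    # Extra check, not a message from this page: a TLS listener needs the private key.
    if (-not $cert.HasPrivateKey) { return 'Certificate has no private key' }
    "OK: $($cert.Subject), valid until $($cert.NotAfter.ToString('u'))"
}

# Scripted form of Steps 1-3 for the Curl 60 error: is the root present and still valid?
function Test-TrustedRoot {
    param([string]$CommonName = 'USERTrust RSA Certification Authority')
    $hits = @(Get-StoreCertificate -StorePath 'Cert:\LocalMachine\Root' |
        Where-Object { $_.GetNameInfo('SimpleName', $false) -eq $CommonName })
    if ($hits.Count -eq 0) {
        return [pscustomobject]@{ Root = $CommonName; Status = 'Missing'; Thumbprint = $null; NotAfter = $null }
    }
    foreach ($c in $hits) {
        # Compare the thumbprint with the fingerprint published by the CA,
        # especially for a root that was imported by hand.
        [pscustomobject]@{
            Root       = $CommonName
            Status     = $(if ($c.NotAfter -lt (Get-Date)) { 'Expired' } else { 'Present' })
            Thumbprint = $c.Thumbprint
            NotAfter   = $c.NotAfter
        }
    }
}

Test-AgentTlsStore
Test-TrustedRoot | Format-List
```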

7. What should I do if the agent status shows "Agent not communicating"?

Agent not communicating status indicates an extended period without communication between the agent and the server.

To resolve this issue, follow these steps:

  • Ensure the Log360 Cloud server is accessible from the agent device.
  • Verify that the URLs mentioned in this page are whitelisted.
  • Check if any antivirus or firewall is blocking the communication between the server and the agent. If so, provide an exclusion for the Log360 Cloud agent in the antivirus software.
  • Ensure the Log360 Cloud Agent service is running, and start it if necessary.

Note: If the issue persists, contact support for further assistance.

8. Agent sync delayed or Service status unavailable status. What should I do?

Causes

  • Network connectivity issues on the agent machine.
  • The agent service is not running.
  • Firewall or antivirus software is blocking the connection.
  • Authentication failure due to a missing Trusted Root CA certificate

9. What should I do if the agent status shows "Partial success" and the description in the hover text reads "Lookup field limitations apply when cross-domain log collection is done"?

The probable reason and the remedial action are:

Probable cause: The device where the agent is installed and the device from which the agent is collecting logs are in different domains. The message indicates that the lookupfield (enrichment log data) won't be available.

Solution: Configure log collection for the respective device with an agent in the same domain.

10. What should I do if the agent status shows "Lookup field limitations apply when collecting logs from workstations to server."?

The probable reason and the remedial action are:

Probable cause: The device where the agent is installed is a client device, and it is collecting logs from servers. The message indicates that the lookupfield (enrichment log data) won't be available.

Solution: Configure log collection for the respective devices with an agent installed on a server.

11. What should I do if the agent status shows "Lookup field limitations apply when collecting logs across domains or from workstations to servers."?

The probable reasons and the remedial actions are:

Probable cause 1:

The agent and the selected devices are in different domains. It indicates that the lookupfield (enrichment log data) won't be available.

Solution:

Configure log collection for the selected devices with an agent in the same domain.

Probable cause 2:

The agent is installed on a client device and is collecting logs from the selected devices, which are servers.

Solution:

Configure log collection for the selected devices with an agent that is installed on server machines.

12. Agent down due to low disk space

Cause:

The Log360 Cloud Agent has stopped functioning because the installation drive is running critically low on disk space.

Resolution:

Ensure that at least 100 MB of free disk space is available on the drive where the agent is installed. Once sufficient space is freed, the agent will resume normal operations.