How do I troubleshoot if the syslogs are not arriving at the syslog folder in GMS or Analyzer?
03/26/2020 1097 13629
In some installation we have observed, syslogs are leaving the firewall (shows in packet capture) but never arrives at /GMSVP/syslog directory in Windows environment.
1. Disk Space:
Make sure there are more than 10% disk space available in the installation directory. GMS/Analyzer always requires 10% of total disk space to keep the system integrity.
2. Make sure UDP default port is open and listening:
We can use netstat -an command to see if the port is open.
- Open the command line
- Type: Netstat -an (C:Usersepatwary>netstat -an)
UDP 0.0.0.0:500 *:*
UDP 0.0.0.0:514 *:*
UDP 0.0.0.0:4500 *:*
UDP 0.0.0.0:5355 *:*
Make sure default UDP port 514 is listening mode.
- We can also use 'TCPVIEW' to see real time incoming syslogs. This will show data in sending and receiving bytes including port.
Dowload Link: https://technet.microsoft.com/en-us/sysinternals/tcpview.aspx
3. Open syslog port if not already opened:
If the port is not open we need to open the port manually in the advanced settings:
- Windows start menu > Windows Firewall with Advanced Security
- Inbound Rules > New Rule > Select radio button with Port > Next
- UDP > Port 514 (Default) > next
- Allow the connection > Next
- Allow to Domain, Private and Public > Next
- Give it a name (e.g. GMS_Analyzer port)
4. Use of Wireshark:
We can also install 'Wireshark' to see if the syslogs are arriving at the installation server. We can use the filter udp.port==514. This will filter all the syslogs receiving on port 514.
5. Check syslog port on sgmsConfig.xml file during the installation:
- Sometime during the installation client can decide to use different port rather than default syslog port 514. If the port is different than 514 we need check step 2,3 and 4 for all the settings.
- To verify the port open the sgmsConfig.xml file ( /GMSVP/conf directory)
- Check the following parameter:
<Parameter name="syslog.syslogServerPort" value="514"/>
If the port is different than 514 adjust all the above steps including firewalls with correct port settings.
6. Restart the syslog collector service if needed.