Overview
Syslog events are not archived, and the following error is logged:
Message from computer <event source> did not pass black/white list test and will be discarded.
Root Cause
A duplicate event source entry, licensed for Active Monitoring only, caused the device to be "blacklisted" because it did not have a complete license.
Resolution
- Confirm whether the error is present in the log (syslogcollectorplugin.csv).
- If the error is present, check Event Sources for duplicate entries of any devices that are gathering Syslogs (the machine may have been added manually by IP address, and Sync then gathered its hostname).
- Remove the erroneous entry.
- Restart the GFI EventsManager service.
- Wait 10 minutes for the Syslog gathering to begin.
- Confirm if the device is now gathering Syslog events.
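
As an aid for the first two steps, the following PowerShell sketch lists which event sources the error was logged for and how often. It is an added example, not GFI code; it relies only on the message text quoted above, the sample lines are constructed, and the real column layout of syslogcollectorplugin.csv may differ.

```powershell
# Message text as quoted in this article; the computer name sits between the fixed parts.
$Pattern = 'Message from computer (?<source>.+?) did not pass black/white list test and will be discarded'

function Get-DiscardedSyslogSource {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [AllowEmptyString()]
        [string[]]$Line
    )
    begin { $counts = @{} }   # PowerShell hashtable keys are case-insensitive
    process {
        foreach ($l in $Line) {
            $m = [regex]::Match($l, $Pattern)
            if ($m.Success) {
                # Strip any brackets or quotes wrapped around the name.
                $name = $m.Groups['source'].Value.Trim('<', '>', ' ', '"')
                $counts[$name] = 1 + [int]$counts[$name]
            }
        }
    }
    end {
        foreach ($name in ($counts.Keys | Sort-Object)) {
            $ip = $null
            $isIp = [System.Net.IPAddress]::TryParse($name, [ref]$ip)
            [pscustomobject]@{
                Source    = $name
                Discarded = $counts[$name]
                # Look in Event Sources for this name and for its counterpart
                # (hostname of this IP, or IP of this hostname).
                NameType  = $(if ($isIp) { 'IP address' } else { 'Hostname' })
            }
        }
    }
}

# Constructed sample lines (hypothetical layout and names).
$sample = @(
    '2024-01-01 10:00:00,Message from computer 192.0.2.10 did not pass black/white list test and will be discarded.'
    '2024-01-01 10:00:05,Message from computer 192.0.2.10 did not pass black/white list test and will be discarded.'
    '2024-01-01 10:00:07,Message from computer FW01 did not pass black/white list test and will be discarded.'
    '2024-01-01 10:00:09,Some unrelated log line'
)
$sample | Get-DiscardedSyslogSource | Format-Table -AutoSize
```

To run it against the real log, replace the last line with `Get-Content <path to syslogcollectorplugin.csv> | Get-DiscardedSyslogSource`.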