Overview
This article provides information on verifying that GFI EventsManager can receive Syslog events.
Information
To ensure that GFI EventsManager can receive Syslog messages you must make sure that:
- Syslog port 514 is open for data transmission on the computer where GFI EventsManager is installed.
- Syslog port 514 is not already being used by some other application on the computer where GFI EventsManager is installed.
- Syslog sources are sending Syslog messages to the computer where GFI EventsManager is running:
To verify whether Syslog sources are sending events, you must install a network sniffer on the machine where GFI EventsManager is running. For a good network sniffer, you can download Wireshark:
- Read more information about Using Wireshark to Capture Network Traffic.
Use Wireshark to capture all TCP/UDP packets sent from Syslog sources to the computer where GFI EventsManager is running. This helps you identify which Syslog sources are successfully sending Syslog messages to GFI EventsManager. This will also allow you to determine the following:
- A Syslog source configuration issue such as Syslog sources not directing messages to GFI EventsManager.
- A network configuration issue such as firewalls that are configured to block port 514/Syslog communication port.
- A technical issue such as lost packets or packet transmission delays due to excessive network traffic.
To simplify your debugging, you can also install a Syslog message generator on your Syslog sources. This would allow you to generate as many Syslog messages as you want without having to physically cause/create events. You can download Kiwi SyslogGen as your Syslog message generator.
Use Kiwi SyslogGen to send Syslog messages from a Syslog source to the computer where GFI EventsManager and Wireshark are running in order to identify packet delivery issues. Instructions on how to use Wireshark and Kiwi SyslogGen are provided below.
Capturing Network Packets Using Wireshark:
- Open Wireshark on the computer where GFI EventsManager will be installed.
- From the top menu, go to Capture > Options.
- Select the interface you want to monitor under Capture.
- Disable the option Capture packets in promiscuous mode.
- You can also specify a capture filter for Syslog packets. The capture filter to use in this case is UDP port 514.
- Click Start to begin capturing network packets.
Sending Syslog Messages Using Kiwi SyslogGen:
- Open Kiwi SyslogGen on the Syslog source computer.
- In the Target IP Address field, specify the IP of the computer where GFI EventsManager is installed.
- Click Send to begin generating Syslog messages.
Viewing If Syslog Messages Are Being Captured:
- To stop capturing network packets, open Wireshark and click on the Stop button.
- From the Wireshark console, check if Syslog messages were captured by the sniffer.
Conclusion
If you managed to browse the sent messages through the Wireshark console, then your Syslog messages were successfully received. This means that GFI EventsManager should also be able to collect the Syslog messages sent from your sources.
If the network packet sniffer failed to successfully capture Syslog messages, verify that:
- No firewall is blocking the Syslog communication port (default: 514) on the computer where GFI EventsManager is installed.
- Syslog sources are configured to use the computer where GFI EventsManager is running as their Syslog server/target.
If the network packet sniffer did capture Syslog messages, but you still cannot find the Syslog messages in GFI EventsManager verify that:
- No other application is using the Syslog communication port (default: 514) on the computer where GFI EventsManager is installed.
- Check GFI EventsManager > Status > Job Activity > Syslog Message History. This will list the Syslog messages captured by GFI EventsManager. It will also list the ones which were not processed. This may indicate the cause of the problem.
- Ensure that the name of the computer specified in GFI EventsManager > Configuration > Event Sources is exactly the same IP address from where the Syslog messages are originating. This can be checked from the GFI EventsManager > Status > Job Activity > Syslog Message History.