Help Document

Troubleshooting tips

Configuration

  1. While adding device for monitoring, the 'Verify Login' action throws RPC server unavailable error
  2. While adding device for monitoring, the 'Verify Login' action throws 'Access Denied' error.
  3. When WBEM test is carried out. it fails and shows error message with code 80041010 in Windows Server 2003.
  4. Port management error codes
  5. The event source file(s) configuration throws the "Unable to discover files" error.
  6. Microsoft 365 - Audit Logging must be turned on to fetch data
  7. Microsoft 365 - Invalid Application Password.
  8. Microsoft 365 - Missing Microsoft Entra ID application.
  9. Microsoft 365 - Missing Microsoft Entra ID application scope or permission.
  10. Logs for the configured FIM device are unavailable.

Log Collection and Reporting

  1. I've added a device, but Log360 Cloud Agent is not collecting event logs from it
  2. I get an Access Denied error for a device when I click on "Verify Login" but I have given the correct login credentials
  3. The Syslog host is not added automatically to Log360 Cloud Agent/the Syslog reception has suddenly stopped
  4. Agent upgrade failed. What should I do?
  5. Autolog forwarding failed. What should I do?
  6. Authentication failure due to missing Trusted Root CA certificate (Curl 60). How can I fix it?
  7. What should I do if the agent status shows "Agent not communicating" or "Sync Failed"?
  8. Agent sync delayed or Service status unavailable status. What should I do?

Configuration

1. While adding device for monitoring, the 'Verify Login' action throws RPC server unavailable error

The probable reason and the remedial action is:

Probable cause: The device machine RPC (Remote Procedure Call) port is blocked by any other Firewall.

Solution: Unblock the RPC ports in the Firewall.

2. While adding device for monitoring, the 'Verify Login' action throws 'Access Denied' error.

The probable reasons and the remedial actions are:

Probable cause: The device machine is not reachable from Log360 Cloud Agent machine.

Solution: Check the network connectivity between device machine and Log360 Cloud Agent machine, by using PING command.

Probable cause: The device machine running a System Firewall and REMOTEADMIN service is disabled.

Solution: Check whether System Firewall is running in the device. If System Firewall is running, execute the following command in the command prompt window of the device machine:

netsh firewall set service type=REMOTEADMIN mode=ENABLE profile=all

3. When WBEM test is carried out. it fails and shows error message with code 80041010 in Windows Server 2003.

The probable reasons and the remedial actions are:

Probable cause: By default, WMI component is not installed in Windows 2003 Server

Solution: Win32_Product class is not installed by default on Windows Server 2003. To add the class, follow the procedure given below:

  • In Add or Remove Programs, click Add/Remove Windows Components.
  • In the Windows Components Wizard, select Management and Monitoring Tools, then click Details.
  • In the Management and Monitoring Tools dialog box, select WMI Windows Installer Provider and then click OK.
  • Click Next.

4. Port management error codes

The following are some of the common errors, its causes, and the possible solution to resolve the condition. Feel free to contact our support team for any information.

Port already used by some other application

Cause: Cannot use the specified port because it is already used by some other application.

Solution: This can be solved either by changing the port in the specified application or by using a new port.

If you use a new port, make sure to change the ports in the forwarding device either manually or using auto log forwarding configuration.

5. The event source file(s) configuration throws the "Unable to discover files" error.

Possible remedial actions include:

  • Check the credentials of the machine.
  • Check the connectivity of the device.
  • Ensure that the remote registry service is not disabled.
  • The user should have admin privileges.
  • The open keys and keys with sub-keys cannot be deleted.

6. Microsoft 365 - Audit Logging must be turned on to fetch data

To turn on Audit Logging, follow either of these two steps.

  1. Turn on audit logging through the Microsoft 365 portal.
    • Log in to the Microsoft 365 Portal and navigate to the Admin tab.
    • Go to Admin centers > Compliance. Navigate to Solutions > Audit. Alternatively, you can go directly to the Audit page by using Audit Log Search.
    • If auditing is not turned on for your organization, a banner will be displayed prompting you to start recording user and admin activity.
    • Select the Start recording user and admin activity banner. (Note: It may take up to 60 minutes for the change to take effect.)

  2. Turn on audit logging through PowerShell
    • Run the following cmdlets in PowerShell.
    • $UserCredential = Get-Credential;$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection;Import-PSSession $Session -CommandName Set-AdminAuditLogConfig
    • Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled:$True
    • Remove-PSSession $Session

7. Microsoft 365 - Invalid Application Password.

Cause: This error message is shown if the application password entered has been deleted or expired.

Solution: Create a new application password and update the same in the product's tenant settings.

8. Microsoft 365 - Missing Microsoft Entra ID application.

Cause: This error message is shown if the Microsoft Entra ID application is deleted.

Solution: Configure a new application in the Azure portal. Follow the steps listed here to configure your application, manually.

9. Microsoft 365 - Missing Microsoft Entra ID application scope or permission.

  • Update the necessary permissions in the application.
  • You can check and update permissions by navigating to Tenant Settings > Rest API Access > Update Permissions.

10. Logs for the configured FIM device are unavailable.

file-integrity-monitoring

Log Collection and Reporting

1. I've added a device, but Log360 Cloud Agent is not collecting event logs from it

Probable cause: The client machine is not reachable from the agent.

Solution: Check if the device machine responds to a ping command. If it does not, then the machine is not reachable. The device machine has to be reachable from the Log360 Cloud Agent in order to collect event logs.

Probable cause: You do not have administrative rights on the device machine

Solution: Edit the device's details, and enter the Administrator login credentials of the device machine. Click Verify Login to see if the login was successful.

Error Code 0x251C

Probable cause: The device was added when importing application logs associated with it. In this case, only the specified application logs are collected from the device, and the device type is listed as unknown.

Solution:

  1. Click on the update icon next to the device name.
  2. Select the appropriate device type.
  3. Provide any other required information for the selected device type.
  4. Click on update.

2. I get an Access Denied error for a device when I click on "Verify Login" but I have given the correct login credentials

Probable cause: There may be other reasons for the Access Denied error.

Solution: Refer the Cause and Solution for the Error Code you got during Verify login.

Error Code 00x80070005

Scanning of the Windows workstation failed due to one of the following reasons:

  1. The login name and password provided for scanning is invalid in the workstation.

    2. Solution: Check if the login name and password are entered correctly.

  2. Remote DCOM option is disabled in the remote workstation

    3. Solution: Check if Remote DCOM is enabled in the remote workstation. If not enabled, then enable the same in the following way:

    • Select Start → Run.
    • Type dcomcnfg in the text box and click OK.
    • Select the Default Properties tab.
    • Select the Enable Distributed COM in this machine checkbox.
    • Click OK.

    To enable DCOM on Windows XP devices:

    • Select Start → Run
    • Type dcomcnfg in the text box and click OK
    • Click on Component Services → Computers → My Computer
    • Right-click and select Properties
    • Select the Default Properties tab
    • Select the Enable Distributed COM in this machine checkbox
    • Click OK
    • User account is invalid in the target machine.

      • Solution: Check if the user account is valid in the target machine by opening a command prompt and executing the following commands:

      net use \<RemoteComputerName>C$ /u:<DomainNameUserName> "<password>"

      net use \<RemoteComputerName>ADMIN$ /u:<DomainNameUserName> "<password>"

      If these commands show any errors, the provided user account is not valid on the target machine.

      Error Code 0x80041003

      The user name provided for scanning does not have sufficient access privileges to perform the scanning operation. This user may not belong to the Administrator group for this device machine.

      Solution: Move the user to the Administrator Group of the workstation or scan the machine using an administrator (preferably a Domain Administrator) account.

      Error Code 0x800706ba

      A firewall is configured on the remote computer. Such exceptions mostly occur in Windows XP (SP 2), when the default Windows firewall is enabled.

      Solution:

      • Disable the default Firewall in the Windows XP machine:
        • Select Start → Run.
        • Type Firewall.cpl and click OK.
        • In the General tab, click Off.
        • Click OK.
      • If the firewall cannot be disabled, launch Remote Administration for administrators on the remote machine by executing the following command:

        • netsh firewall set service RemoteAdmin

        After scanning, you can disable Remote Administration using the following command:

        netsh firewall set service RemoteAdmin disable

      Error Code 0x80040154

      • WMI is not available in the remote windows workstation. This happens in Windows NT. Such error codes might also occur in higher versions of Windows if the WMI Components are not registered properly.

        • Solution: Install WMI core in the remote workstation.

      • Register the WMI DLL files by executing the following command in the command prompt:

        • winmgmt /RegServer.

      Error Code 0x80080005

      There is some internal execution failure in the WMI service (winmgmt.exe) running in the device machine. The last update of the WMI Repository in that workstation could have failed.

      Solution: Restart the WMI Service in the remote workstation:

      • Select Start → Run.
      • Type Services.msc and click OK.
      • In the Services window that opens, select Windows Management Instrumentation service.
      • Right-click and select Restart.

    For any other error codes, refer the MSDN knowledge base.

Error Code 1722, 1726, 1753, 1825

Probable cause: The device machine RPC (Remote Procedure Call) port is blocked by any other Firewall.

Solution: Unblock the RPC ports in the Firewall.

3. The Syslog host is not added automatically to Log360 Cloud Agent/the Syslog reception has suddenly stopped

If you are able to view the logs, it means that the packets are reaching the machine, but not to Log360 Cloud Agent. You need to check your Windows firewall or Linux IP tables.

To check if the Log360 Cloud Agent server is reachable, follow the steps given below.

  • Ping the server.
  • For TCP, you can try the command telnet <Log360 Cloud Agent_server_name> <port_no> where 514 is the default TCP port.
  • tcpdump

    • tcpdump -n dst <Log360 Cloud Agent_server_name> and dst port <port_no>

    If reachable, it means there was some issue with the configuration. If not reachable, then you are facing a network issue.

4. Agent upgrade failed. What should I do?

Causes

  • No connectivity with the agent during product upgrade.
  • Prerequisite URLs are not whitelisted. See prerequisite page.
  • Insufficient read, write, and modify permissions for files in the "C:\ProgramData" folder.
  • Insufficient access/read/write permissions for registry keys under

    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\ZOHO Corp\Log360Cloud or HKEY_LOCAL_MACHINE\SOFTWARE\ZOHO Corp\Log360Cloud.

  • Authentication failure due to a missing Trusted Root CA certificate.

Solutions

Manually install the agent by navigating to the Manage Agent page.

To install agent:

Windows device: Run the Log360CloudAgent.msi. For detailed steps on how to installed an agent, please click here.

5. Auto log forwarding failed. What should I do?

Auto log forwarding may fail due to any of the three reasons below.

  1. Invalid credentials - Username/password (root password) used to establish the SSH connection may be invalid.
  2. Device not found - the device which you tried to configure may not be available in the network.
  3. Failure in establishing an SSH connection - SSH may be disabled in that device the user is trying to configure.

6. Authentication failure due to missing Trusted Root CA certificate (Curl 60). How can I fix it?

  • Ensure all prerequisite URLs are whitelisted.
  • Make sure the latest OS security patch is applied on the agent machine for up-to-date trusted root certificates. (Why is this needed? - Refer Microsoft KB). Incase the latest security patch cannot be installed due to any reasons, follow the below steps to manually install the required certificates alone.
    • Step1 - In the machine where the agent is facing this issue, launch Run, type certlm.msc and hit Enter.
    • Step2 - Find Trusted Root Certification Authorities in the window that appears.
    • Step3 - Search for USERTrust RSA Certification Authority. In case the certification is present, the cause for failed authentication could be due to a different reason. Kindly contact our support team to resolve it.
    • Step4 - If the USERTrust RSA Certification Authority certificate is not found then download this certificate & import it into Trusted Root Certification Authorities store.
    • Step5 - Restart the agent to check if the connectivity issue is resolved. If not, kindly contact our support team to resolve it.
  • If above steps didn't help, reinstall the latest version of the Log360 Cloud agent.

7. What should I do if the agent status shows "Agent not communicating"?

Agent not communicating status indicates an extended period without communication between the agent and the server.

To resolve this issue, follow these steps:

  • Ensure the Log360 Cloud server is accessible from the agent device.
  • Verify if the URL's mentioned in this page are whitelisted.
  • Check if any antivirus or firewall is blocking the communication between the server and the agent. If so, provide an exclusion for the Log360 Cloud agent in the antivirus software.
  • Ensure the Log360 Cloud Agent service is running, and start it if necessary.
Note: If the issue persists, contact support for further assistance.

8. Agent sync delayed or Service status unavailable status. What should I do?

Causes

  • Network connectivity issues on the agent machine.
  • The agent service is not running.
  • Firewall or antivirus software is blocking the connection.
  • Authentication failure due to a missing Trusted Root CA certificate

© 2024 Zoho Corporation Pvt. Ltd. All rights reserved.