I can see Syslog and/or SNMP packets sent to my machine with a packet sniffer, but EventSentry is not logging the packets to the event log or database

Article ID: 261
Category: Network Services
Applies to: All Versions
Updated: 2014-10-29

A packet sniffer like Microsoft Network Monitor, IPMon+ or Wireshark sees network packets before they are processed by Windows and the Windows Firewall. As such, it is possible that packets are blocked by the Windows Firewall even though they show up in a packet sniffer.

In most cases, adding exceptions to the Windows Firewall will cause the incoming Syslog and/or SNMP traps to show up correctly in EventSentry.

When troubleshooting Syslog/SNMP issues, follow these steps:

  1. Windows Firewall Syslog: Make sure that incoming UDP/TCP traffic to port 514 is allowed
  2. Windows Firewall SNMP: Make sure that incoming UDP traffic to port 162 is allowed
  3. Make sure the EventSentry Network Services service is installed and running
  4. Make sure that the Syslog/SNMP feature is configured to either log to the database or event log
  5. Make sure that the sending IP range is authorized
  6. Using a packet sniffer, ensure that the Syslog/SNMP packets are being received on the host where EventSentry is installed
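The following PowerShell script, added here as an example and not part of EventSentry or the original article, checks steps 1, 2, 3 and 6 on the EventSentry host. It assumes the default ports named above (UDP/TCP 514, UDP 162) and that the service's display name contains "EventSentry Network Services"; steps 4 and 5 are settings inside the EventSentry console and are not verified here.

```powershell
# Added diagnostic script, not part of EventSentry. Assumes the article's default ports
# (Syslog UDP/TCP 514, SNMP traps UDP 162) and that the service's display name contains
# "EventSentry Network Services"; adjust both if your installation differs.
$checks = @(
    @{ Name = 'Syslog';    Protocol = 'UDP'; Port = 514 },
    @{ Name = 'Syslog';    Protocol = 'TCP'; Port = 514 },
    @{ Name = 'SNMP trap'; Protocol = 'UDP'; Port = 162 }
)

# True if a firewall LocalPort entry ("Any", "514", or a range like "500-600") covers $port.
function Test-PortCovered([string[]]$localPorts, [int]$port) {
    foreach ($p in $localPorts) {
        if ($p -eq 'Any') { return $true }
        if ($p -match '^(\d+)-(\d+)$') {
            if ($port -ge [int]$Matches[1] -and $port -le [int]$Matches[2]) { return $true }
        } elseif ($p -eq "$port") { return $true }
    }
    return $false
}

# Steps 1 and 2: an enabled inbound Allow rule must exist for each protocol/port.
$inboundAllow = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True
foreach ($c in $checks) {
    $rules = $inboundAllow | Where-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        ($pf.Protocol -eq $c.Protocol -or $pf.Protocol -eq 'Any') -and (Test-PortCovered $pf.LocalPort $c.Port)
    }
    if ($rules) { "OK    inbound $($c.Protocol)/$($c.Port) ($($c.Name)) allowed by: $($rules.DisplayName -join ', ')" }
    else        { "FAIL  no enabled inbound Allow rule for $($c.Protocol)/$($c.Port) ($($c.Name))" }
}

# Step 3: the Network Services service must be installed and running.
$svc = Get-Service -DisplayName '*EventSentry Network Services*' -ErrorAction SilentlyContinue
if (-not $svc)                     { 'FAIL  EventSentry Network Services is not installed' }
elseif ($svc.Status -ne 'Running') { "FAIL  $($svc.DisplayName) is $($svc.Status)" }
else                               { "OK    $($svc.DisplayName) is running" }

# Complements step 6: confirm that a process on this host actually has each port open.
foreach ($c in $checks) {
    $ep = if ($c.Protocol -eq 'UDP') { Get-NetUDPEndpoint -LocalPort $c.Port -ErrorAction SilentlyContinue }
          else { Get-NetTCPConnection -LocalPort $c.Port -State Listen -ErrorAction SilentlyContinue }
    if ($ep) {
        $owner = ($ep | ForEach-Object { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName } | Select-Object -Unique) -join ', '
        "OK    $($c.Protocol)/$($c.Port) is open locally by: $owner"
    } else { "FAIL  nothing is listening on $($c.Protocol)/$($c.Port) on this host" }
}
```

Run it in an elevated PowerShell session on the EventSentry host; a FAIL on the listener check while the service is running usually points at a port conflict with another process, which the owner name in the OK line helps identify.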

If incoming packets are still not processed and/or logged, click on "Network Services" in the management console and set the "Debug Level" to "Trace", save the configuration and restart the service. After Syslog/SNMP packets have been sent by one or more devices, contact EventSentry support.