How do I troubleshoot agent-collector connectivity issues?

Article ID: 307
Category: Collector Service
Applies to: 3.2 and newer
Updated: 2022-01-21

If you go into the Windows event viewer on your EventSentry server, select the Application log, and look for event 117, 118, 119, 122, or 123 from EventSentry Collector as the source. If these events exist, here are the steps you can take to resolve these error events and allow the agent(s) to connect:

Event 117 - This error is generated because the DNS lookup for the remote agent's host name either failed or returned a different IP address than the agent is currently connected with. Update the DNS records for this agent or change your collector security level from High to Medium.

Event 118 - This error is generated because the remote agent's host name in its operating system does not match any hosts listed in EventSentry. If you have any IP addresses specified for your hosts in EventSentry, neither the host names nor the host IP addresses in EventSentry match the host name and IP address currently being used by the remote agent. Add/Update the host name or IP address in EventSentry or change the collector security level to Basic.

Event 119 - Try doing Restart Agent for the affected machine, or if remote management commands are not available restart the "EventSentry" service while logged onto the affected machine. Sometimes this event is generated along side event 122 where the root problem is that two separate machines have the same UUID value but different shared secrets, resolve event 122 first if that is the case since it almost always resolves event 119 at the same time. If event 122 is not generated, and after doing Restart Agent event 119 still returns, you can click Reset Shared Secrets in the collector security settings and then try Restart Agent again for the affected machine to clear the error.

Event 122 - This error is generated when more than one machine has the same UUID. UUID values are unique, so having them shared across multiple machines is usually caused by cloning, imaging, or deployment templates. To resolve the duplicate UUID value, please try: https://www.eventsentry.com/kb/367 and make sure to restart the "EventSentry" service on the affected machine afterwards.

Event 123 - This error is generated because the collector security settings have the Authorized Networks list configured, or have the Blocked Networks list configured and an IP is either blocked or is not authorized. If the Authorized Networks list is configured, please add the IP range of the affected machine(s) to the Authorized Networks list. If the Blocked Networks list is configured, remove the entry for the affected machine IP, or adjust the IP range of the blocked networks list to not cover the IP of the affected machine(s). Save your changes and restart the EventSentry Collector service for the change to take effect.

If you change the collector security settings in any of these steps, you would need to save the new settings and then click Restart in the collector settings to apply the change.

It is possible that you will not find any of these events on the EventSentry server because the remote agent cannot find the collector to attempt a connection. In that case go into the Windows event viewer on your remote agent server, select the Application log, and look for event 905 from EventSentry as the source. The text of this event will have details of which collector name or IP the agent is attempting to connect to, as well as the port number that the collector connection would use. Please ensure that the agent can resolve the collector name if an IP is not being used for the collector, and please ensure that the agent can access the specified port number for the collector's IP address.