Problems getting the Log Receiver / ILA to function properly

Last modified on 6 Apr, 2021. Revision 7
Up to date for: 2.40.00
Status: OK
Author: Peter Nilsson

Question:

My ILA/Log Receiver is not receiving any logs from my Firewalls and I cannot run any log data queries. How can I troubleshoot this?

Answer:

There are several steps to follow in order for the Log Receiver to be able to receive logs from a Firewall, so there may be more than one problem at the same time hindering the logs from being properly received by the Log Receiver.

Below is a check-list you can use to try to locate the problem:

  1. Make sure that your Firewalls are added to the ILA configuration as a registered Firewall.
  2. Make sure that the required .NET version is installed (currently at the time of the article it is version 4.7.2).
    1. This should be done automatically since version 2.30.xx when running the InControl program installer.
  3. Make sure that the Log Receiver service / ILA is running on the Log Receiver Machine.
  4. Make sure that the Log Receiver service / ILA has sufficient write access rights in the target log storage area.
  5. Make sure that the required ports are open on the Log Receiver Machine's Firewall (e.g. the Windows Firewall).
    1. The ports that need to be opened are:
      1. Port 999 UDP – This is used by the Firewall to send logs to the Log Receiver.
      2. Port 5555 TCP – This is used by the InControl Server to communicate with the Log Receiver / ILA: making configuration changes, doing log data cube inquiries etc.
    2. Make sure that there is nothing between the Firewall and the Log Receiver Machine that blocks the incoming UDP log packets from the Firewall. These traverse UDP port 999 as specified in previous steps.
    3. Sending logs directly over the internet is not advisable, as UDP packets carry no verification that the packet actually arrives, so there is no guarantee that the log database contains all the logs. If you do want to send them over the internet because the Firewall and Log Receiver are located at different geographical locations, it is recommended to encapsulate the logs in e.g. an IPsec tunnel.
  6. Make sure that the Firewall is configured correctly and that log connections are being created towards the Log Receiver Machine. You can check this on the Firewall using the command "connections -show -destip=<LogReceiverIP> -protocol=udp".
  7. If the Firewall sending the logs is being NAT'ed by something, the ILA will reject the packets as they are arriving from a source IP address not specified in the log data (Internal note : ICC-5130). If you want to use NAT to send the firewall logs to InControl you have to use Reverse Netcon/Device Initiated netcon in order for it to work.
  8. Additional information about what the Log Receiver / ILA is doing can be provided by:
    1. Stopping the Log Receiver / ILA service first.
    2. Start the Log Receiver or ILA using the following syntax example "ILA.exe /debug".
      1. Optionally: in case you need help from Clavister support, redirecting the output to a file and then sending that file to Clavister support can be useful: "ILA.exe /debug >log.txt".
    3. Default path for the ILA program related logs: "C:\ProgramData\Clavister\InControl\LoggingAgent\Data\Default\Logs\LoggingAgent"
    4. Default path for the Log Receiver program logs: "C:\ProgramData\Clavister\InControl\LoggingAgent\Data\Default\Logs\LogReceiver"
    5. In any of the instances where you suspect that a port is blocked, you can always use PCAP/Wireshark to perform some packet captures on e.g. the Log Receiver Machine to see if packets are arriving from the expected source IP(s).
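As an added example (not part of this article, and not a Clavister tool), the following PowerShell script automates checklist items 3, 4 and 5 on the Log Receiver Machine: it checks that the service is running, that a file can be written to the log storage area, and that something is listening on UDP 999 and TCP 5555 with a matching enabled inbound allow rule in the Windows Firewall. The service name filter and the log storage path are placeholders that must be adjusted to the installation, and the write test runs as the current user, not as the service account.

```powershell
# Added example, not from the article: host-side checks for items 3, 4 and 5.
# Run in an elevated PowerShell on the Log Receiver Machine.
# PLACEHOLDERS (adjust to your installation): the service name filter and the
# target log storage folder are not given in the article.
$ServiceFilter  = '*Clavister*'        # placeholder: match the ILA / Log Receiver service
$LogStoragePath = 'D:\ILA\LogStorage'  # placeholder: the configured log storage area
$Expected = @(
    @{ Port = 999;  Protocol = 'UDP'; Purpose = 'Firewall -> Log Receiver log stream' },
    @{ Port = 5555; Protocol = 'TCP'; Purpose = 'InControl Server -> Log Receiver / ILA' }
)

function Write-Check([string]$Name, [bool]$Ok, [string]$Detail) {
    $mark = if ($Ok) { 'OK  ' } else { 'FAIL' }
    Write-Host ("[{0}] {1}: {2}" -f $mark, $Name, $Detail)
}

# Item 3: is the service installed and running?
$svc = Get-Service | Where-Object { $_.DisplayName -like $ServiceFilter }
if (-not $svc) { Write-Check 'Service' $false "no service matches $ServiceFilter" }
foreach ($s in $svc) { Write-Check 'Service' ($s.Status -eq 'Running') "$($s.DisplayName) is $($s.Status)" }

# Item 4: can a file be created and removed in the log storage area?
# Note: this tests the current user; the service account may have different rights.
$probe = Join-Path $LogStoragePath ([System.IO.Path]::GetRandomFileName())
try {
    New-Item -Path $probe -ItemType File -ErrorAction Stop | Out-Null
    Remove-Item -Path $probe -ErrorAction Stop
    Write-Check 'Storage write' $true "created and removed a probe file in $LogStoragePath"
} catch {
    Write-Check 'Storage write' $false "$LogStoragePath : $($_.Exception.Message)"
}

# Item 5: is something listening on each expected port, and does an enabled
# inbound allow rule for it exist in the Windows Firewall?
foreach ($e in $Expected) {
    if ($e.Protocol -eq 'UDP') {
        $listening = [bool](Get-NetUDPEndpoint -LocalPort $e.Port -ErrorAction SilentlyContinue)
    } else {
        $listening = [bool](Get-NetTCPConnection -LocalPort $e.Port -State Listen -ErrorAction SilentlyContinue)
    }
    Write-Check 'Listener' $listening ("{0}/{1} ({2})" -f $e.Protocol, $e.Port, $e.Purpose)

    $rules = Get-NetFirewallPortFilter -Protocol $e.Protocol |
        Where-Object { $_.LocalPort -contains "$($e.Port)" } |
        Get-NetFirewallRule |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' }
    Write-Check 'Firewall rule' ([bool]$rules) ("inbound allow for {0}/{1}: {2}" -f $e.Protocol, $e.Port, (($rules.DisplayName) -join ', '))
}
```

A FAIL on the listener check with the service reported as Running points at the service binding or a crash at startup, which is where "ILA.exe /debug" from item 8 helps; a FAIL only on the firewall rule check means packets reach the host but are dropped before the service sees them.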
