Troubleshoot Reporting Components Checklist

The checklists in this section can help you troubleshoot issues with the reporting components.

To check for issues with endpoint, confirm the following:

eventlog service running
eventfwd service running
reapsysl service running
eventfwd service properly configured
Collector name resolvable and address reachable
Collector principal properly set
/etc/syslog.conf properly configured
Events present in local event log (test with eventlog-cli)
eventfwd service seems to forward messages properly (run from command line to test)
Firewall not blocking RPC access of collector server

To check for issues with the collection servers, confirm the following:

BTCollector service running
BTEventDBReaper service running
Events present in local collector database (test with BTCollector-cli)
BTEventDBReaper properly configured (test with BTEventDBReaper /s)
Database provider and connection string properly set
Collector ACL allows endpoints to write to it (set with Event Management Console)
Collector machine account has sufficient privileges to write to database (member of ADB_Collectors)
No unusual errors in Windows event log (run eventvwr.exe)
Firewall not blocking incoming RPC connections or outgoing database connections

To check for issues with the database, confirm the following:

Can connect to the database with SQL Server Management Studio
Events table contains events
EventsWithOUName view contains events
Database security set to allow writing by collection servers, by ADB_LDBUpdate and by ADB_DB_Administrators
ldbupdate utility recently run to account for new endpoints joined to AD
Firewall not blocking incoming database connection

To check for issues with the Windows reporting components, confirm the following: