In order for live syslog data to be imported, ensure:
- Barracuda Web Filter is active:
Clients on your network are actively browsing the web and being filtered by Barracuda Web Filter.
- Syslog Server is the Fastvue IP:
You have specified the Fastvue Reporter server as a syslog server in Advanced | Syslog | Web Traffic Syslog (Double check the IP address used). Run an 'ipconfig' command on the Fastvue Server to check the IP.
- Make sure the log format is NOT W3C
On your Barracuda Web Filter, go to Advanced | Syslog | Web Filter Syslog and make sure the 'Use W3C format' option is set to No (we don't support the W3C format, yet).
- Verify Logging
In Advanced | Syslog | Web Filter Syslog, click Monitor Syslog to make sure your Barracuda Web Filter is actively logging traffic.
- Fastvue Source Settings are correct:
You have added the Barracuda Web Filter as a Source in Fastvue Reporter (Settings | Sources) using the correct name or IP address. Ensure the IP address is the interface that the Fastvue Server is actually connected to (e.g. if the Fastvue server is in your internal network, specify the Web Filter's internal interface).
- No routing issues between Barracuda Web Filter and the Fastvue server:
The Fastvue Server and the Barracuda Web Filter source are in the same subnet, or there is a router between the subnets configured to allow syslog traffic through. If there is a router between the two servers, careful attention needs to be paid to how that router handles the traffic, whether there's a NAT involved, whether that router is the default gateway for both machines etc.
- Syslog port is correct:
The syslog port specified in Settings | Sources is 514.
- No firewall issues:
There is nothing blocking port 514 on the Fastvue Reporter machine, or in between the Fastvue Reporter machine and the Barracuda Web Filter. See our article on Opening the Syslog Port in Windows Firewall for more information.
- No port conflict:
There is no port conflict on port 514 with another application or service on the Fastvue Reporter machine (see below).
- Restart the Syslog service on the Barracuda device.
We have seen an occasion where everything was set up correctly, but the Fastvue machine was still not receiving syslog data (verified with Wireshark). This issue was resolved by restarting the syslog service on the Barracuda Web Filter. We recommend contacting Barracuda Support for steps on how to do this.
Troubleshooting Port Conflicts
To find out whether there is a port conflict on the Fastvue Reporter machine for port 514, open a command prompt and enter:
netstat -ano | find "514"
This will list all the processes on the machine using port 514 (it may also include other processes that have a substring of 514). Note the Process ID, and then open Task Manager and go to the Services tab. You should be able to identify the other process by looking for the matching Process ID (PID).
Unfortunately Barracuda Web Filter does not allow the syslog port to be changed. If there is another process listening on Port 514, the only solution is to stop that other process (may require an uninstall of the syslog application), or install Fastvue Reporter on another machine where a conflict will not occur.
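The same check can be done in PowerShell with an exact port match, which avoids the substring false positives of the netstat filter and resolves the PID to its service without Task Manager. This is an added example, not a Fastvue-supplied script; it assumes Windows 8 / Server 2012 or later (NetTCPIP module) and an elevated prompt, and it checks both UDP and TCP because the transport is not stated above.

```powershell
# Added example: list every process bound to syslog port 514 on this machine.
$port = 514

# -LocalPort matches the port number exactly, so PIDs or ports that merely
# contain "514" (e.g. 5140, 15514) are not returned.
$udp = Get-NetUDPEndpoint -LocalPort $port -ErrorAction SilentlyContinue |
    Select-Object @{n = 'Protocol'; e = { 'UDP' } }, LocalAddress, OwningProcess
$tcp = Get-NetTCPConnection -LocalPort $port -State Listen -ErrorAction SilentlyContinue |
    Select-Object @{n = 'Protocol'; e = { 'TCP' } }, LocalAddress, OwningProcess

$listeners = @($udp) + @($tcp) | Where-Object { $null -ne $_ }

if (-not $listeners) {
    Write-Output "Nothing is bound to port $port on this machine."
}
else {
    foreach ($l in $listeners) {
        # Resolve the owning PID to a process name and to any Windows
        # services hosted in that process (the Task Manager "Services" tab view).
        $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
        $svcs = Get-CimInstance -ClassName Win32_Service -Filter "ProcessId = $($l.OwningProcess)"

        [pscustomobject]@{
            Protocol     = $l.Protocol
            LocalAddress = $l.LocalAddress
            ProcessId    = $l.OwningProcess
            Process      = $proc.ProcessName
            Services     = ($svcs.Name -join ', ')
        }
    }
}
```

Any row that does not belong to Fastvue Reporter is the conflicting listener; a row bound to a single LocalAddress rather than 0.0.0.0 or :: only conflicts on that interface.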
Further Troubleshooting
If all of the above checks out, you can enable full diagnostic logging to log all syslog messages received (regardless of whether they are processed by Fastvue Reporter) to the 'Dashboard.log' file (location shown in Settings | Diagnostic).
- Go to Settings | Diagnostic and increase the logging level to Full.
- Let the software run for five minutes, and then zip and upload the Dashboard.log file to http://www.fastvue.co/upload. The log should contain some diagnostic information to help us troubleshoot this for you.
- As this logging level will grow the Dashboard.log significantly over time, set the logging level back to Normal.