Troubleshooting

Steps for troubleshooting when logs forwarded via rsyslog are not being updated in Forcepoint ONE SSE.

Steps

  1. Is rsyslog running?
    Check the service status.
  2. Is data reaching rsyslog? Either the network input is receiving traffic, or the source file being read contains log lines. If reading from a file that does contain logs, confirm that the rsyslog process has permission to read it.
    Check the status of open sockets (for example with ss) or use a tool such as tcpdump to confirm incoming traffic on UDP port 514.
  3. Is traffic leaving the server?
    Check the status of open sockets or use tcpdump to see whether a connection is established to syslog.bitglass.com. A socket that stays in SYN-SENT, or no socket at all, means the outbound traffic is blocked: check the firewall settings on the server as well as on the network equipment in the path.
  4. Is SSL/TLS client authentication working?
    Use tcpdump and watch the handshake to ensure the client sends its certificate to the Forcepoint ONE SSE server. Note that the Certificate message is visible in a capture only for TLS 1.2 and earlier; TLS 1.3 encrypts it, so in that case rely on rsyslog's own debug output (for example running rsyslogd -dn in the foreground) to confirm the client certificate is being presented.
  5. Is the Token ID correct?
    If the SSL/TLS connection is established with client authentication, then closes, and a new connection is immediately opened (a connect/close/reconnect loop), the token is the likely cause. Additionally, check that the message format is RFC compliant and that the (o) option is specified on the forwarding target for TCP framing.
  6. If all of the above looks ok, contact Forcepoint Support.
  7. rsyslog is running and logs are arriving and populating the working directory, but are NOT being sent to Forcepoint ONE SSE.
    It is likely that the rsyslog-gssapi and rsyslog-gnutls packages are not installed. In this condition rsyslog appears to fail silently. Install both packages and restart the server to verify whether the issue was due to the missing modules. A restart is required: the modules are only loaded when rsyslog starts.
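The checks in steps 1, 2, 3 and 7 can be scripted. The following shell script is an added example, not Forcepoint's or rsyslog's own tooling. It assumes a Linux host where systemd manages the rsyslog service, the ss and getent utilities are present, the input is bound to UDP 514, and the TLS/GSSAPI modules ship as packages named rsyslog-gnutls and rsyslog-gssapi (rpm or dpkg). The parsing functions take command output as text, so they can be exercised against constructed sample lines; steps 4 and 5 need a packet capture and are printed as the command to run rather than automated.

```shell
#!/bin/sh
# Added example (not Forcepoint's or rsyslog's own code): scripted version of
# steps 1, 2, 3 and 7 above. Assumptions: systemd manages the rsyslog service,
# ss/getent are available, the input listens on UDP 514, and the TLS/GSSAPI
# modules ship as packages named rsyslog-gnutls and rsyslog-gssapi.
# The parsing functions take command output as text, so they can be run
# against constructed sample lines without touching the live system.

DEST_HOST="syslog.bitglass.com"   # destination named in the steps above

# Step 1: is the rsyslog service active?
rsyslog_running() { systemctl is-active --quiet rsyslog; }

# Step 2: given the output of `ss -lun`, is any socket bound to UDP 514?
# Matches IPv4 (0.0.0.0:514) and IPv6 ([::]:514) listeners, not 5140/5514.
has_udp514_listener() {
    printf '%s\n' "$1" | grep -Eq '^UNCONN[[:space:]].*:514[[:space:]]'
}

# Step 3: given the output of `ss -tn` and a peer IP, is there an ESTAB
# socket whose peer address (5th column) is that IP? SYN-SENT lines, which
# indicate traffic being dropped by a firewall, do not count.
has_established_to() {
    printf '%s\n' "$1" | awk -v ip="$2" \
        '$1 == "ESTAB" && index($5, ip ":") == 1 { found = 1 } END { exit !found }'
}

# Step 7: given a newline-separated list of installed package names, print
# the rsyslog module packages that are missing and return 1 if any are.
missing_rsyslog_modules() {
    missing=""
    for pkg in rsyslog-gnutls rsyslog-gssapi; do
        printf '%s\n' "$1" | grep -qx "$pkg" || missing="$missing $pkg"
    done
    [ -z "$missing" ] || { printf '%s\n' "${missing# }"; return 1; }
}

# Package list from whichever package manager the host uses (rpm or dpkg).
installed_packages() {
    if command -v rpm >/dev/null 2>&1; then
        rpm -qa --qf '%{NAME}\n'
    elif command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f='${Package}\n'
    fi
}

# Live run of the checks against this host.
run_checks() {
    if rsyslog_running; then echo "1. rsyslog is running"
    else echo "1. FAIL: rsyslog is not running"; fi

    if has_udp514_listener "$(ss -lun)"; then echo "2. UDP 514 listener present"
    else echo "2. FAIL: nothing bound to UDP 514 (check the imudp input)"; fi

    ip=$(getent hosts "$DEST_HOST" | awk '{ print $1; exit }')
    if [ -n "$ip" ] && has_established_to "$(ss -tn)" "$ip"; then
        echo "3. connection to $DEST_HOST ($ip) is established"
    else
        echo "3. FAIL: no ESTAB socket to $DEST_HOST (check DNS, host firewall, network ACLs)"
    fi

    echo "4/5. capture the handshake and watch for a connect/close/reconnect loop:"
    echo "     tcpdump -ni any host $DEST_HOST and tcp"

    if miss=$(missing_rsyslog_modules "$(installed_packages)"); then
        echo "7. rsyslog-gnutls and rsyslog-gssapi are installed"
    else
        echo "7. FAIL: missing packages: $miss (install, then restart rsyslog)"
    fi
}

# Only touch the live system when explicitly asked: sh check_rsyslog.sh --run
if [ "${1:-}" = "--run" ]; then run_checks; fi
```

Run it as root (or with enough privilege for ss to show peer addresses) with the --run argument; each failing step maps directly to the numbered step above, and the packet capture command printed for steps 4 and 5 is the same tcpdump check the steps describe.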