
Before reaching out to Chronicle support, there are a few pre-checks that can be done to make sure the data source was properly added to the forwarder:



  1. Make sure the data label added for the new data source is properly spelled. If it's not properly spelled, you will see an error similar to the one below:

    1. batcher.go:345] [2_syslog_CISCO_FIREWALL-tid-0] Error exporting batch: rpc error: code = InvalidArgument desc = Request contains an invalid argument.

    2. The error message above means that the data label is not correct. The data label added to the configuration file in this case was CISCO_FIREWALL, but the correct data label is CISCO_ASA_FIREWALL. If that is the case, update the configuration file accordingly.

    3. You can obtain a list of the data labels by making the following API call. 

      1. APIKEY="[[My_ApiKey]]"; curl --header "Content-Type: application/json" \
        --request GET "https://malachiteingestion-pa.googleapis.com/v1/logtypes?key=${APIKEY}"





  2. If the data label is spelled correctly, make sure the forwarder was restarted after the configuration file was updated. Every time the configuration file is updated, the forwarder needs to be restarted to pick up the new configuration.

  3. If the correct data label was added and the forwarder was restarted, but you still do not see the logs in the Chronicle UI, make sure the logs are arriving at the forwarder. Use tcpdump to make sure logs are coming through. Also, check that the source is sending data.

    1. Make sure there is no firewall blocking the connection between the log source and the forwarder.

    2. Check that there is no significant clock skew as well. 
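
The label check from step 1, as an added example that is not part of the original article or Chronicle's own tooling: it pulls the data label out of each batch id rejected with InvalidArgument and compares it with a list of valid labels. The batch-id layout is an assumption inferred from the one error line above, and the label list and extra log lines are constructed (EXAMPLE_LOG_TYPE_A is a placeholder).

```sh
#!/bin/sh
# Added example (not Chronicle's tooling): triage rejected forwarder batches.
# Assumption: batch ids look like [<n>_<collector>_<LABEL>-tid-<n>], inferred
# from the single error line quoted on this page.

# Constructed sample log: line 1 is the page's error; the rest are modelled on it.
SAMPLE_LOG='batcher.go:345] [2_syslog_CISCO_FIREWALL-tid-0] Error exporting batch: rpc error: code = InvalidArgument desc = Request contains an invalid argument.
batcher.go:345] [2_syslog_CISCO_FIREWALL-tid-1] Error exporting batch: rpc error: code = InvalidArgument desc = Request contains an invalid argument.
batcher.go:345] [3_syslog_EXAMPLE_LOG_TYPE_A-tid-0] Error exporting batch: rpc error: code = InvalidArgument desc = Request contains an invalid argument.'

# Constructed label list, one per line. EXAMPLE_LOG_TYPE_A is a placeholder.
KNOWN_LABELS='CISCO_ASA_FIREWALL
EXAMPLE_LOG_TYPE_A'

# stdin: forwarder log. stdout: distinct labels of InvalidArgument batches.
rejected_labels() {
  grep 'Error exporting batch' | grep 'code = InvalidArgument' |
    sed -n 's/.*\[[0-9][0-9]*_[a-z][a-z]*_\([A-Z0-9_]*\)-tid-[0-9][0-9]*].*/\1/p' |
    LC_ALL=C sort -u
}

# $1: rejected label, $2: known labels. Prints known labels that contain
# every "_"-separated token of $1 (CISCO_FIREWALL -> CISCO_ASA_FIREWALL).
suggest_labels() {
  bad=$1
  printf '%s\n' "$2" | while IFS= read -r label; do
    ok=1
    for token in $(printf '%s' "$bad" | tr '_' ' '); do
      case "_${label}_" in *"_${token}_"*) ;; *) ok=0 ;; esac
    done
    if [ "$ok" -eq 1 ]; then printf '%s\n' "$label"; fi
  done
}

# $1: log text, $2: known labels. One verdict line per rejected label.
check_labels() {
  known=$2
  printf '%s\n' "$1" | rejected_labels | while IFS= read -r rejected; do
    if printf '%s\n' "$known" | grep -qxF -- "$rejected"; then
      printf '%s: label is in the known list\n' "$rejected"
    else
      hint=$(suggest_labels "$rejected" "$known" | paste -sd, -)
      printf '%s: not a known label; candidates: %s\n' "$rejected" "${hint:-none}"
    fi
  done
}

check_labels "$SAMPLE_LOG" "$KNOWN_LABELS"
```

To use it on real data, pass the forwarder's log text and the labels returned by the API call in step 1, saved one per line.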




If you have done the above steps and still do not see logs on the Chronicle UI, open a support case and we'll be more than happy to assist you. When you open the case, make sure to include the following information:


 



  1. Recent forwarder logs.

  2. The most recent version of the configuration file.

  3. Any error messages you have seen, highlighted.

  4. Any packet captures you have taken.
