Symptoms
- Third-party logs are missing from the XDR Data Explorer.
- The Log Repository or Collector status is marked as "Unhealthy."
- Ingestion metrics in the Data Monitoring dashboard show zero activity.
Common Error Messages
- "Unusual data source and log collection status" notification.
- Connection refused/timeout during telnet or netcat tests.
- Invalid syslog format errors in local service gateway text logs.
The most effective way to ensure log ingestion is to align the Log Source's transmission protocol (TCP/TLS) and port with the specific Collector settings in TrendAI Vision One.
What is the Root Cause of Log Collection Failures?
Log ingestion typically fails due to network communication blocks or configuration mismatches between the log-sending device and the Service Gateway. Common causes include:
- Protocol Mismatch: The source is sending UDP while the Collector accepts only TCP or TLS.
- Firewall Blocks: Network traffic is blocked on ports 6514 through 6533 between the log source and the Service Gateway.
- Certificate Issues: The Service Gateway is presenting a certificate the log source does not trust for TLS connections.
How to Verify End-to-End Functionality?
Confirming functionality requires a systematic check from the log source to the cloud repository:
- Check the Log Source: Verify that the third-party device is successfully sending logs without local errors.
- Verify Service Gateway Health: Navigate to Service Gateway Management and ensure the "Third-Party Log Collection Service" is Healthy.
- Monitor Ingestion Volume: Check Data Source and Log Management > Data Monitoring for an uptick in the Data Ingestion widget.
- Run a Test Query: Go to XDR Data Explorer > Third-Party Logs and search for your source IP (e.g., src: 192.168.1.1).
How to Fix Common Connection Issues: A Step-by-Step Guide
Follow these steps if logs are not appearing as expected in TrendAI Vision One:
- Perform a Connectivity Test: Run a ping, telnet, or netcat test from the Log Source to the Service Gateway IP using the assigned port (6514-6533). Ping only confirms the host is reachable; use telnet or netcat against the assigned port to confirm the TCP path itself is open.
- Validate Sender IP: Ensure the "Data Source IP Address" in the Collector settings matches the egress IP (or NAT IP) of the log source.
- Reset the Service: If the service status is unhealthy, go to Service Gateway Management > [Your Gateway] > Installed Services, then disable and re-enable the Third-Party Log Collection Service.
- Check Syslog Format: Ensure the source is sending in CEF or Syslog format; logs with incorrect formatting are automatically dropped.
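The connectivity and format checks above, as an added example written for this article (not Trend Micro code): a small Python helper that checks a CEF record is well-formed before sending and probes the Service Gateway on the assigned port over TCP or TLS, reporting the same conditions (connection refused, timeout, untrusted certificate) the steps describe. The hostname, port and CA file path are placeholders you replace with your own.

```python
"""Probe a Service Gateway third-party log collector and build a valid CEF test record.
Added example for this troubleshooting guide; host, port and cafile are placeholders."""
import re
import socket
import ssl
from datetime import datetime, timezone

# CEF header: CEF:Version|Vendor|Product|DeviceVersion|SignatureID|Name|Severity|Extension
# The collector drops lines that do not parse, so check before sending.
# (Escaped pipes inside header fields are not handled by this simple check.)
CEF_RE = re.compile(r"^CEF:0\|(?:[^|]*\|){6}.*$")


def build_cef_syslog(hostname, vendor, product, sig_id, name, severity, extension=""):
    """Return one RFC 5424 syslog line whose MSG part is a CEF:0 record."""
    cef = "CEF:0|%s|%s|1.0|%s|%s|%d|%s" % (vendor, product, sig_id, name, severity, extension)
    ts = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    # PRI=14 (user.info), VERSION=1, then HOSTNAME APP-NAME PROCID MSGID SD MSG
    return "<14>1 %s %s %s - - - %s" % (ts, hostname, product, cef)


def is_valid_cef(line):
    """True if the syslog line carries a well-formed CEF:0 record."""
    idx = line.find("CEF:0|")
    return idx >= 0 and CEF_RE.match(line[idx:]) is not None


def probe_collector(host, port, use_tls=False, cafile=None, timeout=5.0, test_line=None):
    """Open a TCP (optionally TLS) connection to the collector and send an optional test line.
    Returns "ok" or a short status string mapping to the failure modes in this guide."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            sock = raw
            if use_tls:
                # cafile: the CA that signed the gateway certificate; None uses system trust
                ctx = ssl.create_default_context(cafile=cafile)
                sock = ctx.wrap_socket(raw, server_hostname=host)
            if test_line:
                sock.sendall((test_line + "\n").encode())
            return "ok"
    except ConnectionRefusedError:
        return "connection refused"      # port closed or collection service unhealthy
    except socket.timeout:
        return "timeout"                 # firewall dropping 6514-6533, or wrong gateway IP
    except ssl.SSLError as exc:
        return "tls error: %s" % exc.reason   # gateway certificate not trusted by this host
    except OSError as exc:
        return "error: %s" % exc


if __name__ == "__main__":
    line = build_cef_syslog("fw01", "Acme", "NGFW", "100", "Test event", 3, "src=192.168.1.1")
    assert is_valid_cef(line)
    # Placeholder gateway address; replace with your Service Gateway IP and assigned port.
    print(probe_collector("gateway.example.internal", 6514, use_tls=True, test_line=line))
```

After a successful "ok", search XDR Data Explorer > Third-Party Logs for the src value you sent to confirm the record arrived.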
FAQs
Can I block MD5 hashes in TrendAI Vision One?
No, the system requires SHA-1 or SHA-256 hashes for blocking actions as MD5 is no longer supported for these specific security functions.
Which third-party products are supported?
Any device supporting TCP/TLS and CEF/Syslog formats can connect. Dedicated collectors are also available for AWS, Azure, Microsoft Entra ID, and Microsoft Defender for Endpoint.
How often do ingestion metrics update?
The metrics in the main dashboard update once per day, while Service Gateway specific metrics update every 60 to 90 seconds.
What happens if the Service Gateway goes offline?
If the gateway is offline, incoming logs are dropped and cannot be recovered unless the log source has its own local caching/retry mechanism.
Can I be alerted if log ingestion stops?
Yes. Enable the “Unusual data source and log collection status” notification in your account settings to receive alerts for ingestion failures.
