
If the "logs sent since last day" values are all zero under Settings>Configuration>UEBA Board>Overview, follow the steps below.

1) Confirm that the UEBA Docker containers are running. The following command should list 3 running containers:

docker ps

2) Run tcpdump on port 5532 of the data server. If data is arriving there, check whether your firewall is blocking the connection to the UEBA cluster. The IP addresses of the UEBA cluster are provided during UEBA onboarding.

tcpdump -Aqs0 -i any port 5532

3) If there is no data on port 5532, run tcpdump on port 5530 and see whether data is arriving there. If it is, the problem is likely with licensing. Open Settings>Configuration>UEBA Board>Entity Selection and confirm from the search tab that logs belonging to the selected entities are actually present. Then correct the entity selection.

4) If no data is arriving on port 5530, there is a problem with log collection. Please contact LogPoint support.
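The four steps above as one triage helper for the data server (an added example, not LogPoint's own tooling). It assumes that three running containers is the healthy count, counts every running container because the page does not name the UEBA ones, and uses a short capture window per port:

```shell
#!/bin/sh
# Hypothetical triage helper for the UEBA "logs sent" checks; run as root on the
# data server (docker and tcpdump both need privileges). Assumptions: 3 healthy
# containers (page), all running containers are UEBA ones, 5-second captures.

EXPECTED_CONTAINERS=3

# Number of running containers; one container ID per line from "docker ps".
count_running_containers() {
    docker ps --format '{{.ID}}' 2>/dev/null | wc -l | tr -d ' '
}

# Packets seen on the given port within $2 seconds (stops early after 20 packets).
# tcpdump prints one line per packet to stdout; its banner goes to stderr.
packets_on_port() {
    port=$1
    secs=${2:-5}
    timeout "$secs" tcpdump -nn -i any -c 20 "port $port" 2>/dev/null | wc -l | tr -d ' '
}

# Map the three observations onto the branches of the procedure.
# Arguments: running container count, packets on 5532, packets on 5530.
diagnose() {
    containers=$1
    p5532=$2
    p5530=$3
    if [ "$containers" -lt "$EXPECTED_CONTAINERS" ]; then
        echo "containers; only $containers of $EXPECTED_CONTAINERS UEBA containers are running, start them first"
    elif [ "$p5532" -gt 0 ]; then
        echo "firewall; data reaches port 5532, check that the firewall allows traffic to the UEBA cluster IPs"
    elif [ "$p5530" -gt 0 ]; then
        echo "licensing; data on 5530 but not on 5532, verify UEBA Board > Entity Selection against the search tab"
    else
        echo "collection; no data on 5530, log collection is broken, contact LogPoint support"
    fi
}

# Collect the observations and print the matching branch.
ueba_triage() {
    diagnose "$(count_running_containers)" "$(packets_on_port 5532)" "$(packets_on_port 5530)"
}
```

Call ueba_triage to run the live checks; diagnose can also be fed observed values by hand, for example diagnose 3 0 12.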