This article covers the most common issues encountered with EventLogCentral and EventLogAgent and how to resolve them. Work through the relevant section below based on the type of issue you are experiencing.
Login issues:
| Problem | Resolution |
| Cannot log in with credentials | Verify username and password โ passwords are case-sensitive. Check if the account is locked and wait 15 minutes if so. Ensure you are using the correct URL (HTTP vs HTTPS). Clear browser cookies and try again. |
| Account locked | After 5 failed login attempts accounts are locked for 15 minutes. Wait 15 minutes or contact an administrator to unlock the account. |
| Session expires too quickly | Sessions expire after 60 minutes of inactivity. Keep the browser tab active. Contact your administrator to adjust the session timeout if needed. |
| Login page not accessible | Confirm the LT Auditor MP Event Log Server Service is running on the EventLogCentral server. Confirm no firewall is blocking port 52966. |
Client issues:
Client not appearing in the client list:
- Verify the EventLogAgent service is installed and running on the client machine:
sc query LTA_EventLogAgent
- Confirm the appsettings.json on the agent machine points to the correct EventLogCentral server address and port
- Check for network connectivity issues between the client and the EventLogCentral server
- If using self-signed certificates, confirm the ltaeventlog.cer file has been installed on the client machine via Install-Rootcert.ps1
- Review the agent logs for errors:
C:\Program Files\Blue Lance 2-0\LTA_EventLogAgent\logs
Client showing as Offline:
- Confirm the EventLogAgent service is running on the client:
sc query LTA_EventLogAgent
- Verify the agent configuration points to the correct EventLogCentral server address
- Check for network connectivity or firewall issues between the agent and the server on port 52966
- Review agent logs for connectivity or authentication errors
Configuration issues:
Configuration changes not applying to clients:
- Wait for the next heartbeat cycle โ agents retrieve configuration updates every 5 minutes by default
- Check the client’s Last Heartbeat timestamp in the Clients page to confirm the agent is checking in
- Use Force Configuration Sync from the client actions menu to trigger an immediate update
- Restart the EventLogAgent service on the client if Force Configuration Sync does not resolve the issue:
Restart-Service LTA_EventLogAgent
- Verify the client is assigned to the correct group
Events not being forwarded:
- Verify the syslog target is configured correctly in the Targets section
- Confirm a sender is assigned to the client’s group in the Sender configuration
- Test network connectivity to the syslog target using Test Connection in the Targets page
- Check if Windows auditing is enabled on the client for the relevant event categories โ EventLogAgent can only collect events that Windows is generating
- Review the Event Log configuration for the group โ confirm the relevant log channels and Event IDs are enabled
- Review audit policies for the group โ confirm no DENY policy is suppressing the expected events
- Review agent logs for forwarding errors:
C:\Program Files\Blue Lance 2-0\LTA_EventLogAgent\logs
File audit not working:
- Confirm Windows Object Access auditing is enabled on the client machine via Group Policy:
Computer Configuration โ Policies โ Windows Settings โ
Security Settings โ Advanced Audit Policy Configuration โ
Object Access โ Audit File System
- Confirm the monitored path exists and is accessible on the client machine
- Confirm the EventLogAgent service account has appropriate permissions to the monitored path
- Verify include and exclude patterns in the file audit rule are not filtering out the expected files
- Confirm no audit policy DENY rule is suppressing Windows Security Event IDs 4656 or 4670
Performance issues:
Too many events being forwarded:
- Add Exclude Event IDs to the group’s Event Log configuration for high-volume, low-value events
- Create DENY audit policies to suppress routine events such as service account logons
- Refine file audit rules โ add Exclude Patterns to filter out temporary files and use Include Patterns to limit monitoring to relevant file types
- Review which log channels are enabled for the group and disable any that are not required
Web interface slow to load:
- Reduce the page size in the client list โ use 10 or 25 items per page rather than 100
- Use the search bar to filter results rather than loading the full client list
- Check server resource utilization on the EventLogCentral server
- Review the EventLogCentral server logs for database performance issues:
C:\Program Files\Blue Lance 2-0\LTA_EventLogCentral\logs
Common error messages:
| Error Message | Cause | Resolution |
| Invalid username or password | Incorrect credentials or Caps Lock active | Verify credentials and check Caps Lock |
| Access Denied | User role does not have permission for the action | Contact an administrator to adjust role permissions |
| Configuration sync failed | Network connectivity issue between agent and server | Check connectivity and review server logs |
| Target unreachable | Syslog server offline or firewall blocking the port | Verify server address, port, and firewall rules |
| Certificate error | TLS certificate not trusted by the agent | Confirm ltaeventlog.cer is installed on the agent machine |
| Service failed to start | Configuration error or port conflict | Review EventLogCentral server logs for startup errors |
Log file locations:
| Component | Log Location |
| EventLogCentral Server | C:\Program Files\Blue Lance 2-0\LTA_EventLogCentral\logs |
| EventLogAgent Client | C:\Program Files\Blue Lance 2-0\LTA_EventLogAgent\logs |
When contacting support or escalating an issue, include relevant excerpts from both log locations along with a description of the problem and steps already taken to resolve it.
Contacting support:
If the troubleshooting steps above do not resolve the issue, contact Blue Lance support at: support@bluelance.com
When contacting support, provide:
- A detailed description of the problem
- Steps taken to reproduce the issue
- Exact error messages
- Relevant log file excerpts
- System information including OS version and EventLogCentral version