Log in to the Console and navigate to Settings > System Configuration > Events.
Verify configuration settings are accurate for the external application.
Check with the Network Team to be sure TCP traffic on the specified port is allowed from the App Control Server to the SIEM.
Verify the external application is configured to accept/ingest all events from the App Control Server.
Some applications only ingest events from a pre-defined list of machines.
Some applications can filter out events before displaying/fully processing them.
Run SQL Server Management Studio as the Carbon Black Service Account.
Connect to the App Control database and execute the following query:
USE das;

-- Events table summary: row count, oldest and newest event, highest event ID
SELECT 'Total Events in DB' [Database Info], CAST(FORMAT(COUNT(*), 'N0') AS NVARCHAR) [Value]
FROM dbo.events (NOLOCK)
UNION
SELECT 'Oldest Event in DB' [Database Info], CAST(MIN(date_created) AS NVARCHAR) [Value]
FROM dbo.events (NOLOCK)
UNION
SELECT 'Newest Event in DB' [Database Info], CAST(MAX(date_created) AS NVARCHAR) [Value]
FROM dbo.events (NOLOCK)
UNION
SELECT 'Last Event ID in DB' [Database Info], CAST(FORMAT(MAX(event_id), 'N0') AS NVARCHAR) [Value]
FROM dbo.events (NOLOCK);

-- Syslog export position: last event ID recorded for the SyslogGetEvents task
-- and the creation time of that event
SELECT 'Last Event ID to Syslog' [Syslog Info], CAST(FORMAT(MAX(task_param), 'N0') AS NVARCHAR) [Value]
FROM dbo.scheduled_tasks (NOLOCK)
WHERE task = 'SyslogGetEvents'
UNION
SELECT 'Last Event ID Timestamp' [Syslog Info], CAST(date_created AS NVARCHAR) [Value]
FROM dbo.events (NOLOCK)
WHERE event_id = (SELECT task_param FROM dbo.scheduled_tasks (NOLOCK) WHERE task = 'SyslogGetEvents');