Hi, I was running Sentinel 7.1.0 with only one event source (a sentinel
link, one of production sentinel server forwards all its events to my
sentinel.) This setup worked all the way till few days back when I
upgraded 7.1.0 to Sentinel 7.3.

I had gone through release notes of 7.3 and also specifically read
section for upgrading to 7.3.

Upgrade process in itself went smooth with out any issues or errors.
After "install-sentinel" script gave a message "Complete", I checked
events on WebUI and found things in order.

Then, I restarted Sentinel services as a standard process before handing
it over to production. I believe this restart caused the issue I am
writing about.

I no more see events forwarded to me over the sentinel link. I navigated
to ESM (event source management) and saw that collector has green
triangle on it, which means its running, then I checked four event
sources which have a red cross on the right top corner and a green
triangle on right bottom of the icon.

Connection info column says "Registered to server Sentinel Link ALL
:1290 for events". No TZ set. Pending messages: 0
Error column says: "Lost connection from client machine"

Now, I have tested connectivity to all four event source servers
configured within my link collector and I find it good. Ping was 100%

I also got the sentinel link rebuilt at forwarding server, but still did
not see any events. I checked "Raw Data Tap" and I do not see any
events there too. I see a black square on left bottom of raw data tap.

at this stage I do not find any way to proceed further but to revert
back to older version. Any help, sequence of trouble shooting would

I've gone through post "Not getting logs/events into Sentinel" created
by moldin and although the problem is similar to start but his
infrastructure is diff, he has eDir. I have just one sentinel link.

nvishwa's Profile: https://forums.netiq.com/member.php?userid=6402
View this thread: https://forums.netiq.com/showthread.php?t=53378