Hi all, and thank you in advance for the time spent reading this,

The situation is as follows:
- 2 separate networks, completely independent, different ranges (one in
10.x.x.x, the other in 192.168.x.x), different domains, etc. Sentinel is
actually the only machine with interfaces to both networks. The
monitored assets in both networks are Microsoft servers.

- The 10.x.x.x network was attached first, ~20 servers, no problem
there. One of the servers there runs Sentinel WECS service and is
pulling the events from all others.

- I want to add 192.168.x.x network to the collection. The situation
should be the same. I installed Sentinel WECS service with a user with
appropriate permissions on one of the servers with address and configured it to send the events to port 8270
(opened on the Sentinel firewall and all). However, I can't see events
coming in from that server. The test connection says it's successful,
the status of the event source is Running/Retrieving, but I don't have
events actually coming. And it should, the Security Log is constantly
generating new events.

- In the web interface, when I search, I get only that event from
kernel: SFW2-INext-ACC-TCP(Operating System:Novell SUSE Linux Enterprise
[505053.198675] SFW2-INext-ACC-TCP IN=eth1 OUT=
MAC=00:15:5d:99:cc:0d:3c:4a:92:79:47:c0:08:00 SRC=
DST= LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=27749 DF

- One more thing, both connectors to the 10.x.x.x network and
192.168.x.x network are going to one collector. Since it is the
collector for Microsoft assets and I want to monitor just that, I
suppose it is ok?

You can see on the screens below that the connector is up, the event
source is running and it says there is something coming. However, both
Active View and Raw Data Tap stay empty. Any suggestions?
[image: https://cdn.pbrd.co/images/jDwqyKJCW.png]
[image: https://cdn.pbrd.co/images/jDtsCIUxH.png]

Malleus's Profile: https://forums.netiq.com/member.php?userid=12778
View this thread: https://forums.netiq.com/showthread.php?t=56766
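A diagnostic check for the SFW2 kernel log lines quoted in the post, added here as an example and not code from the original thread or from NetIQ/Sentinel: it parses SUSEfirewall2 (SFW2) log entries into their KEY=VALUE fields and reports whether the Sentinel firewall actually accepted TCP connections to port 8270 from the WECS host, and how many packets per interface and destination port were accepted versus dropped. It assumes the standard SFW2 layout in which the fields shown in the post are followed by PROTO=, SPT= and DPT=; the sample lines and their IP addresses are constructed placeholders, not values from the thread.

```python
import re
from typing import Dict, List, Optional

# Constructed sample lines in the SUSEfirewall2 (SFW2) kernel log format quoted
# in the post. Addresses and MACs are placeholders, not values from the thread.
SAMPLE_LINES = [
    "[505053.198675] SFW2-INext-ACC-TCP IN=eth1 OUT= "
    "MAC=00:15:5d:99:cc:0d:3c:4a:92:79:47:c0:08:00 SRC=192.168.0.50 DST=192.168.0.10 "
    "LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=27749 DF PROTO=TCP SPT=49875 DPT=8270 "
    "WINDOW=8192 RES=0x00 SYN URGP=0",
    "[505060.001122] SFW2-INext-DROP-DEFLT IN=eth1 OUT= "
    "MAC=00:15:5d:99:cc:0d:3c:4a:92:79:47:c0:08:00 SRC=192.168.0.50 DST=192.168.0.10 "
    "LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=27750 DF PROTO=TCP SPT=49876 DPT=8271 "
    "WINDOW=8192 RES=0x00 SYN URGP=0",
    "[505061.500000] SFW2-INext-ACC-TCP IN=eth0 OUT= "
    "MAC=00:15:5d:99:cc:0d:3c:4a:92:79:47:c0:08:00 SRC=10.0.0.20 DST=10.0.0.5 "
    "LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=100 DF PROTO=TCP SPT=50000 DPT=8270 "
    "WINDOW=8192 RES=0x00 SYN URGP=0",
]

# SFW2 tags look like SFW2-<chain>-<verdict>-<rule>, e.g. SFW2-INext-ACC-TCP
# (accepted by the TCP rule) or SFW2-INext-DROP-DEFLT (default drop).
_PREFIX = re.compile(r"SFW2-(?P<chain>\w+)-(?P<verdict>ACC|DROP|REJ)")


def parse_sfw2_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one SFW2 kernel log line into a dict of its KEY=VALUE fields.

    Returns None for lines that are not SFW2 entries. Bare flags such as
    'DF' or 'SYN' are stored with the value 'True'. Empty values are kept
    (e.g. OUT= is empty for packets destined to the host itself).
    """
    match = _PREFIX.search(line)
    if not match:
        return None
    fields: Dict[str, str] = {
        "chain": match.group("chain"),
        "verdict": match.group("verdict"),
    }
    for token in line[match.end():].split():
        if "=" in token:
            key, _, value = token.partition("=")
            fields[key] = value
        else:
            fields[token] = "True"
    return fields


def accepted_to_port(lines: List[str], port: int,
                     src: Optional[str] = None) -> List[Dict[str, str]]:
    """Return the parsed ACC entries for TCP traffic to `port`, optionally
    restricted to one source address (the WECS host in the post's scenario)."""
    hits = []
    for line in lines:
        fields = parse_sfw2_line(line)
        if fields is None or fields["verdict"] != "ACC":
            continue
        if fields.get("PROTO") != "TCP" or fields.get("DPT") != str(port):
            continue
        if src is not None and fields.get("SRC") != src:
            continue
        hits.append(fields)
    return hits


def summarize(lines: List[str]) -> Dict[tuple, int]:
    """Count packets per (inbound interface, destination port, verdict) so
    that silent drops on the collector port stand out next to accepts."""
    counts: Dict[tuple, int] = {}
    for line in lines:
        fields = parse_sfw2_line(line)
        if fields is None:
            continue
        key = (fields.get("IN", ""), fields.get("DPT", ""), fields["verdict"])
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for hit in accepted_to_port(SAMPLE_LINES, 8270, src="192.168.0.50"):
        print("accepted:", hit["IN"], hit["SRC"], "->", hit["DST"], "dpt", hit["DPT"])
    for key, count in sorted(summarize(SAMPLE_LINES).items()):
        print(key, count)
```

Running this over the real `/var/log/firewall` (or `dmesg`) output with the WECS host's address as `src` tells you which half of the path to look at: if ACC entries for DPT=8270 from that host are present while Raw Data Tap stays empty, the Sentinel firewall is not what is blocking the events and the connector or collector configuration is the next thing to check; if only DROP entries (or nothing at all) appear for that port, the traffic is not reaching the collector in the first place.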