Wednesday, August 19, 2015

Varonis Connection lost to a server

If Varonis DatAdvantage is no longer collecting events from a server, the Varonis probe will send out error messages on a regular basis that look something like this:

Subject: [VARONISPROBE] Varonis: Connection lost between SERVER (48) and XXXXXXXXX (IDU Probe) (code 13002)

They generally are caused in one of several ways:

1) The server no longer exists. (Then you should disable it in Varonis or remove it from Varonis.)
2) Someone has upgraded or rebuilt the server, so the agent no longer exists on the box. (Then you should manually install the agent.)
3) Someone has disabled or removed the Varonis services. (After uncovering the reason for the change, you can manually reinstall the agent.)
4) There are connectivity problems getting to the server. (This needs to get fixed outside of the Varonis infrastructure.)

If you have administrative credentials to the monitored server, it is helpful to run Computer Management on the probe and connect to the monitored server from there. The results of using the Computer Management tool from the probe may provide additional clues to the problem. Looking through the Varonis event logs on the monitored server via the Event Viewer on the probe can also be helpful.
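The same checks can be scripted from the probe so the four causes above are sorted out in one pass. This is an added example, not a script from the post or from Varonis; it assumes the account is an administrator on the monitored server, that the Varonis services carry display names beginning with "Varonis", and that the agent writes to an event log named "Varonis" (both names are assumptions, adjust them to what your installation shows).

```powershell
# Added triage script (not from the post or from Varonis). Run on the probe.
# Assumed names: service display names 'Varonis*' and an event log called 'Varonis'.
param(
    [Parameter(Mandatory = $true)][string]$Server
)

# Plain TCP connect test so the script also works where Test-NetConnection is absent.
function Test-Port([string]$Target, [int]$Port) {
    $client = New-Object System.Net.Sockets.TcpClient
    try { $client.Connect($Target, $Port); return $client.Connected }
    catch { return $false }
    finally { $client.Close() }
}

$result = [ordered]@{ Server = $Server }

# Cause 1 / cause 4: does the name still resolve, does it answer, and are the
# RPC (135) and SMB (445) ports that Computer Management relies on reachable?
try   { $result.Resolves = [bool][System.Net.Dns]::GetHostEntry($Server) }
catch { $result.Resolves = $false }
$result.Pings  = Test-Connection -ComputerName $Server -Count 2 -Quiet
$result.Rpc135 = Test-Port $Server 135
$result.Smb445 = Test-Port $Server 445

# Cause 2 / cause 3: is the agent installed, and are its services running?
try {
    $svc = Get-Service -ComputerName $Server -DisplayName 'Varonis*' -ErrorAction Stop
    $result.Services = ($svc | ForEach-Object { "$($_.DisplayName)=$($_.Status)" }) -join '; '
    $result.Stopped  = @($svc | Where-Object { $_.Status -ne 'Running' }).Count
} catch {
    # No service control manager reachable or no matching services:
    # rebuilt box (cause 2) or removed agent (cause 3).
    $result.Services = "unavailable: $($_.Exception.Message)"
}

# Last few entries from the agent's log, the same data the post reads via Event Viewer.
try {
    $result.RecentEvents = Get-WinEvent -ComputerName $Server -LogName 'Varonis' -MaxEvents 5 -ErrorAction Stop |
        ForEach-Object { "$($_.TimeCreated) [$($_.LevelDisplayName)] $($_.Message.Split("`n")[0])" }
} catch {
    $result.RecentEvents = "unavailable: $($_.Exception.Message)"
}

[pscustomobject]$result | Format-List
```

A server that resolves and pings but fails the 135/445 checks points at cause 4 (firewall or routing), while open ports with no 'Varonis*' services points at causes 2 or 3.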

Friday, August 14, 2015

DatAlert Alert Template for Syslog

Within Varonis DatAlert, the default Alert Template for syslog messages contains line feeds and carriage returns. Most syslog parsers have a much easier time dealing with single-line messages. If you are going to send Varonis alerts to syslog, you should create a template specifically for that. Here is a sample that I work with.