(1) According to the customer's reply, the route between the USG5520S and eLog is OK, and the USG5520S was added to eLog successfully.
Because interface traffic analysis is based on syslog, we checked the log collection mode: the connection mode includes syslog, and the port is 514, the same as the port configured on the firewall.
(2) Checked the time and time zone and found that they are the same on the USG5520S and the eLog server.
(3) Checked whether there was interface traffic on the USG5500, and the answer is YES.
(4) Checked whether eLog received the traffic syslogs. The menu "Analysis -> Network Security Analysis -> Event Monitor" shows that eLog can receive traffic logs from the USG5520S. We then confirmed with R&D that the format of the traffic logs is correct.
(5) Checked the filtering rules and found that the customer had configured them to filter traffic logs by mistake.
(6) After the filtering rules were cleared, traffic logs and reports could be queried in eLog.
The customer could then see the result in the menu "Analysis -> Traffic Analysis -> Interface Traffic".