• Get a Support Snapshot to observe var/log/messages, and to look at the configuration of ActionServer, look at the rules. 
• It is helpful to have a webex with the customer to get the history of why this worked and now does not.  Any recent changes?
• In the FUI (Forensics UI) make sure that Alerts are working, identify the Rules that should trigger and have the Customer show you these rules in the Admin console. 

Here are some good diagnostics --

If alerts are not working then you need to troubleshoot the alerts. (Doing so is not within the scope of this article.

If alerts are working, follow these steps below.

1.  Configure Action Server in DEBUG Mode

2.  Start Action Server on the console with ActionServer service stopped in Scout. 

Example -- 

/var/opt/silvertail/bin/actionserver.py -f /var/opt/silvertail/etc/universal.conf 
/var/opt/silvetail/data/alerts/dummy.alerts 

3. Look through var/log/messages for ActionServer and UIServer messages.

4. Make sure email is working.   Although this is a basic OS level functionality, it is crucial that email can be sent from the WTD server to the intended mailbox.   

a. Determine the method of email used in the system -- This is usually PostFix or Sendmail.  Examples will be shown for these two applications.
b. Telnet to the mail host on port 25 (make sure port 25 is enabled in the Customer environment.)
c. Send an email from the console

• PostFix(with SendMail) $   echo "this is the body of the email" | mail -s "this is the subject line"  user@example.com
• SendMail                   $

• Find out what was the previous configuration, mailhosts, smtp relays etc. to get the mail routed from the WTD server. 
• On the affected system make sure that IP Tables are not on and or blocking mail, and make sure SELinux is set to Permissive