We already discussed about how configure log sources, and how configure QRadar to receive the logs. Let’s say that everything is ready, you are in front of the customer, and the logs doesn’t show up, do you know how to troubleshoot it? Here is some quick troubleshooting tips, that can help you in those situations:
- Verify the connectivity between the log source and the QRadar collector:
- You can simply ping from the log source to the collector;
- By default, the IP-Tables from QRadar drop pings, so you will need to stop the iptables process in the QRadar collector. You can do it opening the terminal (or ssh) in the QRadar and using the following command:
services iptables stop ;
- If you cannot even ping the QRadar server from your log source, the issue is the network;
- Don’t forget to restart the IPtables after testing, just use the following command:
services iptables start ;
- Verify the firewalls between the log source and the QRadar:
- The firewalls should allow the ports used to collect. For example, for collecting syslog, the firewalls should allow the port 514/UDP;
- If you have no access to the firewall, a simple way to test the firewall is using the telnet command from the logsource to the QRadar: telnet [IP] [PORT]
Example: telnet 10.1.1.1 514
- If the telnet doesn’t work, some firewall is dropping the packets on the specified port, you should ask for a firewall rule allowing the traffic;
- Verify the flows coming in the QRadar collector:
- You can use the command tcpdump in the QRadar to verify if the packets are being received in the QRadar;
- Syntax: tcpdump -i [INTERFACE] src host [IP-LOGSOURCE] port [PORT]
- Example: tcpdump -i eth0 src host 10.2.2.2 port 514
- If nothing shows up, there is some network issue dropping the packets or the log source is not properly configured;
- Verify the QRadar Logs:
- The QRadar logs are stored in the following folder: /var/log/
- The main log is named qradar.log
- You can simple access and monitor the log using the following command: tail –f /var/log/qradar.log
- You can verify the current EPS using the following command:
tail –f /var/log/qradar.log | grep ‘Events per Second’
I hope this post help you guys to troubleshoot collecting problems on QRadar. If you have any question or suggestion, please leave us a comment!
Finding the official documentation sometimes is a painful task. In this post you can find the IBM official product documentation for all the recent QRadar versions.
Current IBM QRadar 7.2.1 Documentation:
IBM QRadar 7.2.1 SIEM: All the documents related with the SIEM solution, including administration guide, user guide, etc.
IBM QRadar 7.2.1 Vulnerability Manager: All the documentation related with the new Vulnerability Manager feature.
IBM QRadar 7.2.1 Risk Manager: Documentation regarding with the Risk Manager feature, part of the QRadar framework.
IBM QRadar 7.1 MR2 SIEM: All the documents related with the SIEM solution version 7.1.
IBM QRadar 7.0 SIEM: All the documents related with the SIEM solution version 7.1.
For more QRadar documentation, please visit the IBM QRadar Documentation Centre.
Found some broken link? Couldn’t find the documentation that you are looking for? Contact us!