Question & Answer
Question
Why are events not appearing in the Log Activity tab for a Log Source in Success status that is verified to be sending events to QRadar successfully?
Cause
As discussed in Technote 1622228: Event Processing Pipeline, events are subject to a sequence of steps before they are accessible in the QRadar User Interface (UI). Routing Rules are one of these Event Processing steps. Errors that are made in Routing Rule configurations can result in events not appearing in the UI even when the Log Source configuration is correct.
Answer
If you are not able to view events from a Log Source, the first step is to confirm that it is in Success status and that QRadar is receiving the events from this Log Source. Technote 1674902: QRadar: Using the command-line to troubleshoot a syslog event source discusses how such troubleshooting can be performed.
It is also possible that the events are not appearing in the User Interface due to a misconfigured Routing Rule. To view Routing Rules, go to Admin Tab > System Configuration > Routing Rule.
The events in question might be matching a Routing Rule by Log Source, IP address, or other custom properties. If that is occurring, they might be forwarded to other destinations or dropped. Review the list of rules to see whether the events in question match any of them. If you identify a Routing Rule as the cause of your issue, you can update or disable the rule as needed. The QRadar documentation discusses this in detail under Configuring routing rules for bulk forwarding.
Document Information
Modified date: 16 June 2018
UID: swg21993442