Troubleshooting Microsoft Azure Event Hubs protocol

Use the following troubleshooting and support information to resolve issues with the Microsoft Azure Event Hubs protocol. Find the errors by using the protocol testing tools in the QRadar® Log Source Management app.

General troubleshooting

The following steps apply to all user input errors. The general troubleshooting procedure contains the first steps to follow for any error with the Microsoft Azure Event Hubs protocol.

  1. If the Use Event Hub Connection String or Use Storage Account Connection String option is set to Off, switch it to On. For more information about getting the connection strings, see Configuring Microsoft Azure Event Hubs to communicate with QRadar.
  2. Confirm that the Microsoft Azure event hub connection string follows the format in the following example. Ensure that the EntityPath parameter value is the name of your event hub.
    Endpoint=sb://<Namespace Name>.servicebus.windows.net/;SharedAccessKeyName=<SAS Key Name>;SharedAccessKey=<SAS Key>;EntityPath=<Event Hub Name>

    After the log source is saved and closed, for security reasons, you can no longer see the entered values. If you don't see the values, re-enter them and then confirm their validity.

  3. Confirm that the Microsoft Azure storage account connection string follows the format of the following example.
    DefaultEndpointsProtocol=https;AccountName=<Storage Account Name>;AccountKey=<Storage Account Key>;EndpointSuffix=core.windows.net

    After the log source is saved and closed, for security reasons, you can no longer see the entered values. If you don't see the values, re-enter them and then confirm their validity.

  4. Optional: For troubleshooting, set Use As a Gateway Log Source to Off and set Format Azure Linux Events to Syslog to On. This forces all events through the selected log source type, which quickly shows whether any events are arriving at all and whether there is a network or access issue.

    If you leave Use As a Gateway Log Source set to On, ensure that the events are not arriving in QRadar as unknown, stored, or sim-generic. If they are, it might explain why the protocol appears to be not working.

  5. Ensure that the provided consumer group exists for the selected event hub. For more information, see Configuring Microsoft Azure Event Hubs to communicate with QRadar.
  6. Enable the Automatically Acquire Server Certificate option or confirm that the certificate is manually added in QRadar.
  7. Ensure that the QRadar system time is accurate; an inaccurate system clock can cause failures that look like network issues.
  8. Ensure that port 443 is open to the storage account host. The storage account host is usually <Storage_Account_Name>.<something>, where <something> is usually the endpoint suffix (the EndpointSuffix value in the storage account connection string).
  9. Ensure that port 5671 is open to the event hub host. The event hub host is usually the host in the Endpoint value of the event hub connection string (<Namespace Name>.servicebus.windows.net).
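As an added example (not part of the IBM documentation), the following Python checks both connection strings against the formats in steps 2 and 3, rejects a mismatched EntityPath, and derives the host and port that steps 8 and 9 say must be open, so the values can be verified before they are entered into the Log Source Management app. The sample strings are constructed, and the storage host form <AccountName>.blob.<EndpointSuffix> is an assumption based on Azure's standard blob endpoint naming.

```python
import socket
from urllib.parse import urlparse

# Keys that each connection string must carry (the two formats shown in the checklist).
EVENT_HUB_KEYS = {"Endpoint", "SharedAccessKeyName", "SharedAccessKey", "EntityPath"}
STORAGE_KEYS = {"DefaultEndpointsProtocol", "AccountName", "AccountKey", "EndpointSuffix"}

# Constructed sample strings (not real credentials); replace with your own values.
SAMPLE_HUB = "Endpoint=sb://myns.servicebus.windows.net/;SharedAccessKeyName=qradar;SharedAccessKey=abc=;EntityPath=qradar-hub"
SAMPLE_STORAGE = "DefaultEndpointsProtocol=https;AccountName=myacct;AccountKey=k==;EndpointSuffix=core.windows.net"

def parse_connection_string(conn):
    """Split 'Key=Value;Key=Value' into a dict. Values may contain '=' (base64 keys)."""
    parts = {}
    for item in conn.strip().strip(";").split(";"):
        key, sep, value = item.partition("=")
        if not sep or not key.strip():
            raise ValueError(f"segment is not Key=Value: {item!r}")
        parts[key.strip()] = value.strip()
    return parts

def check_event_hub_string(conn, expected_hub=None):
    # Returns the (host, port) from step 9 that must be reachable, or raises ValueError.
    p = parse_connection_string(conn)
    if missing := EVENT_HUB_KEYS - p.keys():
        raise ValueError(f"event hub string is missing {sorted(missing)}")
    if expected_hub and p["EntityPath"] != expected_hub:
        raise ValueError(f"EntityPath {p['EntityPath']!r} is not event hub {expected_hub!r}")
    url = urlparse(p["Endpoint"])
    if url.scheme != "sb" or not url.hostname:
        raise ValueError(f"Endpoint should be sb://<namespace>.servicebus.windows.net/, got {p['Endpoint']!r}")
    return url.hostname, 5671  # AMQP over TLS

def check_storage_string(conn):
    # Returns the (host, port) from step 8 that must be reachable, or raises ValueError.
    p = parse_connection_string(conn)
    if missing := STORAGE_KEYS - p.keys():
        raise ValueError(f"storage string is missing {sorted(missing)}")
    if p["DefaultEndpointsProtocol"] != "https":
        raise ValueError("DefaultEndpointsProtocol must be https")
    # Assumption: the blob endpoint host is <AccountName>.blob.<EndpointSuffix>.
    return f"{p['AccountName']}.blob.{p['EndpointSuffix']}", 443

def port_reachable(host, port, timeout=5):
    # Plain TCP connect test; run it from the QRadar host that owns the log source.
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False
```

Run check_event_hub_string and check_storage_string on your own strings, then pass each returned (host, port) to port_reachable from the QRadar console to cover steps 8 and 9.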