Troubleshooting Apache Kafka

This reference provides troubleshooting options for configuring Apache Kafka to enable Client Authentication.

Table 1. Troubleshooting for Apache Kafka Client Authentication
Issue: The Use As A Gateway Log Source option is selected in the log source configuration, but log sources are not being automatically detected.
Solution: Events that are streamed from Kafka must contain a valid Syslog RFC3164 or RFC5424 compliant header, so that QRadar can correctly determine the log source identifier of each event.

Issue: No events are being received and the following error is displayed in the log source configuration form: “Encountered an error while attempting to fetch topic metadata... Please verify the configuration information.”
Solution: Verify that the bootstrap server and port details that are entered into the configuration are valid.

If Client Authentication is enabled, verify the following things:
  • The passwords that are entered are correct.
  • The client truststore and keystore files are present in the /opt/qradar/conf/trusted_certificates/kafka/ folder and the specified file names match.
  • The server certificates (<filename>.der) are present in the /opt/qradar/conf/trusted_certificates/ folder.

Issue: No events are being received and the following error is displayed in the log source configuration form: “The user specified list of topics did not contain any topics that exists in the Kafka cluster. Please verify the topic list.”
Solution: When you use the List Topics option to subscribe to topics, QRadar attempts to verify the specified topics against the topics that are available in the Kafka cluster when the log source is initially started. If no topics match between what was entered in the configuration and what is available on the cluster, you are presented with this message. Verify the topic names that are entered in the configuration. Also consider using the Regex Pattern Matching option for subscribing to topics.

Issue: When any parameter value in the property file on the Kafka server is changed, expected results are not received.
Solution: Disable, then re-enable the Kafka log source.
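
For the gateway auto-detection issue above, the following added example (not IBM or QRadar code) pre-checks events before they are published to Kafka: it tests each line for an RFC3164 or RFC5424 header and extracts the hostname that would serve as the log source identifier. The regular expressions approximate the RFC header layouts and are not QRadar's own parser; the function names and sample events are constructed for illustration.

```python
import re

MONTHS = "Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec"
# RFC 3164 header: <PRI>Mmm dd hh:mm:ss HOSTNAME (day of month is space-padded)
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?:" + MONTHS + r") [ \d]\d \d{2}:\d{2}:\d{2} "
    r"(?P<host>[^\s:]+) ")
# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID
RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>[1-9]\d? "
    r"(?:-|\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d{1,6})?(?:Z|[+-]\d{2}:\d{2})) "
    r"(?P<host>\S{1,255}) \S{1,48} \S{1,128} \S{1,32} ")


def classify(event):
    """Return (format, hostname); format is None when no valid header is found."""
    for name, rx in (("RFC5424", RFC5424), ("RFC3164", RFC3164)):
        m = rx.match(event)
        # PRI = facility * 8 + severity, so the largest legal value is 191.
        if m and int(m.group("pri")) <= 191:
            host = m.group("host")
            # RFC 5424 allows "-" (NILVALUE) as hostname: the header is valid
            # but carries nothing to identify the log source by.
            return name, (None if host == "-" else host)
    return None, None


def headerless(events):
    """Indexes of events that yield no hostname to identify a log source."""
    return [i for i, e in enumerate(events) if classify(e)[1] is None]


# Constructed sample events, as they might be read from a Kafka topic.
SAMPLE_EVENTS = [
    "<13>Oct  5 09:01:02 fw01.example.test sshd[311]: session opened",
    "<165>1 2024-10-05T09:01:03.120Z app02.example.test billing 4410 ID7 - payment accepted",
    '{"host": "db03", "msg": "raw JSON, no syslog header"}',
    "<165>1 2024-10-05T09:01:04Z - billing 4410 ID8 - no hostname",
    "<999>Oct  5 09:01:05 fw01.example.test sshd[311]: PRI out of range",
]

if __name__ == "__main__":
    for i, ev in enumerate(SAMPLE_EVENTS):
        print(i, classify(ev))
    print("events without a usable identifier:", headerless(SAMPLE_EVENTS))
```
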