Other exceptions

Symptoms

Error: “Ensure that there are no network related issues preventing the connection. Additionally ensure that the Event Hub and Storage Account Connection Strings are valid.”

Error: “An error occurred. For more information, see the \"Raw Error Message\". An attempt will be made to query for content at the next retry interval”

Causes

Exceptions in this category are unknown to the protocol and are unexpected. These exceptions can be difficult to troubleshoot and usually require research to resolve.

Resolving the problem

Follow these steps to resolve your error. They might resolve some of the more common issues.

  1. Ensure that the event hub connection string uses the same or a similar format as displayed in the following example:

    Endpoint=sb://<Namespace Name>.servicebus.windows.net/;SharedAccessKeyName=<SAS Key Name>;SharedAccessKey=[SAS Key];EntityPath=<Event Hub Name>

  2. When you move the event hub connection string from the Azure portal to IBM QRadar, ensure that no additional white space or invisible characters are added. Alternatively, before you copy the string, ensure that you don't copy any additional characters or white space.
  3. Ensure that the storage account connection string is valid and displays in a similar format to the following example:

    DefaultEndpointsProtocol=https;AccountName=<Storage Account Name>;AccountKey=<Storage Account Key>;EndpointSuffix=core.windows.net

  4. Ensure that QRadar can communicate with the storage account host on port 443, and with the event hub on port 5671 and 5672.
  5. Verify that a certificate is downloaded manually or by using the Automatically Acquire Server Certificate(s) option. The certificates are downloaded from <Storage Account Name>.blob.core.windows.net.
  6. Verify that the system time in QRadar matches the current time. Security settings on the storage account prevent mismatched times between the server (storage account) and the client (QRadar).