Troubleshooting IBM QRadar integration

Troubleshooting IBM Cloud Private to resolve the issue

  1. Ensure that audit logging is enabled.
    Audit logging is disabled by default. If you need to generate audit logs for a service, you must enable it for that service. For more information, see Audit logging in IBM Cloud Private.

  2. Restart the pods for the service for which you enabled audit logging.
    After you set AUDIT flag: true in the ConfigMap of the service, check that the related service pods restarted. For more information, see Audit logging in IBM Cloud Private.

  3. Check whether the audit logs are being sent to systemd journal.

    1. Install kubectl. For more information, see Installing the Kubernetes CLI (kubectl).
    2. Find the IP address of the node that hosts the service pod on which audit logging is enabled (the NODE column of the wide output).
      kubectl -n kube-system get pods -o wide | grep <service name or pod name of the service>
      
    3. Use Secure Shell (SSH) to connect to that node and check whether audit logs are reaching journald.
      journalctl -t 'icp-audit'
      
    4. If you do not find any logs, check whether journald itself is working by writing a test message. Then, run the journalctl command from the previous step again.
      echo "Audit log testing message." | systemd-cat -t icp-audit
      
  4. Ensure that the hostAliases entry in the audit-logging-fluentd-ds DaemonSet maps the QRadar host name to the correct IP address.

  5. The fluent.conf value in the audit-logging-fluentd-ds-config ConfigMap is Fluentd configuration stored as a YAML string, so it is sensitive to space and newline characters. Do not change the number of leading spaces when you edit it.

  6. Check the audit-logging-fluentd-ds-* pod logs for any connectivity error.

    1. Get the fluentd pods.
      kubectl -n kube-system get pods | grep audit-logging-fluentd-ds
      
    2. Check the logs of each fluentd pod for connectivity errors.
      kubectl -n kube-system logs audit-logging-fluentd-ds-<pod-id>
      
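The checks in steps 3 and 6 above, as an added shell example that is not part of the original page or of IBM Cloud Private. It assumes kubectl is configured for the cluster, that journalctl and systemd-cat exist on the node, and that the value in the NODE column is usable as an SSH target (in IBM Cloud Private clusters the node name is usually its IP address; that is an assumption here). The pod names and the kubectl output used for the check are constructed.

```shell
#!/bin/sh
# Added example (not IBM's tooling): helpers for steps 3 and 6 of the ICP-side checks.
# Assumes kubectl is configured for the cluster; run check_audit_journal on the node itself.

# Step 3.2: print the NODE column for pods whose name matches a pattern, reading
# `kubectl -n kube-system get pods -o wide` output on stdin. The column is located by its
# header, so the result does not depend on kubectl's column order or width.
node_for_pod() {   # node_for_pod <service-name-or-pod-name-prefix>
  awk -v pat="$1" '
    NR == 1 { for (i = 1; i <= NF; i++) if ($i == "NODE") { col = i; break }; next }
    $1 ~ pat { print $col }'
}

# Steps 3.3 and 3.4, run over SSH on the node found above: report how many icp-audit
# entries journald holds; if there are none, write a test message to tell a silent
# service apart from a broken journald. Returns 0 when audit entries exist, 1 otherwise.
check_audit_journal() {
  count=$(journalctl -t icp-audit -o cat --no-pager 2>/dev/null | wc -l | tr -d ' ')
  if [ "$count" -gt 0 ]; then
    echo "journald holds $count icp-audit entries"
    return 0
  fi
  echo "no icp-audit entries; writing a test message with systemd-cat"
  echo "Audit log testing message." | systemd-cat -t icp-audit
  sleep 1
  if journalctl -t icp-audit -o cat --no-pager 2>/dev/null | grep -q "Audit log testing message."; then
    echo "journald works; the service pods are not emitting audit logs (re-check steps 1 and 2)"
  else
    echo "journald is not recording messages; fix journald before going further"
  fi
  return 1
}

# Step 6: print connectivity-related lines from every audit-logging-fluentd-ds pod.
fluentd_connectivity_errors() {
  kubectl -n kube-system get pods -o name | grep 'audit-logging-fluentd-ds' |
  while read -r pod; do
    echo "== $pod"
    kubectl -n kube-system logs "$pod" 2>&1 |
      grep -iE 'error|refused|timed out|unreachable|ssl|tls' || echo "   (no connectivity errors found)"
  done
}

# Typical use from a workstation (the pattern is the service name or pod name prefix):
#   kubectl -n kube-system get pods -o wide | node_for_pod auth-idp
# then copy this file to that node and run:
#   . ./icp_audit_checks.sh; check_audit_journal
```

The node lookup is the only part that runs without cluster access; check_audit_journal must run on the node, because audit entries land in that node's journal, not in the pod.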

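For step 5 above, an added shell example (not IBM's tooling) that extracts fluent.conf from the ConfigMap and lints the whitespace the stringified YAML is sensitive to: tabs, CR line endings and unbalanced Fluentd blocks. It assumes kubectl is configured and that the ConfigMap key is fluent.conf, the name used on this page; the sample configurations in the check are constructed.

```shell
#!/bin/sh
# Added example (not IBM's tooling): pull fluent.conf out of the ConfigMap and lint the
# whitespace that the stringified YAML is sensitive to. Assumes kubectl is configured and
# that the ConfigMap key is fluent.conf (the key name used on this page).

fetch_fluent_conf() {   # fetch_fluent_conf <output-file>
  kubectl -n kube-system get configmap audit-logging-fluentd-ds-config \
    -o jsonpath='{.data.fluent\.conf}' > "$1"
}

# Report tab characters, CR line endings and unbalanced <source>/<match>/<filter> blocks.
# Prints one problem per line; returns 0 when nothing was found, 1 otherwise.
check_fluent_conf() {   # check_fluent_conf <file>
  f=$1
  problems=0
  tab=$(printf '\t')
  cr=$(printf '\r')
  # YAML block scalars must be indented with spaces; a tab changes the parsed structure.
  n=$(grep -c "$tab" "$f" || true)
  if [ "$n" -gt 0 ]; then
    echo "tab character on $n line(s): indent with spaces only"
    problems=$((problems + 1))
  fi
  # CRLF endings (typical after editing on Windows) leave a stray CR in every line.
  n=$(grep -c "$cr" "$f" || true)
  if [ "$n" -gt 0 ]; then
    echo "CR line ending on $n line(s): convert to LF"
    problems=$((problems + 1))
  fi
  # A lost or duplicated line usually shows up as an unbalanced block tag.
  for tag in source match filter; do
    open=$(grep -c "^[[:space:]]*<$tag[ >]" "$f" || true)
    close=$(grep -c "^[[:space:]]*</$tag>" "$f" || true)
    if [ "$open" -ne "$close" ]; then
      echo "unbalanced <$tag> blocks: $open opened, $close closed"
      problems=$((problems + 1))
    fi
  done
  [ "$problems" -eq 0 ]
}

# Typical use before applying an edited ConfigMap:
#   fetch_fluent_conf fluent.conf && check_fluent_conf fluent.conf
```

Run the lint on the edited file before `kubectl apply`; a non-zero exit with the listed problems is cheaper to act on than a fluentd pod that restarts in a loop after the ConfigMap change.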
Troubleshooting IBM QRadar to resolve the issue

  1. Ensure that the QRadar TLS syslog log source is running and listening on the configured port. Run the following command on the system where QRadar is running and confirm that traffic from the ICP nodes arrives on that port.

    tcpdump -i <interface> 'port <port-number>'
    
  2. Ensure that the QRadar TLS syslog public and private keys are in the correct format. The private key of a custom key pair must be in the DER-encoded PKCS8 format.

  3. Ensure that QRADAR_LOG_SOURCE_IDENTIFIER is unique and that the same value is set in both the QRadar TLS syslog log source and the Fluentd configuration.
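The QRadar-side checks in steps 1 and 2, as an added shell example that is not part of the original page or of QRadar or IBM Cloud Private. It assumes openssl is installed where it runs and that ss (iproute2) exists on the QRadar host; the host names, port number and key file names are placeholders, and the key used in the check is generated on the spot.

```shell
#!/bin/sh
# Added example (not QRadar's or IBM's tooling): checks for the QRadar side of steps 1 and 2.
# Assumes openssl is installed and, for listening_on_port, that ss (iproute2) exists on the
# QRadar host. Host names, ports and file names are placeholders supplied by the caller.

# Step 1, on the QRadar host: show what is listening on the TLS syslog port. Unlike
# tcpdump this answers immediately, even when no traffic has arrived yet.
listening_on_port() {   # listening_on_port <port>
  ss -ltnp 2>/dev/null | awk -v p=":$1\$" 'NR > 1 && $4 ~ p'
}

# Step 1, from an ICP node: complete a TLS handshake against the log source and print the
# certificate verification result; "Connection refused" means nothing is listening.
tls_handshake_check() {   # tls_handshake_check <qradar-host> <port> [ca-file]
  host=$1; port=$2
  if [ -n "$3" ]; then set -- -CAfile "$3"; else set --; fi
  openssl s_client -connect "$host:$port" -servername "$host" "$@" </dev/null 2>&1 |
    grep -iE 'verify return code|refused|error'
}

# Step 2: convert a PEM private key to the DER-encoded PKCS8 form the log source expects.
to_der_pkcs8() {   # to_der_pkcs8 <key.pem> <key.der>
  openssl pkcs8 -topk8 -nocrypt -inform PEM -outform DER -in "$1" -out "$2"
}

# Step 2: classify a key file as der-pkcs8, pem or unknown, so a key in the wrong format
# is caught before it is uploaded. Only unencrypted PKCS8 DER parses in the first branch.
key_format() {   # key_format <file>
  if openssl pkcs8 -inform DER -nocrypt -in "$1" -out /dev/null 2>/dev/null; then
    echo der-pkcs8
  elif openssl pkey -inform PEM -in "$1" -noout 2>/dev/null; then
    echo pem
  else
    echo unknown
  fi
}

# Typical use (6514 is the usual syslog-over-TLS port; substitute the configured one):
#   listening_on_port 6514
#   tls_handshake_check qradar.example.com 6514 ca.pem
#   to_der_pkcs8 qradar-key.pem qradar-key.der && key_format qradar-key.der
```

key_format deliberately tries the DER PKCS8 parser first: a PEM key, or a DER key in the older PKCS1 layout, fails that parse, which is exactly the mismatch step 2 is about.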