Troubleshooting IBM QRadar integration
Troubleshooting IBM Cloud Private to resolve the issue

- Ensure that audit logging is enabled.
  Audit logging is disabled by default. If you need to generate audit logs for a service, you must enable it for that service. For more information, see Audit logging in IBM Cloud Private.
- Restart the pods for the service for which you enabled audit logging.
  After you set `AUDIT flag: true` in the ConfigMap of the service, check whether the related service pods are restarted. For more information, see Audit logging in IBM Cloud Private.
- Check whether the audit logs are being sent to the systemd journal.
  1. Install `kubectl`. For more information, see Installing the Kubernetes CLI (kubectl).
  2. Find the IP address and the node of the service pod on which audit logging is enabled.
     kubectl -n kube-system get pods -o wide | grep <service name or pod name of the service>
  3. Use Secure Shell (SSH) to connect to that node.
  4. Check whether audit logs are reaching `journald`.
     journalctl -t 'icp-audit'
  5. If you do not find any logs, check whether `journald` is working by writing a test message under the `icp-audit` tag. Then, repeat step 4.
     systemd-cat -t icp-audit echo "Audit log testing message."
- Ensure that `hostAliases` in the `audit-logging-fluentd-ds` daemonset has the correct host name to IP address mapping.
- The `fluent.conf` value in the `audit-logging-fluentd-ds-config` ConfigMap is stringified YAML. It is sensitive to space and newline characters. Ensure that the number of spaces is not modified.
- Check the `audit-logging-fluentd-ds-*` pod logs for any connectivity error.
  1. Get the `fluentd` pods.
     kubectl -n kube-system get pods
  2. Check for connectivity errors.
     kubectl -n kube-system logs audit-logging-fluentd-ds-<pod-id>
Troubleshooting IBM QRadar to resolve the issue

- Ensure that the QRadar TLS syslog log source is running and listening on the configured port. Run the following command on the system where QRadar is running.
  tcpdump -i <interface> 'port <port-number>'
- Ensure that the QRadar TLS syslog public and private keys are in the correct format. A custom private key must be in DER-encoded PKCS8 format.
- Ensure that `QRADAR_LOG_SOURCE_IDENTIFIER` is unique and is the same in both the TLS syslog log source and the Fluentd configuration.
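The private key format check described above, as an added example that is not part of the IBM documentation: a dependency-free Python script that tells DER from PEM and PKCS8 from the traditional PKCS1 (RSA) and SEC1 (EC) layouts by reading the ASN.1 header, and that wraps a PKCS1 RSA key into a PKCS8 PrivateKeyInfo. The sample keys are constructed structural skeletons (placeholder octets, not real key material), and the function names are my own.

```python
"""Check whether a private key blob is the DER-encoded PKCS8 format that the
QRadar TLS syslog log source expects, and wrap a traditional PKCS1 RSA key
into PKCS8 when it is not. Pure Python; the samples below are constructed
ASN.1 skeletons, not usable keys."""
import base64
import re

# AlgorithmIdentifier for rsaEncryption (OID 1.2.840.113549.1.1.1), NULL params.
RSA_ALG_ID = bytes.fromhex("300d06092a864886f70d0101010500")

# Constructed: PKCS8 PrivateKeyInfo skeleton (version 0, rsaEncryption,
# four placeholder octets where the inner key would be).
SAMPLE_PKCS8_DER = bytes.fromhex("3018020100300d06092a864886f70d01010105000404deadbeef")
# Constructed: traditional RSAPrivateKey skeleton (version 0, then INTEGERs).
SAMPLE_PKCS1_DER = bytes.fromhex("3009020100020103020105")
# Constructed: SEC1 ECPrivateKey skeleton (version 1, privateKey OCTET STRING).
SAMPLE_SEC1_DER = bytes.fromhex("30090201010404deadbeef")
# The same PKCS8 skeleton with PEM armor (what "BEGIN PRIVATE KEY" files carry).
SAMPLE_PKCS8_PEM = ("-----BEGIN PRIVATE KEY-----\n"
                    + base64.b64encode(SAMPLE_PKCS8_DER).decode()
                    + "\n-----END PRIVATE KEY-----\n")

_PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)


def _read_tlv(buf: bytes, pos: int):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length


def _children(seq_value: bytes):
    """Split the value of a SEQUENCE into its (tag, value) children."""
    out, pos = [], 0
    while pos < len(seq_value):
        tag, val, pos = _read_tlv(seq_value, pos)
        out.append((tag, val))
    return out


def pem_to_der(pem: bytes) -> bytes:
    """Strip PEM armor and base64; the result is the DER the PEM carried."""
    m = _PEM_RE.search(pem.decode("ascii", "replace"))
    if not m:
        raise ValueError("malformed PEM armor")
    return base64.b64decode("".join(m.group(2).split()))


def classify_private_key(data: bytes):
    """Return (encoding, structure): encoding is 'DER' or 'PEM'; structure is
    'PKCS8', 'PKCS1-RSA', 'SEC1-EC' or 'unknown'. Raises ValueError on junk."""
    encoding = "DER"
    if data.lstrip().startswith(b"-----BEGIN"):
        encoding, data = "PEM", pem_to_der(data)
    tag, body, end = _read_tlv(data, 0)
    if tag != 0x30 or end != len(data):    # must be exactly one outer SEQUENCE
        return encoding, "unknown"
    tags = [t for t, _ in _children(body)]
    if tags[:3] == [0x02, 0x30, 0x04]:      # version, AlgorithmIdentifier, key
        return encoding, "PKCS8"
    if tags[:2] == [0x02, 0x02]:            # version, modulus n, ...
        return encoding, "PKCS1-RSA"
    if tags[:2] == [0x02, 0x04]:            # version, privateKey OCTET STRING
        return encoding, "SEC1-EC"
    return encoding, "unknown"


def is_qradar_ready(data: bytes) -> bool:
    """True only for an unencrypted DER-encoded PKCS8 private key."""
    try:
        return classify_private_key(data) == ("DER", "PKCS8")
    except ValueError:
        return False


def _der_length(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _der_length(len(value)) + value


def wrap_pkcs1_rsa_as_pkcs8(pkcs1_der: bytes) -> bytes:
    """Wrap a DER RSAPrivateKey (PKCS1) into a DER PKCS8 PrivateKeyInfo."""
    if classify_private_key(pkcs1_der) != ("DER", "PKCS1-RSA"):
        raise ValueError("input is not a DER PKCS1 RSA key")
    return _tlv(0x30, _tlv(0x02, b"\x00") + RSA_ALG_ID + _tlv(0x04, pkcs1_der))


if __name__ == "__main__":
    for name, blob in [("pkcs8.der", SAMPLE_PKCS8_DER), ("pkcs8.pem", SAMPLE_PKCS8_PEM.encode()),
                       ("rsa-pkcs1.der", SAMPLE_PKCS1_DER), ("ec-sec1.der", SAMPLE_SEC1_DER)]:
        print(name, classify_private_key(blob), "ready" if is_qradar_ready(blob) else "convert")
```

For a real key file, read it as bytes and pass it to `is_qradar_ready`; a PEM PKCS8 key only needs its armor stripped (`pem_to_der`), while a PKCS1 RSA key needs wrapping. Outside the script, `openssl pkcs8 -topk8 -nocrypt -in key.pem -outform DER -out key.der` performs the same conversion and also handles EC keys, which this example only recognises.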