IBM Support

QRadar: Generate alerts when a Log Source stops receiving events

Question & Answer


Question

How can I receive alerts if a log source stops receiving events?

Answer

The Device Stopped Sending Events rule that is included by default with QRadar can send an alert when a device stops sending events. The rule is configured with one or more log sources and with the length of time a log source must be silent before it is considered to have stopped receiving events. By default this interval is 3600 seconds.
  1. Log in to the QRadar UI.
  2. Click the Offenses tab.
  3. Click Rules.
  4. From the Group drop-down menu, select System.
  5. Select the Rule Name Device Stopped Sending Events.
  6. Select Actions > Duplicate.
  7. Enter a name for the new rule.
  8. Click OK.
  9. Double-click the new rule to configure it.
  10. In the Rule Wizard, click these devices and select one or more log sources you want to receive alerts on.
  11. Add the devices and click Submit.
  12. Select the threshold, in seconds, after which an alert is generated. The default is 3600 seconds.
  13. Click Next.
  14. Select Email and type the email address that the notification is sent to when the rule is triggered.
    Note: If you are using multiple email addresses, separate them with commas.
  15. Click Next.
  16. Under Rule Response, configure how often you want this rule to respond.
  17. Select Enable Rule.
  18. Configure the Response Limiter.
  19. Click Next to review the rule configuration.
  20. Click Finish.

    Results
    You configured a rule that alerts you when a log source stops sending events for the configured interval.
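To make the two settings in the procedure concrete, the following Python is an added illustration (not IBM's code and not how QRadar implements the rule internally) of what one scheduled pass of the rule decides: which monitored log sources have been silent for at least the threshold, and how a Response Limiter suppresses repeat emails for the same source within its window. The log source names and timestamps are constructed sample data.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

SILENCE_THRESHOLD_S = 3600  # rule default from the procedure above

# Constructed sample: last event seen per monitored log source (UTC).
SAMPLE_LAST_EVENT = {
    "fw-edge-01": datetime(2022, 11, 3, 9, 55, tzinfo=timezone.utc),
    "dc-01": datetime(2022, 11, 3, 8, 10, tzinfo=timezone.utc),
    "proxy-01": datetime(2022, 11, 3, 6, 0, tzinfo=timezone.utc),
}
# Three constructed evaluation times for the rule's scheduled passes.
PASS_1 = datetime(2022, 11, 3, 10, 0, tzinfo=timezone.utc)
PASS_2 = PASS_1 + timedelta(minutes=10)
PASS_3 = PASS_1 + timedelta(minutes=61)


def silent_sources(last_event, now, threshold_s=SILENCE_THRESHOLD_S):
    """Return {source: seconds_silent} for sources silent >= threshold_s."""
    result = {}
    for src, last_seen in last_event.items():
        silent_for = (now - last_seen).total_seconds()
        if silent_for >= threshold_s:
            result[src] = int(silent_for)
    return result


@dataclass
class ResponseLimiter:
    """Mirrors the Response Limiter: at most max_responses per window_s,
    tracked per log source so one noisy source cannot mask another."""
    max_responses: int = 1
    window_s: int = 3600
    _sent: dict = field(default_factory=dict)

    def allow(self, src, now):
        # Keep only responses still inside the window, then decide.
        recent = [t for t in self._sent.get(src, [])
                  if (now - t).total_seconds() < self.window_s]
        allowed = len(recent) < self.max_responses
        if allowed:
            recent.append(now)
        self._sent[src] = recent
        return allowed


def evaluate(last_event, now, limiter, threshold_s=SILENCE_THRESHOLD_S):
    """One pass of the rule: sources that get an email notification now."""
    return [src for src in silent_sources(last_event, now, threshold_s)
            if limiter.allow(src, now)]
```

On the sample data the first pass notifies for dc-01 and proxy-01 only, a pass ten minutes later sends nothing because the limiter is still within its window, and a pass an hour later notifies again and now also includes fw-edge-01.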


Document Information

Modified date:
03 November 2022

UID

swg21981697