
QRadar: Using Linux Networking Tools to troubleshoot Interfaces

Troubleshooting


Problem

If you see a notification on the Dashboard about packet or network issues, you can troubleshoot the interface remotely without going to the data center.

Cause

Several things can influence the I/O coming across the LAN, including the cable, the switch port, firewalls, network activity, or even the Network Interface connection itself. This technote describes how to troubleshoot these issues.

Resolving The Problem

Before you begin:
Should any of these tests show Networking issues, you might require the assistance of your Network Administrator.
  1. Use an SSH connection to verify that you have connectivity. This verifies the status of port 22 and that you can connect to the Appliance.
    1. Using an SSH client such as PuTTY, connect to the Console as the root user.
    2. From the Console, SSH to the Managed Host listed in the Dashboard notification.
  2. If, from Step 2, you cannot SSH to either the Console or the Managed Host, use a Management Interface such as an IMM or iDRAC.
  3. Check the active Network Interface by using either the command ifconfig or ip add.

    QRadar 7.2.8 Versions use ifconfig

    • Type from the command prompt ifconfig to locate the active network interfaces.

    QRadar 7.3 Versions use ip add

    • Type from the command prompt ip add to locate the active network interfaces.
    • The thing to look for is the Ethernet Interface, which in this example is ens3.
    • Check the Network Address configuration to make sure the IP Addresses are configured correctly.
    • Check the transmission speed. In this example we have a Gigabit connection.
    • In the ifconfig example, you can also look at the TX and RX statistics. To get the same statistics with the ip command, type:
      ip -s link

      Note:
      QRadar 7.3.x uses Predictable Network Interface Names that start with en[letter][number].
      In QRadar Version 7.2.x, the Network Interface name will start with eth[number].
  4. Verification after locating the Network interface

    Using ethtool

    • Type ethtool <interface>, for example:
      ethtool eth0

      Things to look for are Speed, Duplex, Port, and Link detected.
    • You can get more statistics by using ethtool -S <interface>, for example:
      ethtool -S eth0

      From this you can get more detailed statistics, such as whether you are dropping packets or seeing TX or RX errors.
  5. You can look at the active connections by using the netstat command.
    1. To display all active connections, type netstat -nap
    2. To search for specific information, use the command netstat -nap | grep <port>
  6. To check the 10 Gbps SFP+ connector module and ensure that the module is installed, verify the type, brand, and technical specifications:
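The checks in steps 3 to 5 can be scripted over the same SSH session instead of being read by eye. The script below is an added example, not part of the IBM technote: each function reads the text that ip -s link show <iface>, ethtool <iface> or netstat -nap prints on stdin and reduces it to a verdict (non-zero error or drop counters, a missing link or half duplex, whether a TCP port is actually in LISTEN). The interface name ens3, the counter values, addresses and PIDs in the samples are constructed so the script runs offline; on a live host the samples are replaced by the real commands.

```shell
#!/bin/sh
# Added example, not part of the IBM technote. Summarises interface health
# from the text that `ip -s link show <iface>`, `ethtool <iface>` and
# `netstat -nap` print, so the checks from the steps above can be scripted
# over an SSH session. Each function reads command output on stdin; the
# samples below are constructed and stand in for a live host.

# Constructed `ip -s link show ens3` output (values are made up).
SAMPLE_IP_LINK=$(cat <<'EOF'
2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 52:54:00:12:34:56 brd ff:ff:ff:ff:ff:ff
    RX: bytes  packets  errors  dropped overrun mcast
    123456789  987654   0       12      0       0
    TX: bytes  packets  errors  dropped carrier collsns
    98765432   654321   3       0       0       0
EOF
)

# Constructed `ethtool ens3` output, trimmed to the lines the checks use.
SAMPLE_ETHTOOL=$(cat <<'EOF'
Settings for ens3:
        Supported ports: [ TP ]
        Supported link modes:   1000baseT/Full
        Speed: 1000Mb/s
        Duplex: Full
        Port: Twisted Pair
        Auto-negotiation: on
        Link detected: yes
EOF
)

# Constructed `netstat -nap` output (addresses and PIDs are made up).
SAMPLE_NETSTAT=$(cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1234/sshd
tcp        0      0 10.0.0.5:22             10.0.0.9:51514          ESTABLISHED 5678/sshd: root
tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN      2345/postgres
udp        0      0 0.0.0.0:514             0.0.0.0:*                           3456/syslog
EOF
)

# ip_link_errors: print "rx_errors rx_dropped tx_errors tx_dropped" from
# `ip -s link show <iface>`. The numbers sit on the line after each
# "RX:"/"TX:" header, in the errors (3rd) and dropped (4th) columns.
ip_link_errors() {
    awk '
        /^[ \t]*RX:/ { getline; rx_err = $3; rx_drop = $4 }
        /^[ \t]*TX:/ { getline; tx_err = $3; tx_drop = $4 }
        END { printf "%s %s %s %s\n", rx_err, rx_drop, tx_err, tx_drop }
    '
}

# counters_verdict: turn the four counters into CLEAN or DEGRADED.
# Non-zero errors or drops are what the technote says to look for.
counters_verdict() {
    read rx_err rx_drop tx_err tx_drop
    if [ "$rx_err" = 0 ] && [ "$rx_drop" = 0 ] && [ "$tx_err" = 0 ] && [ "$tx_drop" = 0 ]; then
        echo "CLEAN"
    else
        echo "DEGRADED rx_err=$rx_err rx_drop=$rx_drop tx_err=$tx_err tx_drop=$tx_drop"
    fi
}

# ethtool_verdict: NO-LINK when "Link detected" is not yes, HALF-DUPLEX when
# the link negotiated half duplex, otherwise OK with the negotiated speed.
ethtool_verdict() {
    awk -F': *' '
        /^[ \t]*Speed:/         { speed = $2 }
        /^[ \t]*Duplex:/        { duplex = $2 }
        /^[ \t]*Link detected:/ { link = $2 }
        END {
            if (link != "yes")    { print "NO-LINK"; exit }
            if (duplex != "Full") { print "HALF-DUPLEX " speed; exit }
            print "OK " speed
        }
    '
}

# netstat_listening PORT: exit 0 if a TCP socket is in LISTEN on PORT in
# `netstat -nap` output, 1 otherwise (the "grep <port>" step made exact, so
# that port 22 does not match 2200 or a foreign-address port).
netstat_listening() {
    awk -v port="$1" '
        $1 ~ /^tcp/ && $6 == "LISTEN" { sub(/.*:/, "", $4); if ($4 == port) found = 1 }
        END { exit (found ? 0 : 1) }
    '
}

# Stand-alone run over the constructed samples. On a live host replace each
# printf with the real command, e.g. `ip -s link show ens3 | ip_link_errors`.
# For step 6 (SFP+ module type and vendor), `ethtool -m <iface>` prints the
# module EEPROM; that is a standard ethtool option, not one shown on the page.
printf '%s\n' "$SAMPLE_IP_LINK" | ip_link_errors | counters_verdict
printf '%s\n' "$SAMPLE_ETHTOOL" | ethtool_verdict
if printf '%s\n' "$SAMPLE_NETSTAT" | netstat_listening 22; then
    echo "port 22: LISTEN"
else
    echo "port 22: not listening"
fi
```

The three verdicts map directly onto the things the steps say to look for: ip_link_errors and counters_verdict cover the TX/RX error and dropped counters, ethtool_verdict covers Speed, Duplex and Link detected, and netstat_listening replaces the loose grep with an exact match on the local port in the LISTEN state, which also stops an ESTABLISHED connection whose remote port happens to contain the digits from counting as a listener.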


For more information on the netstat command, refer to the IBM Knowledge Center article "Searching for ports in use by QRadar".

Results: Using these tests, you can perform basic troubleshooting of the network interface.


Document Information

Modified date:
09 July 2019

UID

swg21997106