IBM Support

QRadar: Troubleshooting Managed Hosts that do not Display on the Dashboard EPS Graph

Troubleshooting


Problem

The EPS graph on the Dashboard tab of the Console is not displaying one of the managed hosts in the deployment. What can I review to determine the problem?

Symptom

EPS dashboard missing item.

Cause

The most common cause of a managed host not reporting EPS statistics is an issue in the syslog-ng service.

Diagnosing The Problem

If the EPS graph on the Dashboard tab is not properly displaying results from a specific managed host in the network, administrators can review for the following:

  1. Verify that the syslog-ng service is running on the appliance.

    a. Using SSH, log in as the root user on the Console.
    b. SSH from the Console to the managed host that is not displaying EPS data from the dashboard.
    c. Type service syslog-ng status.
    d. If the service displays stopped, then administrators can type service syslog-ng start.
  2. Verify that the syslog-ng symlink is pointing to the correct location by running the ls -l /etc/init.d/ command.
  3. Verify that StatFilter packets are being sent to the Console.

    a. Using SSH, log in as the root user on the Console.
    b. SSH from the Console to the managed host that is not displaying EPS data from the dashboard.
    c. To review syslog events from the managed host, type the following command, where console_ip is the IP address of the Console: tcpdump -nnAs0 host console_ip and port 514
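
The three checks above can be combined into one pass on the managed host. The script below is an added example, not IBM's own tooling. It assumes StatFilter packets carry the literal string "StatFilter" in their payload; the function names, the sample capture and the 192.0.2.x addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the technote). Run as root on the managed host.
# Assumption: StatFilter packets contain the literal text "StatFilter".

# Read `tcpdump -nnA` text on stdin and count packets sent to
# <console_ip>:514 whose ASCII payload mentions StatFilter (once per packet).
count_statfilter() {
    awk -v dst="$1.514:" '
        / IP / && $1 ~ /^[0-9][0-9]:/ { to_console = ($5 == dst); counted = 0 }
        to_console && !counted && /StatFilter/ { n++; counted = 1 }
        END { print n + 0 }'
}

# Live check: service state, init.d symlink target, then a time-bounded capture.
# Usage inside this script: check_host <console_ip> [seconds]
check_host() {
    console_ip=$1; seconds=${2:-60}
    service syslog-ng status
    ls -l /etc/init.d/ | grep syslog-ng
    # -l line-buffers tcpdump output so nothing is lost when timeout ends it.
    n=$(timeout "$seconds" tcpdump -l -nnAs0 host "$console_ip" and port 514 \
        2>/dev/null | count_statfilter "$console_ip")
    echo "StatFilter packets to $console_ip:514 in ${seconds}s: $n"
    [ "$n" -gt 0 ]   # non-zero exit status when nothing reached the Console
}

# Constructed sample of tcpdump -nnA output (not a real capture).
sample_capture() {
    cat <<'EOF'
12:00:01.000001 IP 192.0.2.20.40001 > 192.0.2.10.514: SYSLOG local0.info, length: 60
E..X....@.....<13>Jan  1 12:00:01 mh01 StatFilter StatFilter (constructed)
12:00:02.000001 IP 192.0.2.20.40001 > 192.0.2.10.514: SYSLOG local0.info, length: 50
E..N....@.....<13>Jan  1 12:00:02 mh01 some other event
12:00:03.000001 IP 192.0.2.10.514 > 192.0.2.20.40001: SYSLOG local0.info, length: 60
E..X....@.....<13>Jan  1 12:00:03 console StatFilter (wrong direction)
12:00:04.000001 IP 192.0.2.20.40001 > 192.0.2.10.514: SYSLOG local0.info, length: 60
E..X....@.....<13>Jan  1 12:00:04 mh01 StatFilter (constructed)
EOF
}

# Offline demonstration on the constructed sample.
echo "sample: $(sample_capture | count_statfilter 192.0.2.10) StatFilter packet(s)"
```

A count of zero over a full capture window, with syslog-ng reported as running, points at the forwarding path rather than the service itself.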

Resolving The Problem

To resolve the issue, administrators need to restart the syslog-ng service.

  1. Using SSH, log in as the root user on the Console.
  2. SSH from the Console to the managed host that is not displaying EPS data from the dashboard.
  3. Type service syslog-ng status.
  4. If the service displays stopped, then administrators can type service syslog-ng start.

If the issue persists or the syslog-ng server cannot start properly, then administrators can contact customer support for assistance.




Product: IBM Security QRadar SIEM. Component: Dashboard. Platform: Linux. Version: 7.1, 7.2.

Document Information

Modified date:
16 June 2018

UID

swg21671700