Question & Answer
Administrators can troubleshoot whether QRadar is receiving Syslog events by using several tools built into the QRadar appliance. A common technique to prove the appliance interface is receiving data is using a utility called tcpdump. This utility allows the administrator to define the interface, port, source, or destination IP addresses for the Syslog data being sent and writes the packet data on-screen to help users determine whether QRadar receives events.
Before you begin
Before troubleshooting whether events are reaching QRadar, review the event source that is sending Syslog events and verify its IP address. The Syslog destination configured on your device is the appliance where you need to troubleshoot: the tcpdump command must be run on the appliance that receives the events from your device.
Note: By default, QRadar appliances are configured to listen for Syslog events on TCP and UDP port 514. There is no need to touch the firewall on your QRadar device.
Troubleshooting events with Tcpdump
The following command allows administrators to review the full Syslog header for events coming from a remote source.
- Using SSH, log in to your QRadar Console as root.
- Optional. If the Syslog destination is another appliance, such as an Event Collector appliance, SSH to the event collector.
- Type one of the following commands:
- For TCP Syslog, type:
tcpdump -s 0 -A host Device_Address and port 514
- For UDP Syslog, type:
tcpdump -s 0 -A host Device_Address and udp port 514
For example, to capture TCP Syslog from a device at x.x.x.x, type:
tcpdump -s 0 -A host x.x.x.x and port 514
Follow procedure A or B, depending on your results.
A: I do not see any events
If you do not see any events in the command line, it is likely that the device is not sending Syslog events or a firewall is blocking communication. Use the following steps to resolve the issue.
- Verify with your firewall administrator or operations group whether any firewalls are blocking communication between the QRadar appliance and the device sending Syslog events. Typically, an easy method to verify whether a TCP port is open is to telnet from QRadar to the device. To do this, from the QRadar command line, enter the following command:
telnet QRadar_Event_Collector_IPAddress 514
- Review the Syslog configuration of your remote device to ensure that it is configured to send events to the appropriate QRadar appliance.
- If the remote appliance is Linux or UNIX-based, administrators can verify that the event source is sending data to the QRadar appliance with the following command, run on the event source:
tcpdump dst QRadar_Appliance_IPAddress
If the issue persists, contact support.
B: The command line is listing events from my device
If the tcpdump command displays results with the full Syslog header and event payloads, take the following steps.
- Review your system notifications. A system notification is created when QRadar cannot automatically discover a log source. Administrators can review the hostname or IP address outlined in the system notification to determine what address QRadar thinks is the source address for the log source. Manually creating a log source is typically required. Depending on what the System notification indicates, the Log Source Identifier field might need to be updated with either a hostname or IP address.
- Verify whether the device supports automatic discovery in QRadar. The DSM Configuration Guide has an appendix that lists what Device Support Modules (DSMs) allow automatic log source creation. For more information, see the DSM Configuration Guide: Documentation link list on the QRadar Customer Forum.
- The Syslog header might include an unexpected IP address, or the log source might be misconfigured.
- When reviewing the tcpdump results, note the hostname in the Syslog header. If there is no hostname in the Syslog header, then note the packet IP address.
- From the Admin tab of your QRadar Console, open the Log Sources window and search for the hostname or IP address from the event payload.
If you do not find the expected address of your device in the search, then the log source might have an unexpected address. Your event payload indicates what value QRadar uses as the source address. This can occur when the event source handles events from multiple devices or substitutes an unexpected value into the Syslog header. This is uncommon but does happen on specific devices. For example, a device that forwards events from other devices can preserve the original event IP address in the header before sending the Syslog event. Read more: How QRadar determines a hostname or IP from an event.
- Search for a unique payload value in the Log Activity tab. Review the raw payloads from tcpdump and select a keyword you think is unique to your event source. Then, perform a search to look for the unique value.
- Click the Log Activity tab.
- Select the Quick Filter search option.
Note: For more information on using the Quick Filter for searches, see: Searching Your QRadar Data Efficiently: Part 1 - Quick Filters.
- In the search bar, type any unique value appearing in your payload.
- Review the search results.
The search returns any events whose payload contains the value entered in the Quick Filter. Review these events, because they might appear under a different log source, which indicates a false positive in auto-detection or an issue with an extension. In this case, go to the Admin tab > Log Sources and delete the log source that was not auto-detected properly. If the log source is discovered incorrectly, verify that your Console has the latest DSM version installed. Administrators can compare their RPM version against IBM Fix Central, then let the log source be rediscovered.
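The two manual checks in procedure B (take the hostname from the Syslog header, fall back to the packet IP address when there is none, then look that value up among your configured log sources) can be applied to a batch of captured payloads at once. The following Python script is an added example for this page, not IBM code and not QRadar's own parsing logic. It assumes you have copied the packet source address and ASCII payload off the `tcpdump -s 0 -A` output; the sample events, the RFC 3164-shaped header pattern, and the set of configured Log Source Identifiers are all constructed for illustration and must be replaced with values from your own Console.

```python
import ipaddress
import re
from dataclasses import dataclass

# RFC 3164-shaped header: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG: message.
# This pattern only illustrates the header fields the procedure tells you
# to read; it is an assumption for this example, not QRadar's parser.
RFC3164_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<rest>.*)$"
)


@dataclass
class CapturedEvent:
    """One Syslog message as read off `tcpdump -s 0 -A` output."""
    src_ip: str    # packet source address printed on the tcpdump summary line
    payload: str   # ASCII payload that follows it


def _is_ip(value):
    """True when `value` is an IPv4/IPv6 literal rather than a hostname."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def header_identity(event):
    """Return (identity, origin) for one captured event.

    Mirrors the manual step: use the hostname in the Syslog header when
    there is one, otherwise fall back to the packet IP address.
    """
    m = RFC3164_RE.match(event.payload)
    if m:
        return m.group("host"), "header"
    return event.src_ip, "packet"


def triage(events, configured_identifiers):
    """Compare each event's identity with the Log Source Identifiers you
    would otherwise search for by hand in Admin > Log Sources."""
    results = []
    for ev in events:
        identity, origin = header_identity(ev)
        results.append({
            "src_ip": ev.src_ip,
            "identity": identity,
            "origin": origin,
            # An IP literal in the header that differs from the sending packet
            # means the device relays or rewrites the header (the uncommon case
            # described above). A hostname cannot be compared without DNS.
            "mismatch": origin == "header" and _is_ip(identity) and identity != ev.src_ip,
            "configured": identity in configured_identifiers,
        })
    return results


# Constructed sample capture (RFC 5737 documentation addresses, not real hosts).
SAMPLE_EVENTS = [
    CapturedEvent("192.0.2.10",
                  "<134>Aug 18 10:15:01 fw-edge-01 kernel: DROP IN=eth0 SRC=203.0.113.9"),
    # Relay case: the packet comes from 192.0.2.20 but the header names the original host.
    CapturedEvent("192.0.2.20",
                  "<13>Aug 18 10:15:02 198.51.100.7 sshd[1234]: Accepted publickey for ops"),
    # No RFC 3164 header at all, so only the packet address identifies it.
    CapturedEvent("192.0.2.30",
                  "app started, version 4.2"),
]

# Constructed stand-in for the identifiers configured on the Console.
CONFIGURED_IDENTIFIERS = {"fw-edge-01", "192.0.2.20"}


def report(events=SAMPLE_EVENTS, configured=CONFIGURED_IDENTIFIERS):
    """Print one line per event in the shape an administrator would check
    against the Log Sources window, and return the triage rows."""
    rows = triage(events, configured)
    for r in rows:
        status = "configured" if r["configured"] else "NO LOG SOURCE"
        note = " (header IP differs from packet IP)" if r["mismatch"] else ""
        print(f"{r['src_ip']:<14} -> {r['identity']:<16} from {r['origin']:<6} {status}{note}")
    return rows


if __name__ == "__main__":
    report()
```

In the sample output the second event is the case the text warns about: the log source is configured with the packet address 192.0.2.20, but the header carries 198.51.100.7, so a search on the packet address in the Log Sources window would not match what QRadar reads from the payload. The third event has no header, so its identity is the packet address, which is not configured at all and is the candidate for a manually created log source.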
18 August 2023