Events are not being sent from my XGS to QRadar.
IBM Security Network Protection status in Error.
Resolving The Problem
This is a brief, high level overview that can help troubleshoot issues between QRadar and the IBM Security Network Protection Appliance (XGS).
1. Verify your XGS setup. Confirm that QRadar has been configured as a Response Object on the XGS and that the Response Object has been added to your policies.
2. Verify your QRadar setup. In the QRadar user interface, click the Admin tab > Log Sources and verify that your XGS Log Source is listed, is enabled, shows a status of Success, and has the correct IP address. If the status is not Success, continue to step 3. Otherwise, QRadar is receiving events from the XGS.
3. Verify that the XGS is sending events by using tcpdump. On the XGS, tcpdump is found under tools > capture > minterface (Management Interface). You should see events going to your QRadar appliance.
4. Verify that QRadar is receiving events by using the tcpdump command. On the QRadar appliance, enter:
   tcpdump -s 0 host <IP address of the XGS or GX> and port 514
   (Port 514 is the standard syslog port.)
If you see events leaving the XGS but QRadar is not receiving them:
- Check that port 514 is open and listening on QRadar.
- If port 514 is open and listening, the problem is that your network is blocking traffic between the two appliances.
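As an added example (not part of the IBM technote), the following POSIX shell script runs the QRadar-side checks from step 4 onward and prints the verdict the steps above describe. It assumes ss(8) and tcpdump(8) are available on the QRadar console, root privileges for the live capture, and uses 192.0.2.10 as a constructed placeholder for the XGS address.

```shell
#!/bin/sh
# Added example, not IBM's code: applies the technote's decision tree on the
# QRadar side. Assumes ss(8) and tcpdump(8) are installed, root privileges for
# the live capture, and syslog from the XGS arriving on port 514 (UDP or TCP).

# Count sockets listening on port 514 in `ss -lntu` output read from stdin.
count_514_listeners() {
    awk '$1 ~ /^(udp|tcp)$/ && $5 ~ /:514$/ { n++ } END { print n + 0 }'
}

# Count packets from the XGS to port 514 in `tcpdump -nn` output read from
# stdin. $1 = XGS IP address. grep -c exits 1 on zero matches, hence || true.
count_xgs_packets() {
    grep -c "IP $1\.[0-9]* > [0-9.]*\.514:" || true
}

# Verdict per the technote: packets arriving -> QRadar is receiving, so check
# the Log Source; none arriving and nothing listening -> open port 514;
# listening but silent -> the network between the appliances is blocking it.
# $1 = listener count, $2 = packet count.
diagnose() {
    if [ "$2" -gt 0 ]; then
        echo "receiving: QRadar sees XGS events on port 514; check the Log Source IP and status"
    elif [ "$1" -eq 0 ]; then
        echo "not-listening: nothing on QRadar is bound to port 514"
    else
        echo "blocked: port 514 is listening but no XGS packets arrive; the network is blocking traffic"
    fi
}

# Live run on the QRadar console:  ./check_xgs_feed.sh --live <XGS IP>
main() {
    listeners=$(ss -lntu | count_514_listeners)
    # Stop after 5 packets or 15 seconds; one XGS event is enough to decide.
    packets=$(timeout 15 tcpdump -nn -i any -c 5 host "$1" and port 514 2>/dev/null \
              | count_xgs_packets "$1")
    diagnose "$listeners" "$packets"
}

if [ "${1:-}" = "--live" ] && [ -n "${2:-}" ]; then
    main "$2"
fi
```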
For configuring XGS appliances to forward events to QRadar, refer to the following document:
Configuring QRadar SIEM to forward advanced threat protection alerts to IBM Security Network Protection (XGS) appliances
16 June 2018