IBM Support

QRadar: Troubleshooting Communication between QRadar and IBM Security Network Protection Appliance XGS



Events are not being sent from my XGS to QRadar.


IBM Security Network Protection status in Error.

Resolving The Problem

This is a brief, high level overview that can help troubleshoot issues between QRadar and the IBM Security Network Protection Appliance (XGS).

  1. Verify your XGS Setup. To do this, you need to verify QRadar has been set up as a Response Object, and the Response Object has been added to your policies.

  2. Verify your QRadar setup. From the QRadar user interface click on Admin tab > Log Sources and verify your XGS Log Source is listed, enabled, shows success, and has the correct IP. If the status does not show Success continue to step 3. Otherwise, QRadar is receiving events from the XGS.

  3. Verify that the XGS is sending events by using tcpdump. On the XGS, tcpdump is found under tools > capture > minterface (Management Interface). You should see events going to your QRadar appliance.

  4. Verify that QRadar is receiving events with the tcpdump command.

    Enter the command tcpdump -s 0 host (ip of XGS/gx) and port 514 (standard syslog port).

Note: The example below shows an event correctly sent from XGS and received by QRadar. While running tcpdump on QRadar, look for LEEF in the raw payload. If you don't see LEEF in your raw payload, then you know LEEF format has not been enabled on your XGS. Having LEEF disabled will not prevent events from being sent, but it will prevent the events from being parsed correctly. If all of these steps have passed, then you know the XGS is working properly.

If you see events leaving the XGS, but not being received by QRadar.

  1. Check to make sure port 514 is open and receiving on QRadar.

  2. If it is open and listening, then the problem is that your network is blocking traffic between these two appliances.

Please refer to this Document on Configuring XGS appliances to forward events to QRadar.

Configuring QRadar SIEM to forward advanced threat protection alerts to IBM Security Network Protection (XGS) appliances

Where do you find more information?

[{"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Component":"Integrations - IBM","Platform":[{"code":"PF016","label":"Linux"}],"Version":"Version Independent","Edition":"All Editions","Line of Business":{"code":"LOB24","label":"Security Software"}}]

Document Information

Modified date:
16 June 2018