IBM Support

QRadar: How to troubleshoot Communication between QRadar and your IBM Security Network Intrusion Prevention System (GX)



No events being received from your GX in QRadar.

Resolving The Problem

  1. Verify your GX setup. From the GX web user interface, click Manage System Settings > Appliance > Leef Log forwarding (syslog). Click the Enable Local Log check box. Once you've made the change, the leef.log will start populating with events to send to QRadar.

  2. Verify your QRadar setup. From the QRadar web user interface, click the Admin tab > Log Sources and verify that your GX is listed as a Log Source, is enabled, shows success, and has the correct IP. If it is in Error status, continue to step 3.

  3. Verify that the GX is creating events to send by investigating the file /var/iss/leef.log. All events to be forwarded to QRadar are written to this file. They remain unchanged in format from the time they leave the GX to the time they are received on QRadar. The example below shows a typical leef.log.

  4. Verify QRadar is receiving events with the tcpdump command. This example shows a typical event being received by QRadar from an XGS.

    The command is: tcpdump -s 0 host (IP of GX) and port 514 (514 is the standard syslog port).

    The events will be stored on QRadar in /store/ariel/events/payloads/(year)/(month)/(day)/(hour).
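    The following POSIX shell helpers wrap checks 3 and 4 above so they can be repeated quickly while troubleshooting. This is an added example, not IBM's own tooling: the file path, payload directory layout and port come from the steps above; the sample LEEF line, the non-zero-padded date directories and the GX IP are assumptions.

```shell
#!/bin/sh
# Added helpers for the GX -> QRadar checks above (not IBM tooling).
# Paths and port 514 follow the article; everything else is assumed.

LEEF_LOG=/var/iss/leef.log                     # step 3: GX-side event file
ARIEL_PAYLOADS=/store/ariel/events/payloads    # step 4: QRadar-side storage
SYSLOG_PORT=514

# Constructed sample of a syslog-wrapped LEEF event (not a real GX capture).
SAMPLE_LEEF_LINE='Jun 16 14:02:11 gx01 LEEF:1.0|ISS|Proventia Network IPS|X.Y|Sample_Event|src=192.0.2.10'

# Field 5 of the LEEF header is the event ID; compare it on the GX and in the
# QRadar payload to confirm the event arrived unchanged.
leef_event_id() {
    printf '%s\n' "$1" | sed 's/.*LEEF:/LEEF:/' | cut -d '|' -f 5
}

# Number of LEEF events in a log file (0 for a missing file). grep -c exits 1
# when the count is 0, so mask that for callers running under set -e.
count_leef_events() {
    [ -f "$1" ] || { echo 0; return 0; }
    grep -c 'LEEF:[0-9]' "$1" || true
}

# Step 3: is leef.log still being written? Prints the number of new events
# over the interval (seconds, default 10) and succeeds only if the file grew.
leef_log_growing() {
    before=$(count_leef_events "$1")
    sleep "${2:-10}"
    after=$(count_leef_events "$1")
    echo $((after - before))
    [ "$after" -gt "$before" ]
}

# Step 4: payload directory for a timestamp; QRadar's layout is
# (year)/(month)/(day)/(hour) and, by assumption here, not zero-padded.
payload_dir_for() {
    echo "$ARIEL_PAYLOADS/$1/${2#0}/${3#0}/${4#0}"
}
current_payload_dir() {
    payload_dir_for $(date '+%Y %m %d %H')
}

# Step 4: the article's tcpdump, bounded to N packets so it exits on its own
# (needs root on the QRadar host; port 514 matches both UDP and TCP syslog).
capture_gx_syslog() {
    tcpdump -nn -s 0 -c "${2:-5}" host "$1" and port "$SYSLOG_PORT"
}
```

    Source the file on the GX to run leef_log_growing "$LEEF_LOG", and on the QRadar host to run capture_gx_syslog 192.0.2.10 3 (an assumed GX address) and ls "$(current_payload_dir)".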



Document Information

Modified date:
16 June 2018