Question & Answer
Question
Why does QRadar Health no longer show graphic metrics, or just display "No Data Available"?
Cause
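Each managed host logs its own health data to /var/log/qradar-health.log, and this data is sent via syslog on port 514 to the Health Metrics log source on the QRadar Console. When that data is not generated or does not reach the Console, the Health view has nothing to display.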
Answer
Testing the Health Console using CLI
Check connectivity from the Managed Host to QRadar Console on port 514. You can use the telnet command to confirm connectivity if this isn't a tunneled deployment.
telnet <QRadar_Managed_Host> 514
You can also confirm that health data is being generated by checking /var/log/qradar-health.log on the QRadar Console or on the Managed Host in question. If data is being written, run tcpdump on the QRadar Console to confirm that it is being forwarded.
Checking a non-tunneled MH on eth0:
tcpdump -nnAs0 -i eth0 port 514 | grep QRadarHealthMetric
or
tcpdump -nnAs0 -i eth0 port 514 | grep HostName=<hostname_from_managed_host>
Checking a tunneled MH:
tcpdump -nnAs0 -i lo port 514 | grep QRadarHealthMetric
or
tcpdump -nnAs0 -i lo port 514 | grep HostName=<hostname_from_managed_host>
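To check every managed host at once instead of grepping one host name at a time, the tcpdump output can be saved to a file and compared against a list of expected hosts. The script below is an added example, not part of the IBM technote; the host names, file names and payload layout of the sample lines are constructed, and it assumes QRadarHealthMetric and HostName= appear on the same payload line.

```shell
#!/bin/sh
# Added example, not IBM code. Input is text saved from the tcpdump commands above,
# e.g. `tcpdump -nnAs0 -i eth0 port 514 > capture.txt`.
# Assumption: QRadarHealthMetric and HostName=<host> sit on the same payload line.

# Print "<count> <host>" for each HostName= value on QRadarHealthMetric lines.
health_senders() {
    grep -a 'QRadarHealthMetric' "$1" |
        sed -n 's/.*HostName=\([A-Za-z0-9._-]*\).*/\1/p' |
        sort | uniq -c | awk '{print $1, $2}'
}

# Print each host listed in file $1 (one per line) that is absent from capture $2.
silent_hosts() {
    seen=$(health_senders "$2" | awk '{print $2}')
    while IFS= read -r host; do
        [ -n "$host" ] || continue
        printf '%s\n' "$seen" | grep -qxF -- "$host" || printf '%s\n' "$host"
    done < "$1"
}

# Constructed sample data (hypothetical host names, made-up payload layout).
write_sample() {
    cat > "$1/capture.txt" <<'EOF'
10:00:01.000001 IP 192.0.2.11.40112 > 192.0.2.1.514: SYSLOG local0.info, length: 96
E..|..@.@...<134>mh-ep01 [QRadarHealthMetric] HostName=mh-ep01 Metric=constructed
10:00:02.000001 IP 192.0.2.12.51514 > 192.0.2.1.514: SYSLOG auth.info, length: 60
E..X..@.@...<38>fw01 sshd[991]: session opened HostName=fw01
10:00:03.000001 IP 192.0.2.11.40112 > 192.0.2.1.514: SYSLOG local0.info, length: 96
E..|..@.@...<134>mh-ep01 [QRadarHealthMetric] HostName=mh-ep01 Metric=constructed
10:00:04.000001 IP 192.0.2.13.40200 > 192.0.2.1.514: SYSLOG local0.info, length: 96
E..|..@.@...<134>mh-fp01 [QRadarHealthMetric] HostName=mh-fp01 Metric=constructed
EOF
    printf '%s\n' mh-ep01 mh-fp01 mh-dn01 > "$1/expected.txt"
}

tmp=$(mktemp -d)
write_sample "$tmp"
health_senders "$tmp/capture.txt"
echo "silent: $(silent_hosts "$tmp/expected.txt" "$tmp/capture.txt")"
rm -rf "$tmp"
```

A host reported as silent is the one to check next for a stale /var/log/qradar-health.log or blocked port 514; the fw01 line in the sample shows why ordinary syslog traffic on the same port is not counted.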
Testing the Health Console from the Log Activity tab
- Log in to the QRadar User Interface.
- Click Log Activity.
- Click Advanced Search.
- Add this search.
select QIDDESCRIPTION(qid) AS EventName, logsourcename(logsourceid) as LogSource, sum(eventcount) / (( max(endTime) - min(startTime)) / 1000 ) as EPS from events WHERE LOGSOURCENAME(logsourceid) ILIKE '%%health%%' group by logsourceid order by EPS desc
Note: This is one line.
Document Information
Modified date:
16 June 2018
UID
swg21991573