IBM Support

QRadar: Confirm connectivity for QRadar Health Console

Question & Answer


Question

Why does QRadar Health no longer show graphic metrics, or just display "No Data Available"?

Cause

Each managed host logs individually to /var/log/qradar-health.log, and this is the information that is sent via syslog on port 514 to a QRadar Console Health Metrics log source.

Answer

Testing the Health Console using CLI


Check connectivity from the Managed Host to the QRadar Console on port 514. If this isn't a tunneled deployment, you can use the telnet command to confirm connectivity.

telnet <QRadar_Managed_Host> 514

You can also confirm that Health data is being generated by looking at /var/log/qradar-health.log on the QRadar Console or on the Managed Host in question. If data is being written, you can run tcpdump on the QRadar Console to confirm that the data is being forwarded.

Checking a non-tunneled MH on eth0:
tcpdump -nnAs0 -i eth0 port 514 | grep QRadarHealthMetric
or
tcpdump -nnAs0 -i eth0 port 514 | grep HostName=<hostname_from_managed_host>

Checking a tunneled MH:
tcpdump -nnAs0 -i lo port 514 | grep QRadarHealthMetric
or
tcpdump -nnAs0 -i lo port 514 | grep HostName=<hostname_from_managed_host>
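
When several managed hosts report to the same Console, the greps above can be turned into a per-host summary that names the hosts that are not forwarding. The following is an added example, not part of the IBM article or of QRadar; the function names, the sample hostnames and the sample line layout are assumptions, and it relies only on the two tokens the article greps for.

```shell
#!/bin/sh
# Added example, not IBM code. Summarises `tcpdump -nnAs0 ... port 514` text.
# Assumption: a health payload line carries both tokens the article greps for,
# "QRadarHealthMetric" and "HostName=<name>".

# stdin: capture text. stdout: "<count> <hostname>" per host, sorted by host.
health_hosts_seen() {
    awk '
        /QRadarHealthMetric/ {
            # Pull the value that follows HostName= (9 characters long).
            if (match($0, /HostName=[^ \t,;|]+/)) {
                seen[substr($0, RSTART + 9, RLENGTH - 9)]++
            }
        }
        END { for (h in seen) print seen[h], h }
    ' | sort -k2
}

# stdin: capture text. args: expected managed hosts.
# stdout: every expected host with no health metric line in the capture.
health_hosts_missing() {
    seen_hosts=$(health_hosts_seen | awk '{ print $2 }')
    for want in "$@"; do
        printf '%s\n' "$seen_hosts" | grep -qxF -- "$want" || printf '%s\n' "$want"
    done
}

# Constructed sample lines (hostnames and layout are invented for this demo,
# not real QRadar output); the header line shows non-payload text is ignored.
sample_capture() {
    cat <<'EOF'
12:00:01.000001 IP 192.0.2.11.40001 > 192.0.2.10.514: SYSLOG, length: 96
<13>QRadarHealthMetric HostName=mh-ep1.example.test sample=1
<13>QRadarHealthMetric HostName=mh-fp1.example.test sample=1
<13>OtherEvent HostName=mh-dn1.example.test sample=1
<13>QRadarHealthMetric HostName=mh-ep1.example.test sample=2
EOF
}

# Demo: mh-dn1 sent only a non-health event, so it is reported as missing.
sample_capture | health_hosts_missing \
    mh-ep1.example.test mh-dn1.example.test mh-fp1.example.test
```

The summary is printed only when the input ends, so on a live Console feed it a bounded capture, for example by giving tcpdump a packet count with -c.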

Testing the Health Console from the Log Activity tab

  1. Log in to the QRadar User Interface.
  2. Click Log Activity.
  3. Click Advanced Search.
  4. Add this search.
    select QIDDESCRIPTION(qid) AS EventName, logsourcename(logsourceid) as LogSource, sum(eventcount) / (( max(endTime) - min(startTime)) / 1000 ) as EPS from events WHERE LOGSOURCENAME(logsourceid) ILIKE '%%health%%' group by logsourceid order by EPS desc
    Note: This is one line.


Result: You can now tell whether QRadar Health Metric data is being written.


Document Information

Modified date:
16 June 2018

UID

swg21991573