IBM Support

QRadar: Log Sources are in Error status due to events not being received in over 720 minutes

Question & Answer


Question

How can you increase QRadar Syslog Event Timeout threshold?

Cause

Log Sources that do not send an event within 720 minutes display an error in the Status column.

Answer

The following error message appears in the Log Source:




To resolve this issue, there are a couple of options:
  1. To increase the Syslog Event Timeout threshold, go to Admin > System Settings > Advanced > Syslog Event Timeout (minutes):



  2. Administrators can also manually generate events from devices that do not send events to IBM Security QRadar SIEM within 720 minutes.

Note: IBM Security QRadar SIEM on Cloud customers will need to open a PMR with the support team to increase this value as they do not have access to these settings.


Where do you find more information?

[{"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Component":"Events","Platform":[{"code":"PF016","label":"Linux"}],"Version":"Version Independent","Edition":"","Line of Business":{"code":"LOB24","label":"Security Software"}}]

Document Information

Modified date:
16 June 2018

UID

swg21991768