Troubleshooting
Problem
When you run a search in Log Activity, private IP addresses are classified as Remote in the Direction field, for example in "L2R". The issue can affect both the source and the destination address.
Cause
To understand why this happens, you need to know how the Direction field is determined. QRadar uses the Network Hierarchy to decide what is Remote and what is Local. From the QRadar Console, you can open this configuration by going to Admin > Network Hierarchy.
If the IP is found in Network Hierarchy networks, then QRadar will consider this IP as Local. If not, then this IP will be displayed as Remote.
QRadar does not use public/private ranges for the Direction field, but Network Hierarchy instead.
Resolving The Problem
To change the behavior, add the network to the Network Hierarchy (don't forget to Deploy Changes to enable the new configuration).
Note: Country/Region is optional; you can link this private network to a country.
Once the Deploy Changes is complete, you will see the change in Log Activity.
Alternatively, if you have many networks and it is hard to check them in the Network Hierarchy, you can list the networks from the CLI with the following command:
- SSH into the QRadar Console as root.
- Run the following command:
psql -U qradar -c "select * from network order by cidr;"
This command lists the networks configured in Network Hierarchy, ordered by network.
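The following added example (not IBM code, and not how QRadar is implemented internally) models the rule described under Cause: an address is Local only if it falls inside a Network Hierarchy CIDR. It then reports RFC 1918 addresses that would be shown as Remote. The CIDR list and events are constructed sample values; in practice the CIDRs would come from the cidr column of the psql output above.

```python
import ipaddress

# Assumption: "private" means the RFC 1918 ranges.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample values standing in for the cidr column of the psql output.
HIERARCHY_CIDRS = ["10.10.0.0/16", "192.168.1.0/24"]
# Constructed (source, destination) pairs standing in for Log Activity events.
EVENTS = [
    ("10.10.5.20", "198.51.100.7"),
    ("10.10.5.20", "172.16.4.9"),
    ("192.168.50.3", "10.10.5.20"),
    ("192.168.1.15", "10.10.0.1"),
]

def load_hierarchy(cidrs):
    """Parse CIDR strings, skipping blank lines."""
    return [ipaddress.ip_network(c.strip(), strict=False) for c in cidrs if c.strip()]

def locality(ip, hierarchy):
    """Return 'L' if the address falls in any hierarchy network, else 'R'."""
    addr = ipaddress.ip_address(ip)
    return "L" if any(addr.version == n.version and addr in n for n in hierarchy) else "R"

def direction(src, dst, hierarchy):
    """Build the Direction value (L2L, L2R, R2L or R2R) for one event."""
    return f"{locality(src, hierarchy)}2{locality(dst, hierarchy)}"

def uncovered_private(events, hierarchy):
    """List RFC 1918 addresses seen in events that match no hierarchy network."""
    found = set()
    for pair in events:
        for ip in pair:
            addr = ipaddress.ip_address(ip)
            if locality(ip, hierarchy) == "R" and any(
                addr.version == n.version and addr in n for n in RFC1918
            ):
                found.add(addr)
    return [str(a) for a in sorted(found)]

HIERARCHY = load_hierarchy(HIERARCHY_CIDRS)

if __name__ == "__main__":
    for src, dst in EVENTS:
        print(f"{src:>15} -> {dst:<15} {direction(src, dst, HIERARCHY)}")
    print("Private addresses missing from the hierarchy:", uncovered_private(EVENTS, HIERARCHY))
```

Each address in the final list belongs to a network that is a candidate for adding to the Network Hierarchy.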
Document Location
Worldwide
Document Information
Modified date:
16 February 2021
UID
ibm16408650