How To
Summary
Configuring "Syslog event timeout" for each type of log source is not possible. However, you can identify the log sources that are not sending data by creating a daily report that you can configure.
Steps
Configure the report so that its time frame matches the Syslog Event Timeout (minutes) value in System Settings.
- Log in to the QRadar UI as Administrator.
- On the navigation menu, click the Report tab.
- Click the Actions button and select Create.
- In the Report Wizard, select the time period you want to report on > click Next.
- Select scheduled to generate the report > click Next.
- Select a Layout > click Next.
- Enter a Report Title and set Chart Type to Log Source.
- Create a Chart Title.
- In the Log Sources section, select the log sources you want to report on. (You can check the box for All log sources.)
- Scroll to the bottom of the window to the Data Options field, check the "Only include log sources that have not reported for" box, and set the time frame to match the Syslog Event Timeout threshold configured in System Settings.
- Click Save Container Details > click Next.
- Review the layout > click Next.
- Select the report format > click Next.
- Select the report distribution channel > click Next.
- Create a report description > click Next.
- Report Summary > click Finished.
Result: You have a report identifying the Log Sources that trigger the Syslog event timeout message.
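The same check expressed outside the report wizard, as an added example that is not part of the original IBM document: a Python sketch that takes log source records and flags the enabled ones with no event inside the timeout window. The record fields (`name`, `enabled`, `last_event_time` in epoch milliseconds), the sample data and the 720-minute timeout are assumptions constructed for illustration; skipping disabled sources and listing never-reporting sources first are choices of this example, not documented report behaviour.

```python
import json

# Constructed sample records; field names are assumptions, not taken from the page.
SAMPLE_LOG_SOURCES = json.loads("""
[
  {"id": 101, "name": "fw-edge-01", "enabled": true,  "last_event_time": 1700000000000},
  {"id": 102, "name": "dc-win-02",  "enabled": true,  "last_event_time": 1699950000000},
  {"id": 103, "name": "proxy-old",  "enabled": false, "last_event_time": 1690000000000},
  {"id": 104, "name": "new-vpn-gw", "enabled": true,  "last_event_time": 0}
]
""")


def silent_log_sources(log_sources, timeout_minutes, now_ms):
    """Return enabled log sources with no event in the last timeout_minutes.

    A source that never reported (last_event_time missing or 0) gets
    silent_minutes=None and sorts first, then longest silence first.
    """
    cutoff_ms = now_ms - timeout_minutes * 60_000
    findings = []
    for src in log_sources:
        if not src.get("enabled", False):
            continue  # disabled sources are expected to be quiet
        last_ms = src.get("last_event_time") or 0
        if last_ms == 0:
            findings.append({"name": src["name"], "silent_minutes": None})
        elif last_ms < cutoff_ms:
            minutes = (now_ms - last_ms) // 60_000
            findings.append({"name": src["name"], "silent_minutes": minutes})
    findings.sort(key=lambda f: (f["silent_minutes"] is not None,
                                 -(f["silent_minutes"] or 0)))
    return findings


def format_report(findings):
    """Render one line per silent source for a daily e-mail or ticket."""
    lines = []
    for f in findings:
        age = "never reported" if f["silent_minutes"] is None \
            else f"silent for {f['silent_minutes']} min"
        lines.append(f"{f['name']}: {age}")
    return "\n".join(lines)


if __name__ == "__main__":
    NOW_MS = 1700000600000   # constructed "current time" for the sample data
    TIMEOUT_MINUTES = 720    # set this to your Syslog Event Timeout value
    print(format_report(silent_log_sources(SAMPLE_LOG_SOURCES, TIMEOUT_MINUTES, NOW_MS)))
```

Keep `timeout_minutes` equal to the Syslog Event Timeout value so the script and the scheduled report flag the same sources.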
Additional Information
Document Location
Worldwide
Document Information
Modified date:
04 February 2021
UID
ibm16411006