IBM Support

QRadar: Microsoft Event Hubs protocol checklist



This support technical note is intended to provide users with a check list of steps to review when administrators configure Microsoft Azure log sources that use the Microsoft Azure Event Hubs protocol.

Resolving The Problem

Before you begin
Installing protocols might require a Deploy Changes. Before QRadar service restarts, Administrators need to schedule a maintenance period.
Provided is a general checklist of what to do when this protocol is not working. It usually resolves most issues.
When the connection is good and the log source is checking Event Hubs for events, it indicates the log source is communicating properly. Someone on the Microsoft team is needed so that they can process these steps.
  1. Generate events.
  2. Confirm whether events are coming in on the event hub side.
  3. If necessary, provide the event hub connection string if the customer is using the wrong event hub.
    Note: Can be done without the Microsoft team.
  4. Tell us the rate events are coming in and is the number of events low? If so, are the events received and going to stored?
  5. If events can't be generated, create a new consumer group.
    NOTE: Can be done by a user or administrator with the correct permissions.
To make sure that there are events going into the event hub, here is an Event Hub Checklist of steps to try:
  1. Image result for check box Verify that the Event Hub connection string is valid.
  2. Image result for check box Verify that the Storage Account connection string is valid.
  3. Image result for check box Verify that the consumer group is valid.
  4. Image result for check box Verify that the certificate is downloaded.
  5. Image result for check box Verify that ports 5671 and 5672 are opened for the Event Hub hostname.
  6. Image result for check box Verify that port 443 is open for the Storage Account hostname.
  7. Image result for check box (Optional) Do a Deploy Full Configuration.
    IMPORTNANT: Impact of Deploy Full Configuration on events, flows, and offenses.
  8. Image result for check box (Optional) Restart ecs-ec-ingress.
    IMPORTNANT: Restarting ecs-ec-ingress temporarily stops event collection while the service restarts. Administrators with strict outage policies are advised to complete the next step during a scheduled maintenance window for their organization.

Document Location


[{"Type":"MASTER","Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"ARM Category":[{"code":"a8m0z000000cwsyAAA","label":"Admin Tasks"}],"ARM Case Number":"","Platform":[{"code":"PF016","label":"Linux"}],"Version":"All Versions"}]

Document Information

Modified date:
31 August 2022