Troubleshooting
Problem
This technical note provides administrators with a checklist of steps to review when they configure Microsoft Azure log sources that use the Microsoft Azure Event Hubs protocol.
Resolving The Problem
Before you begin
Installing a protocol might require a Deploy Changes, and some of the steps below restart QRadar services. Administrators need to schedule a maintenance period before any QRadar service is restarted.
The following is a general checklist of what to do when this protocol is not working. It resolves most issues.
When the connection test succeeds and the log source is polling Event Hubs for events, the log source is communicating properly and the problem is upstream of QRadar. Someone from the team that administers the Microsoft Azure subscription is needed to work through the following steps:
- Generate events.
- Confirm whether events are arriving on the Event Hub side.
- If the customer is using the wrong Event Hub, provide the correct Event Hub connection string.
Note: This step can be done without the Microsoft Azure team.
- Report the rate at which events are coming in. Is the number of events low? If so, are the events being received and written to storage?
- If events can't be generated, create a new consumer group.
Note: This step can be done by a user or administrator with the correct permissions.
To confirm that events are going into the Event Hub and that QRadar can collect them, work through the following Event Hub checklist:
- Verify that the Event Hub connection string is valid.
- Verify that the Storage Account connection string is valid.
- Verify that the consumer group is valid.
- Verify that the certificate is downloaded.
- Verify that ports 5671 and 5672 (AMQP) are open from the QRadar Event Collector to the Event Hub namespace hostname.
- Verify that port 443 (HTTPS) is open from the QRadar Event Collector to the Storage Account hostname.
- (Optional) Do a Deploy Full Configuration.
IMPORTANT: Review the impact of a Deploy Full Configuration on events, flows, and offenses before you run it.
- (Optional) Restart ecs-ec-ingress.
IMPORTANT: Restarting ecs-ec-ingress temporarily stops event collection while the service restarts. Administrators with strict outage policies are advised to complete this step during a scheduled maintenance window for their organization.
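The following Python 3 script is an added example for this technote, not IBM or Microsoft code. Run from the QRadar Event Collector, it performs the first and last checks in the list above: it parses the Event Hub and Storage Account connection strings, refuses ones that are missing the fields the protocol needs, derives the hostnames QRadar must reach, and tests TCP ports 5671 and 5672 to the Event Hub namespace and 443 to the Storage Account. The namespace (contoso-ns), storage account (contosoqradar), Event Hub name and key values are constructed placeholders; substitute the strings copied from the Azure portal. A successful connect only proves the firewall path is open; it does not validate the shared access key or the consumer group.

```python
#!/usr/bin/env python3
"""Check Azure Event Hubs protocol prerequisites from a QRadar Event Collector.

Added example for the technote, not IBM or Microsoft code. Parses the two
connection strings the log source needs, derives the hosts QRadar must reach,
and tests the TCP ports from the checklist. It never authenticates to Azure.
"""
import socket
import sys

# Constructed sample values (assumptions, not real resources or keys).
# Replace with the connection strings from the Azure portal.
EVENT_HUB_CS = (
    "Endpoint=sb://contoso-ns.servicebus.windows.net/;"
    "SharedAccessKeyName=qradar-listen;"
    "SharedAccessKey=REDACTED;"
    "EntityPath=insights-operational-logs"
)
STORAGE_CS = (
    "DefaultEndpointsProtocol=https;"
    "AccountName=contosoqradar;"
    "AccountKey=REDACTED;"
    "EndpointSuffix=core.windows.net"
)


def parse_connection_string(cs):
    """Split 'Key=Value;Key=Value' into a dict.

    Base64 keys may end in '=', so each field is split on the first '=' only.
    """
    fields = {}
    for part in cs.strip().strip(";").split(";"):
        if not part:
            continue
        if "=" not in part:
            raise ValueError("malformed connection string field: %r" % part)
        key, value = part.split("=", 1)
        fields[key.strip()] = value.strip()
    return fields


def event_hub_host(cs):
    """Return the namespace hostname, checking the fields QRadar needs."""
    fields = parse_connection_string(cs)
    for required in ("Endpoint", "SharedAccessKeyName", "SharedAccessKey"):
        if required not in fields:
            raise ValueError("Event Hub connection string is missing " + required)
    endpoint = fields["Endpoint"]
    if not endpoint.startswith("sb://"):
        raise ValueError("Event Hub Endpoint must use the sb:// scheme")
    return endpoint[len("sb://"):].strip("/")


def event_hub_name(cs):
    """EntityPath names the hub inside the namespace; None when not present."""
    return parse_connection_string(cs).get("EntityPath")


def storage_blob_host(cs):
    """Return the blob endpoint hostname used for checkpointing."""
    fields = parse_connection_string(cs)
    for required in ("AccountName", "AccountKey"):
        if required not in fields:
            raise ValueError("Storage connection string is missing " + required)
    suffix = fields.get("EndpointSuffix", "core.windows.net")
    return "%s.blob.%s" % (fields["AccountName"], suffix)


def endpoints_to_check(eh_cs, sa_cs):
    """(host, port) pairs from the checklist: AMQP to the namespace, HTTPS to storage."""
    eh_host = event_hub_host(eh_cs)
    sa_host = storage_blob_host(sa_cs)
    return [(eh_host, 5671), (eh_host, 5672), (sa_host, 443)]


def tcp_reachable(host, port, timeout=5.0):
    """Plain TCP connect. Success means the network path is open, nothing more."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def main(argv):
    eh_cs = argv[1] if len(argv) > 1 else EVENT_HUB_CS
    sa_cs = argv[2] if len(argv) > 2 else STORAGE_CS
    all_open = True
    for host, port in endpoints_to_check(eh_cs, sa_cs):
        reachable = tcp_reachable(host, port)
        all_open = all_open and reachable
        print("%s:%d %s" % (host, port, "open" if reachable else "BLOCKED"))
    print("Event Hub (EntityPath): %s" % (event_hub_name(eh_cs) or "not set"))
    return 0 if all_open else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 check_eventhub.py '<Event Hub connection string>' '<Storage Account connection string>'`; a BLOCKED line points at the firewall rule to fix, while a ValueError points at a connection string that was pasted incompletely.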
Document Location
Worldwide
Document Information
Modified date:
31 August 2022
UID
ibm16616535