Troubleshooting
Problem
When you integrate Azure Platform or Azure Security Events by using the Microsoft Event Hub protocol, QRadar can fail to collect events from the event hub. The log source is in error status with the following error message: The messaging entity 'xxxx:xxxx|xxxx' could not be found.
Cause
The error means that QRadar cannot find the event hub or the consumer group with the provided event hub connection string. This issue occurs because the connection string that was used does not point QRadar to the correct entity (event hub or consumer group).
Resolving The Problem
To resolve the issue, you must ensure you have the correct connection string for your event hub or consumer group.
- Log in to the Azure Platform.
- Go to the namespace section.
- In the Entity Section, click Event Hub:
- If the event hub does not exist, click + Event Hub to create one.
- After you create the Event Hub, click the name.
- Confirm that a Consumer Group exists. It is recommended to create a consumer group specific for QRadar.
In the following screenshot, there is one Consumer Group named $Default:
- Click Shared access policies. If no shared access policy exists, create a new one with the listen permission to get the Event Hub Connection String for the log source configuration.
- Click the Policy name and copy the Connection string–primary key. The connection string must include EntityPath=<event hub name> at the end.
String example: Endpoint=sb://xxxx.servicebus.windows.net/;SharedAccessKeyName=policy;SharedAccessKey=xxxxxxx=;EntityPath=eventhubk
- Log in to the QRadar user interface as an administrator.
- Edit your existing Microsoft Event Hub log source configuration.
- Add both the Consumer Group and the Event Hub Connection String to your log source configuration.
- Click Save, then test the configuration.
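A pre-flight check for the connection string described in the steps above, added here as an example and not part of the IBM technote or of QRadar: it parses the string, reports a missing or unexpected EntityPath, and masks the key before the string is shared. The function names, the namespace `example-ns` and the hub name `qradar-hub` are assumptions constructed for illustration.

```python
# Added example: validate an Event Hub connection string before saving it.
from urllib.parse import urlparse

REQUIRED = ("Endpoint", "SharedAccessKeyName", "SharedAccessKey", "EntityPath")

def parse_connection_string(conn):
    """Split 'Key=Value;Key=Value' pairs on the first '=' only, because the
    SharedAccessKey value can itself end in '=' (as in the string example)."""
    fields = {}
    for part in conn.strip().split(";"):
        if not part.strip():
            continue
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"segment without '=': {part!r}")
        fields[key.strip()] = value.strip()
    return fields

def check_connection_string(conn, expected_hub=None):
    """Return a list of problems; an empty list means the string looks usable."""
    try:
        fields = parse_connection_string(conn)
    except ValueError as exc:
        return [str(exc)]
    problems = [f"missing {name}" for name in REQUIRED if not fields.get(name)]
    endpoint = fields.get("Endpoint", "")
    if endpoint:
        url = urlparse(endpoint)
        if url.scheme != "sb" or not url.hostname:
            problems.append("Endpoint is not an sb:// namespace URL")
    hub = fields.get("EntityPath")
    if hub and expected_hub and hub != expected_hub:
        problems.append(f"EntityPath is {hub!r}, expected {expected_hub!r}")
    return problems

def redact(conn):
    """Mask the SharedAccessKey so the string can be pasted into a ticket."""
    return ";".join(
        "SharedAccessKey=<redacted>" if p.strip().startswith("SharedAccessKey=") else p
        for p in conn.split(";"))

# Constructed sample values, not real credentials.
WITHOUT_ENTITY = ("Endpoint=sb://example-ns.servicebus.windows.net/;"
                  "SharedAccessKeyName=policy;SharedAccessKey=QUJDREVGRw==")
WITH_ENTITY = WITHOUT_ENTITY + ";EntityPath=qradar-hub"

if __name__ == "__main__":
    for label, conn in (("no entity", WITHOUT_ENTITY), ("with entity", WITH_ENTITY)):
        print(label, redact(conn), check_connection_string(conn, "qradar-hub"))
```

An empty list only means the string is well formed and names the expected hub; the consumer group is entered separately in the log source and is not part of the string.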
Result
The error no longer appears, and QRadar can collect events from the event hub. If the error persists, contact QRadar Support for assistance.
Document Location
Worldwide
Document Information
Modified date:
12 June 2023
UID
ibm16999303