IBM Support

QRadar: Audit and System Notifications are not visible in the Log Activity tab

How To


Summary

Administrators who report issues with missing System Notifications or who are unable to view SIM-Audit events from the Log Activity tab can complete the checks provided in this technical note.

Steps

  1. Review routing rules to determine whether a rule is enabled that intentionally drops Console events. For example, if a routing rule is configured to drop events whose Source IP or Destination IP is the Console IP or 127.0.0.1, both SIM-Audit events and System Notifications might not appear as expected. It is recommended to review routing rules to ensure they do not affect important notifications. For more information, see Viewing and managing routing rules.
  2. Review the audit.log to confirm that new events are written to the file.
      1. Use SSH to log in to the QRadar Console as the root user.
      2. To verify whether the file was updated recently, type:
         ls -lrth /var/log/audit/audit.log
      3. To tail the audit.log, type the following command:
         tail -f /var/log/audit/audit.log
      4. Attempt one of the activities that can generate an audit event. For more information, see Actions logged in the audit.log file.
      5. Verify that the audit log is updated with new events.
  3. Confirm whether events are being sent to the routed store.
      1. In the Log Activity tab, add the following two filters:
          1. Source or Destination IP is 127.0.0.1.
          2. Event is Unparsed equals true.
      2. Confirm whether any SIM-Audit log sources are reported with a Log Level Category of Stored in the search results.
         Note: If stored events are reported for the SIM-Audit log source, a performance issue might be occurring, or you might need to export the stored events and provide them to QRadar Support for review. Internal log sources, such as SIM-Audit, Health Metrics, and Custom Rules Engine, are not expected to be reported with a Log Level Category of Stored.
  4. Review APAR IJ31534 and adjust the parsing order as described in the known issue.
  5. Check the syslog-ng configuration file on the QRadar Console to confirm whether any changes were made by other administrators.
      1. Use SSH to log in to the Console as the root user.
      2. Review the following file for changes or incorrect values:
         /etc/syslog-ng/syslog-ng.conf
      3. Optional. Users within a maintenance window can attempt to restart services.
         Important: Restarting the ecs-ec-ingress service stops all incoming events momentarily. The ingress service restarts within a few seconds, but the service restart causes the EPS and FPM graphs to display gaps because no incoming events are received while ingress restarts. It is recommended that administrators complete service restarts during scheduled maintenance or when advised by QRadar Support.
         systemctl restart syslog-ng
         systemctl restart ecs-ec-ingress
         systemctl restart hostcontext

Results

If you continue to experience issues after you complete all procedures in this technical note, contact QRadar Support for further assistance.
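The manual checks in step 2 (ls -lrth and tail -f on audit.log) and step 5 (reviewing syslog-ng.conf for changes made by other administrators) can be scripted so that they run the same way on every Console. The following is an added example, not part of IBM's technical note and not a QRadar tool: it assumes a Linux host with GNU coreutils (stat -c, sha256sum), the paths are the QRadar defaults named above, and the function names, the --run flag and the .baseline file name are this example's own conventions. The file-freshness and config-drift functions work for any log or configuration file, not only the two QRadar files.

```shell
#!/bin/sh
# Added example (not from the IBM technical note). Scriptable versions of two
# checks: (a) is audit.log still being written to, and (b) has syslog-ng.conf
# drifted from a baseline copy taken while the Console was known to be healthy.
# Assumes Linux with GNU coreutils (stat -c, sha256sum). Paths are QRadar
# defaults; every function takes the path as an argument so they can be reused.

AUDIT_LOG_DEFAULT=/var/log/audit/audit.log
SYSLOG_CONF_DEFAULT=/etc/syslog-ng/syslog-ng.conf

# Return 0 if FILE was modified within MAX_AGE seconds (default 600),
# 1 if it is older than that, 2 if it does not exist.
log_recently_modified() {
    file=$1
    max_age=${2:-600}
    [ -f "$file" ] || return 2
    age=$(( $(date +%s) - $(stat -c %Y "$file") ))
    [ "$age" -le "$max_age" ]
}

# Wait up to TIMEOUT seconds (default 30) for FILE to grow. Prints the bytes
# appended since the call started and returns 0; returns 1 on timeout.
# Scripted equivalent of "tail -f" followed by triggering an audited action.
wait_for_new_lines() {
    file=$1
    timeout=${2:-30}
    start_size=$(stat -c %s "$file")
    elapsed=0
    while [ "$elapsed" -lt "$timeout" ]; do
        if [ "$(stat -c %s "$file")" -gt "$start_size" ]; then
            tail -c +$((start_size + 1)) "$file"
            return 0
        fi
        sleep 1
        elapsed=$((elapsed + 1))
    done
    return 1
}

# Record a baseline copy of a config file (run once while the system is healthy).
save_config_baseline() {
    cp "$1" "$2"
}

# Return 0 and print a unified diff if FILE differs from its BASELINE copy,
# 1 if they are identical. Hashes are compared first; diff runs only on mismatch.
config_drifted() {
    file=$1
    baseline=$2
    cur=$(sha256sum "$file" | cut -d' ' -f1)
    base=$(sha256sum "$baseline" | cut -d' ' -f1)
    [ "$cur" != "$base" ] || return 1
    diff -u "$baseline" "$file" || true
    return 0
}

# Run the checks only when invoked with --run, so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then
    if log_recently_modified "$AUDIT_LOG_DEFAULT" 600; then
        echo "audit.log was modified in the last 10 minutes"
    else
        echo "audit.log is stale or missing; trigger an audited action in the Console"
    fi
    echo "waiting 30s for new audit events..."
    wait_for_new_lines "$AUDIT_LOG_DEFAULT" 30 || echo "no new audit events seen"
    if [ -f "$SYSLOG_CONF_DEFAULT.baseline" ]; then
        config_drifted "$SYSLOG_CONF_DEFAULT" "$SYSLOG_CONF_DEFAULT.baseline" \
            || echo "syslog-ng.conf matches the baseline copy"
    fi
fi
```

Run it as root on the Console with `sh check_audit.sh --run`, then log in to the Console UI in another session to generate an audit event while the 30-second wait is active. The baseline comparison only reports something if `/etc/syslog-ng/syslog-ng.conf.baseline` exists, so save that copy with `save_config_baseline` right after the system is confirmed healthy; a non-empty diff then shows exactly which lines another administrator changed.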


Document Location

Worldwide


Document Information

Modified date:
30 June 2023

UID

ibm17007797