Troubleshooting
Problem
Verifying that data is being sent from an Event Collector is helpful in the following use-cases:
- To ensure that the event data from the specific Event Collector is processed continuously
- To identify any potential network connectivity issues between Event Collector and the Event Processor (or Console)
- To find any potential gaps within event data flow
- To detect any system malfunction on the Event Collector side (for instance, operating system or hardware issues)
Symptom
If you experience these symptoms, the Event Collector might be failing to send data:
- The QRadar Log Source Management app reports that some of the Log Sources are in the error state
- Search results show gaps in the event data
- The Event Collector intermittently displays the status Unknown
Cause
Any of the following can cause the Event Collector to fail to send data:
- Intermittent network connectivity issues
- Low bandwidth
- Persistent over-license condition
- Service instability on an Event Collector
- Various hardware (or hypervisor) issues that affect an Event Collector system
- Misconfigured intermediary network devices (Firewalls, IPS/IDS) on the link between an Event Collector and Event Processor (Console)
Diagnosing The Problem
Before you begin
To conduct the verification process, you need an IP address of the Event Collector network management interface. It can be obtained from the GUI by going to Admin > System and License Management or from the CLI by running the following command on the console:
grep -i '${Event Collector hostname}' /etc/hosts
CLI
- Use SSH to log in to the Console as root user.
- To obtain the Managed Host ID of the target Event Collector, replace the placeholder with the Event Collector IP address and run the following command on the Console:
psql -U qradar -c "SELECT id,ip FROM managedhost WHERE ip='$<YOUR EVENT COLLECTOR IP>';"
- Obtain the Event Collector ID from the Managed Host ID returned by the previous step by replacing the placeholder and running the following command:
psql -U qradar -c "SELECT id,name FROM deployed_component WHERE managed_host_id=$<YOUR MANAGED HOST ID> AND NAME ILIKE 'e%' AND CHAR_LENGTH(name) < 20;"
In this example, the id is 118.
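The two lookups above can be combined into one query on the Console, which avoids copying the Managed Host ID by hand. The following script is an added example and is not part of the IBM article; it uses only the table and column names that appear in the article's own queries (managedhost, deployed_component) and keeps the article's name filter unchanged. The optional second argument, a drop-in command with the same psql interface, is an assumption made so the lookup can be exercised without a live QRadar database.

```shell
#!/bin/bash
# Added example (not from the IBM article): resolve the Event Collector
# component ID for a managed host IP in one psql call on the Console.
set -u

# Usage: ec_component_id <event-collector-ip> [psql-command]
# Prints "<component id><TAB><component name>"; returns 1 when the IP is
# not a managed host or has no matching component, 2 on a bad IP, 3 when
# psql itself fails.
ec_component_id() {
    ip=$1
    psql_cmd=${2:-psql}   # assumption: a drop-in with psql's -t -A -F -c interface

    # Accept only digits and dots, so a stray quote cannot change the SQL
    # that is built below.
    case $ip in
        *[!0-9.]*|'') printf 'invalid IPv4 address: %s\n' "$ip" >&2; return 2 ;;
    esac

    # -t drops headers/footers, -A turns off alignment, -F sets the field
    # separator: the result is a single "id|name" line that is easy to split.
    row=$("$psql_cmd" -U qradar -t -A -F '|' -c \
        "SELECT dc.id, dc.name
           FROM deployed_component dc
           JOIN managedhost mh ON mh.id = dc.managed_host_id
          WHERE mh.ip = '${ip}'
            AND dc.name ILIKE 'e%'
            AND CHAR_LENGTH(dc.name) < 20;") || {
        printf 'psql query failed\n' >&2
        return 3
    }

    if [ -z "$row" ]; then
        printf 'no Event Collector component found for %s\n' "$ip" >&2
        return 1
    fi
    printf '%s\t%s\n' "${row%%|*}" "${row#*|}"
}

# Stand-alone use on the Console:  ./ec_id.sh 10.10.10.20
if [ "${1:-}" ]; then
    ec_component_id "$1"
fi
```

Run it as root on the Console with the Event Collector IP address; the first field of the output is the ID that the article's second query would have returned.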
Result
If the search returned no events, then proceed to Resolving the Problem.
GUI
- To create a customized search, go to Log Activity > Search > New Search.
- Define the Search Mode, Time Range, and Search Parameters. The second search parameter 'Destination IP is not 127.0.0.1' excludes events addressed to 127.0.0.1, which are typically QRadar's own internally generated events, so that only Log Source event data is returned:
- Run the customized search.
- Analyze the search results:
Result
Events appear shortly after the customized search is run (as shown in the animation). You can update the search results with any other time frame (go to the 'View' drop-down menu) to identify any potential gaps in the event data.
Important: If the search returned no events, then proceed to Resolving the Problem.
Resolving The Problem
- From the Console, open an SSH session to the target Event Collector.
Note: If you are unsuccessful with this step, start further troubleshooting with the following document: QRadar: Verifying SSH connectivity to the target Managed Host. Continue with the next step when the issue is resolved.
- Check whether the services are running on the target Event Collector:
/opt/qradar/upgrade/util/setup/upgrades/wait_for_start.sh
This example shows that the services are running:
If the services are not running, restart the core system services on the target Event Collector:
systemctl stop hostcontext
systemctl restart hostservices
systemctl start hostcontext
After a few minutes, check again if the services are running.
/opt/qradar/upgrade/util/setup/upgrades/wait_for_start.sh
If the services are still not running after the restart, collect the log files and open a case with QRadar Support. Continue with the next step when the issue is resolved.
- Verify that the target Event Collector receives event data from the configured Log Sources.
- Obtain the Event Collector network interface name by using the following command:
cat /etc/management_interface
In this example, the interface is ens192.
- Run the tcpdump command to check whether event data is reaching the target Event Collector:
tcpdump -nnAs0 -i ${EC network interface} port 514 -c 10
The tcpdump stops when ten network packets with Log Source event data are captured. If no packets arrive, tcpdump keeps waiting; press Ctrl+C to stop it. Adjust the port filter if your Log Sources send on a port other than 514.
If the command returns packets, then the Event Collector is receiving event data.
If no output is present, then the next troubleshooting steps are to check the Log Source configuration and to verify that network traffic from the Log Sources is not blocked by firewalls.
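Because tcpdump with -c 10 does not exit until ten packets have been seen, a silent Event Collector leaves the command hanging rather than reporting "no traffic". The following script is an added example, not part of the IBM article; it wraps the article's tcpdump command in timeout(1) so that an empty window becomes a definite result, and reads the interface name from /etc/management_interface as the article does. The WAIT and PORT environment variables, and the file-path argument to mgmt_iface, are assumptions introduced here.

```shell
#!/bin/bash
# Added example (not from the IBM article): check on the Event Collector
# that syslog traffic is arriving, without letting tcpdump wait forever.
set -u

# Read the management interface name from /etc/management_interface.
# The path is a parameter (assumption) so the function can be pointed at
# a copy of the file.
mgmt_iface() {
    iface=$(head -n 1 "${1:-/etc/management_interface}")
    iface=${iface%%[[:space:]]*}          # drop any trailing whitespace
    [ -n "$iface" ] || return 1
    printf '%s\n' "$iface"
}

# Map the exit status of "timeout N tcpdump -c 10 ..." to a verdict.
# timeout(1) exits 124 when it had to kill the command, i.e. fewer than
# ten packets arrived within the window; exit 0 means tcpdump captured
# all ten and ended on its own.
capture_verdict() {
    case $1 in
        0)   printf 'receiving\n' ;;
        124) printf 'no-traffic\n' ;;
        *)   printf 'error\n' ;;
    esac
}

# Capture up to 10 packets on the syslog port (TCP or UDP) of the
# management interface, waiting at most WAIT seconds (default 30).
# Must run as root on the Event Collector.
check_syslog_ingress() {
    iface=$(mgmt_iface) || { echo 'cannot determine management interface' >&2; return 2; }
    wait=${WAIT:-30}          # assumption: seconds to wait for ten packets
    port=${PORT:-514}         # assumption: change if Log Sources use another port
    timeout "$wait" tcpdump -nnAs0 -i "$iface" port "$port" -c 10
    verdict=$(capture_verdict $?)
    printf 'interface=%s port=%s verdict=%s\n' "$iface" "$port" "$verdict"
    [ "$verdict" = receiving ]
}

# Stand-alone use on the Event Collector:  WAIT=20 ./ec_ingress.sh run
if [ "${1:-}" = run ]; then
    check_syslog_ingress
fi
```

A verdict of no-traffic after the full window is the "no output" case in the step above: check the Log Source configuration and the firewalls between the Log Sources and the Event Collector. A verdict of error means tcpdump itself failed (for example, a wrong interface name or missing root privileges), not that traffic is absent.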
Document Location
Worldwide
Product: IBM QRadar; Category: Log Activity; Platform: Platform Independent; Version: All Versions
Document Information
Modified date:
03 April 2023
UID
ibm16848271