IBM Support

QRadar: Using the command-line to troubleshoot a Syslog event source

Question & Answer


Question

I forwarded my Syslog events to QRadar, but I do not see any events on the Log Activity tab. How can I use the command-line to troubleshoot event issues?

Answer

Administrators can troubleshoot if Syslog events are being received by QRadar using several tools built into the QRadar appliance. A common technique used to prove data is being received by the appliance interface is to use a utility called tcpdump. This utility allows the administrator to define the interface, port, source or destination IP addresses for the Syslog data being sent and writes the packet data on-screen to help users determine if events are received by QRadar.

Before you begin

Before you can troubleshoot if the events are sent to QRadar, you need to review the event source sending Syslog events and verify the IP address. The Syslog destination configured on your device is where you need to troubleshoot. The tcpdump command must be run on the appliance receiving the events from your device.


Note: By default, QRadar appliances are always configured to listen for Syslog events on TCP and UDP port 514. There is no need to touch the firewall on your QRadar appliance.

Troubleshooting events with tcpdump

The following command allows administrators to review the full Syslog header for events coming from a remote Syslog source.

  1. Using SSH, log in to your QRadar Console as root.
  2. Optional. If the Syslog destination is another appliance, such as an Event Collector appliance, SSH to the event collector.
  3. Type one of the following commands:
    • For TCP Syslog, type: tcpdump -s 0 -A host Device_Address and port 514
    • For UDP Syslog, type: tcpdump -s 0 -A host Device_Address and udp port 514

      Note: Device_Address must be an IPv4 address or a hostname.
      For example, tcpdump -s 0 -A host x.x.x.x and port 514.

Possible results


1. I do not see any events

If you do not see any events in the command line, then it is likely that either the device is not sending Syslog events or there is a firewall blocking communication.

  1. Verify with your firewall administrator or operations group if any firewalls are blocking communication between the QRadar appliance and the device sending Syslog events.

    Typically, an easy method to verify if a TCP port is open is to telnet from QRadar to the device. From the QRadar command line, type
    telnet QRadar Event Collector_IPAddress 514.
  2. Review the Syslog configuration of your remote device to ensure that it is configured to send events to the appropriate QRadar appliance.
  3. If the remote appliance is Linux/UNIX-based, administrators can verify the event source is sending data to the QRadar appliance with the following command: tcpdump dst QRadar_Appliance_IPAddress
 

2. The command line is listing events from my device

The tcpdump command displays results with the full Syslog header and event payloads, which is why we recommend using the -A flag when troubleshooting events.

  1. Review your system notifications.

    When QRadar cannot automatically discover a log source, then a system notification is created. Administrators can review the hostname or IP address outlined in the system notification to determine what address QRadar thinks is the source address for the log source. Manually creating a log source is typically required. The Log Source Identifier field might need to be updated with either a hostname or IP address depending on what the System Notification indicates.
     
  2. Verify if the device supports automatic discovery in QRadar.

    The DSM Configuration Guide has an appendix that lists what Device Support Modules (DSMs) allow automatic log source creation. For more information, see the DSM Configuration Guide: Documentation link list on the QRadar Customer Forum.
     
  3. The Syslog header might include an unexpected IP address or the log source is misconfigured.

    When reviewing the tcpdump results, administrators should note the hostname in the Syslog header. If there is no hostname in the Syslog header then note the packet IP address. From the Admin tab of your QRadar Console, open the Log Sources window and search for the hostname or IP address from the event payload. If you do not find the expected address of your device in the search, then the log source might have been created with an unexpected address. Your event payload should indicate what value is the source address. This can occur when the event source handles events from multiple devices or substitutes in an unexpected value into the Syslog header. This is uncommon but does happen on certain devices. Your device might have an option to preserve the original event IP before sending the Syslog event.

    Read more: How QRadar determines a hostname or IP from an event
     
  4. Search for a unique payload value in the Log Activity tab.

    Review the raw payloads from tcpdump and select a keyword you think is unique to your event source. Perform a search to look for the unique value.
    1. Click the Log Activity tab.
    2. Select the Quick Filter search option.

      NOTE: For more information on using the Quick Filter for searches, see: Searching Your QRadar Data Efficiently: Part 1 - Quick Filters.
    3. In the search bar, type any unique value that would appear in your payload.
    4. Review the search results.

      Results
      The search will locate any values entered in the quick filter that are part of the event payload. The administrator can review these events as they may show up as a different log source which would indicate a false positive in auto-detection or an issue with an extension. In this case, you can go to the Admin tab > Log sources > Delete the log source which was not auto-detected properly. If the log source discovers incorrectly, you should verify that your Console is installed with the latest DSM version. Administrators can compare their RPM version against IBM Fix Central, then let the log source rediscover.
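Step 3 above tells you to note the hostname in the Syslog header and fall back to the packet IP address when the header has none. The following added example (not part of the IBM article) automates that reading over a constructed tcpdump -A capture: the sample text, the regular expressions and the TAG-versus-hostname heuristic are this example's own assumptions, not QRadar's discovery logic.

```python
import re
from typing import Dict, List, Optional

# Constructed sample modelled on `tcpdump -s 0 -A host x.x.x.x and udp port 514` output;
# it was not captured from a real appliance. The first payload shares a line with the
# ASCII-rendered IP/UDP header bytes, the second sits on its own line.
SAMPLE_TCPDUMP = """\
10:15:01.123456 IP 192.0.2.10.51234 > 198.51.100.5.514: UDP, length 91
E..w..@.@..<34>Oct 11 10:15:01 fw-edge-01 sshd[2271]: Accepted password for admin from 203.0.113.4
10:15:02.654321 IP 192.0.2.10.51234 > 198.51.100.5.514: UDP, length 60
E..P..@.@..
<13>Oct 11 10:15:02 kernel: relay emitted this line without a hostname
"""

# tcpdump summary line: timestamp, "IP", src.port > dst.port, then protocol details.
PACKET_RE = re.compile(
    r"^\d{2}:\d{2}:\d{2}\.\d+ IP (?P<src>\d{1,3}(?:\.\d{1,3}){3})\.\d+ > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.\d+:"
)
# RFC 3164 style header: <PRI>Mmm dd hh:mm:ss, then an optional HOSTNAME and a TAG.
HEADER_RE = re.compile(
    r"<(?P<pri>\d{1,3})>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2} (?P<rest>.+)$"
)


def header_hostname(payload: str) -> Optional[str]:
    """Hostname from the Syslog header, or None when the header carries none.
    Heuristic (this example's assumption, not a QRadar rule): the token after the
    timestamp is a TAG, not a hostname, if it ends with ':' or carries a [PID]."""
    m = HEADER_RE.search(payload)
    if not m:
        return None
    first = m.group("rest").split(" ", 1)[0]
    if first.endswith(":") or "[" in first:
        return None
    return first


def parse_tcpdump(text: str) -> List[Dict[str, Optional[str]]]:
    """Pair each tcpdump summary line with the Syslog payload that follows it."""
    events: List[Dict[str, Optional[str]]] = []
    current: Optional[Dict[str, Optional[str]]] = None
    for line in text.splitlines():
        pkt = PACKET_RE.match(line)
        if pkt:
            current = {"src": pkt.group("src"), "host": None, "identifier": None}
            events.append(current)
        elif current is not None and HEADER_RE.search(line):
            current["host"] = header_hostname(line)
            # Value to search for under Admin > Log Sources: header hostname, else packet IP.
            current["identifier"] = current["host"] or current["src"]
    return events
```

Run it against a real capture by replacing SAMPLE_TCPDUMP with the saved tcpdump output; each returned identifier is the value to search for in the Log Sources window.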


Document Information

Modified date:
11 August 2021

UID

swg21674902