To verify that IBM® QRadar® receives events, review the full syslog header for remote syslog source events. QRadar might not receive syslog events because a firewall blocked communication or because the device did not send the events.
Before you begin
Review the event source that sends the syslog events and verify its IP address.
Procedure
- Use SSH to log in to QRadar as the root user.
- If the syslog destination is on another appliance, such as an event collector, use SSH to log in to the event collector.
- Choose one of the following options.
  The Device_Address must be an IPv4 address or a host name. The tcpdump command must run on the QRadar appliance that receives the events from your device. By default, QRadar appliances are configured to receive syslog events by using TCP or UDP on port 514. Do not configure the QRadar firewall.
- If the tcpdump command does not display events, then the syslog events are not being sent to the QRadar Console.
  - Ask your firewall administrator or operations group to check for firewalls that block communication between the QRadar appliance and the device.
  - Verify that the TCP port is open by using Telnet. Type the following command on QRadar:
    telnet Device_IPAddress 514
- Review your remote device's syslog configuration to ensure that events are sent to the proper appliance.
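As an added example that is not part of the IBM documentation, the following POSIX shell script shows how to read a tcpdump capture taken on the receiving QRadar appliance and report whether any syslog traffic from the expected Device_Address reached port 514. The capture lines are constructed for illustration; the device and appliance addresses (192.0.2.10, 192.0.2.44, 203.0.113.5) are assumed values, and the device is assumed to be given as an IPv4 address because tcpdump -nn prints numeric hosts.

```shell
#!/bin/sh
# Constructed sample of tcpdump output, as if captured on the QRadar appliance with:
#   tcpdump -nn -i any host Device_Address and port 514
# Two syslog datagrams from 192.0.2.10, one from 192.0.2.44, and one unrelated SSH segment.
SAMPLE_CAPTURE='12:00:01.101 IP 192.0.2.10.51234 > 203.0.113.5.514: SYSLOG auth.info, length: 71
12:00:01.205 IP 192.0.2.10.51234 > 203.0.113.5.514: SYSLOG auth.info, length: 88
12:00:02.330 IP 192.0.2.44.40211 > 203.0.113.5.514: SYSLOG local4.notice, length: 120
12:00:03.001 IP 198.51.100.7.22 > 203.0.113.5.55000: Flags [P.], seq 1:33, ack 1, length 32'

# count_syslog_from DEVICE_IPV4 : read tcpdump lines on stdin and count packets that
# the device sent to port 514 (TCP or UDP). Works with or without the interface
# columns that "-i any" adds, because it locates the ">" separator rather than a
# fixed field position.
count_syslog_from() {
    awk -v dev="$1" '
        / > [0-9.]+\.514: / {
            src = ""
            for (i = 2; i <= NF; i++) if ($i == ">") { src = $(i - 1); break }
            sub(/\.[0-9]+$/, "", src)        # strip the source port suffix
            if (src == dev) n++
        }
        END { print n + 0 }'
}

# verify_syslog_source DEVICE_IPV4 : exit 0 when events from the device were seen,
# exit 1 otherwise (the "tcpdump does not display events" case in the procedure).
verify_syslog_source() {
    n=$(printf '%s\n' "$SAMPLE_CAPTURE" | count_syslog_from "$1")
    if [ "$n" -gt 0 ]; then
        echo "OK: $n syslog packet(s) from $1 reached port 514"
        return 0
    fi
    echo "NO EVENTS from $1 on port 514: check firewalls and the device syslog config"
    return 1
}

# Stand-alone demonstration on the constructed capture.
verify_syslog_source 192.0.2.10
verify_syslog_source 198.51.100.7 || true
```

Against a live capture, pipe `tcpdump -nn -l -c 200 -i any host Device_Address and port 514` into `count_syslog_from Device_Address` instead of the sample text.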