Verifying that QRadar receives syslog events

To verify that IBM® QRadar® receives events, review the full syslog header for remote syslog source events. QRadar might not receive syslog events because a firewall blocked communication or the device did not send the events.

Before you begin

Review the event source that sends the syslog events and verify its IP address.

Procedure

  1. Use SSH to log in to QRadar as the root user.
  2. If the syslog destination is on another appliance, such as an event collector, use SSH to log in to the event collector.
  3. Choose one of the following options.
    • For a TCP syslog, type the following command:

      tcpdump -s 0 -A host Device_Address and tcp port 514

    • For a UDP syslog, type the following command:

      tcpdump -s 0 -A host Device_Address and udp port 514

    The Device_Address must be an IPv4 address or a host name. The tcpdump command must run on the QRadar appliance that receives the events from your device. By default, QRadar appliances are configured to receive syslog events by using TCP or UDP on port 514, so you do not need to change the QRadar firewall configuration.
  4. If the tcpdump command does not display events, then the syslog events are not reaching the QRadar Console.
    1. Ask your firewall administrator or operations group to check for firewalls that block communication between the QRadar appliance and the device.
    2. Verify that TCP port 514 is reachable by using Telnet from the QRadar appliance:

      telnet Device_IPAddress 514

    3. Review your remote device's syslog configuration to ensure that events are sent to the proper appliance.
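The capture from step 3 and the "no events seen" decision from step 4, as an added shell example that is not part of the IBM documentation. It builds the same tcpdump filter the procedure uses, runs tcpdump for a fixed number of seconds, and counts lines that carry a syslog PRI header such as `<34>` so the result is a number rather than a screen of packet dumps. It assumes `tcpdump` and the coreutils `timeout` command exist on the appliance; the `SAMPLE_CAPTURE` text is constructed to look like `tcpdump -A` output and uses RFC 5737 documentation addresses.

```shell
#!/bin/sh
# Added example (not IBM's code): check whether syslog events from a device
# reach this QRadar appliance on port 514.

# build_filter PROTO DEVICE [PORT]
# Prints the tcpdump (BPF) filter used in the procedure. PROTO is tcp or udp.
build_filter() {
  proto=$1; device=$2; port=${3:-514}
  case "$proto" in
    tcp) printf 'host %s and tcp port %s\n' "$device" "$port" ;;
    udp) printf 'host %s and udp port %s\n' "$device" "$port" ;;
    *)   echo "build_filter: protocol must be tcp or udp, got '$proto'" >&2; return 1 ;;
  esac
}

# count_syslog_headers
# Reads tcpdump -A output on stdin and prints how many lines contain a
# syslog PRI header (<0> .. <191>). Prints 0 when nothing matches.
count_syslog_headers() {
  grep -c '<[0-9][0-9]*>' || :
}

# capture_events PROTO DEVICE [SECONDS]
# Runs tcpdump on this appliance for SECONDS (default 30) with the same
# -s 0 -A options as the procedure and prints the number of syslog headers seen.
# Run it as root on the appliance that should receive the events.
capture_events() {
  proto=$1; device=$2; secs=${3:-30}
  filter=$(build_filter "$proto" "$device") || return 1
  # shellcheck disable=SC2086  # the filter is meant to be word-split
  timeout "$secs" tcpdump -s 0 -A $filter 2>/dev/null | count_syslog_headers
}

# Constructed sample of what tcpdump -A prints for two UDP syslog datagrams;
# it is embedded so the counting logic can be exercised without a live capture.
SAMPLE_CAPTURE='12:00:01.000001 IP 192.0.2.10.45120 > 192.0.2.20.514: UDP, length 60
E..X..@.@.....
<34>Oct 11 22:14:15 fw01 sshd[123]: Accepted publickey for admin
12:00:02.000002 IP 192.0.2.10.45120 > 192.0.2.20.514: UDP, length 58
E..V..@.@.....
<13>Oct 11 22:14:16 fw01 kernel: link up on eth0'

# check_sample prints the header count for the constructed capture (2).
check_sample() {
  printf '%s\n' "$SAMPLE_CAPTURE" | count_syslog_headers
}

# Stand-alone run: show the filter for a UDP source and count the sample.
build_filter udp 192.0.2.10
seen=$(check_sample)
if [ "$seen" -eq 0 ]; then
  echo "no syslog headers seen: check firewalls and the device's syslog destination" >&2
else
  echo "syslog headers seen: $seen"
fi
```

On the appliance, `capture_events udp 192.0.2.10 30` (or `tcp`) replaces the interactive tcpdump; a result of 0 corresponds to the "tcpdump does not display events" branch of step 4. Note that the Telnet check in step 4 only exercises TCP, so for a UDP source the capture count is the only evidence this script can give.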