IBM Support

QRadar: Log Sources are in Error status due to events not being received in over 720 minutes

Question & Answer


Question

How can you increase QRadar Syslog Event Timeout threshold?

Cause

Log Sources that have not received an event within the last 720 minutes, display the following error in the Log Source Summary page:
summary

Answer

To increase the Syslog Event Timeout threshold.
  1. Log in to the QRadar Console.
  2. On the navigation menu ( Navigation menu icon ), click Admin > System Settings > Advanced > Syslog Event Timeout (minutes):
  3. Enter in a new threshold, click Save.
    timeout


    The message "Changes have been saved successfully. Please deploy." is displayed.
    update
  4. Close the System Settings window.
  5. Click Deploy Changes.
    deploy
Note: IBM Security QRadar on Cloud users need to open a support ticket with the IBM QRadar support team to increase this value as they do not have access to these settings.

[{"Product":{"code":"SSBQAC","label":"IBM QRadar SIEM"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Component":"Events","Platform":[{"code":"PF016","label":"Linux"}],"Version":"Version Independent","Edition":"","Line of Business":{"code":"LOB24","label":"Security Software"}}]

Document Information

Modified date:
15 February 2023

UID

swg21991768

Page Feedback