IBM Support

QRadar: Azure Event Hub log source fails with "The messaging entity xxxxx could not be found" error due to misconfiguration

Troubleshooting


Problem

When you integrate Azure Platform or Azure Security Events by using the Microsoft Event Hub protocol, QRadar can fail to collect events from the event hub. The log source is in error status with the following error message: The messaging entity 'xxxx:xxxx|xxxx' could not be found.

Cause

The error means that QRadar cannot find the event hub or the consumer group with the provided event hub connection string. This issue occurs because the connection string that was used does not point QRadar to the correct entity (event hub or consumer group).

Resolving The Problem

To resolve the issue, you must ensure you have the correct connection string for your event hub or consumer group.
  1. Log in to the Azure Platform.
  2. Go to the namespace section.
  3. In the Entity Section, click Event Hub.
  4. If the event hub does not exist, click + Event Hub to create one.
  5. After you create the Event Hub, click the name.
  6. Confirm that a Consumer Group exists. It is recommended to create a consumer group specifically for QRadar.
    In this example, there is one Consumer Group named $Default.
  7. Click Shared access policies. If no shared access policy exists, create a new one with the Listen permission to get the Event Hub Connection String for the log source configuration.
  8. Click the Policy name and copy the Connection string–primary key. The connection string must end with EntityPath=<event hub name>.
    String example:
    Endpoint=sb://xxxx.servicebus.windows.net/;SharedAccessKeyName=policy;SharedAccessKey=xxxxxxx=;EntityPath=eventhubk
  9. Log in to the QRadar user interface as an administrator.
  10. Edit your existing Microsoft Event Hub log source configuration.
  11. Add both the Consumer Group and the Event Hub Connection String to your log source configuration.
  12. Click Save, and then test the configuration.

    Result
    The error no longer appears, and QRadar can collect events from the event hub. If the error persists, contact QRadar Support for assistance.
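
Step 8's requirement can be checked before the string is pasted into the log source. The following Python pre-check is an added example, not IBM or Microsoft code; the function names and the sample namespace, policy, key and hub values are constructed for illustration.

```python
import re

REQUIRED = ("Endpoint", "SharedAccessKeyName", "SharedAccessKey", "EntityPath")

def parse_connection_string(conn_str):
    """Split 'Key=Value;Key=Value' pairs into a dict with lower-cased keys."""
    fields = {}
    for part in conn_str.strip().split(";"):
        if not part.strip():
            continue  # tolerate a trailing ';'
        # Split on the first '=' only: the base64 key value ends in '=' padding.
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"segment without '=': {part!r}")
        # Lower-casing the key names is a choice of this example.
        fields[key.strip().lower()] = value.strip()
    return fields

def check_connection_string(conn_str, expected_hub=None):
    """Return a list of problems; an empty list means the string looks usable."""
    try:
        fields = parse_connection_string(conn_str)
    except ValueError as exc:
        return [str(exc)]
    problems = [f"missing {n}" for n in REQUIRED if not fields.get(n.lower())]
    endpoint = fields.get("endpoint", "")
    if endpoint and not re.fullmatch(r"sb://[A-Za-z0-9.-]+/?", endpoint):
        problems.append("Endpoint is not of the form sb://<namespace host>/")
    hub = fields.get("entitypath")
    if hub and expected_hub and hub != expected_hub:
        problems.append(f"EntityPath is {hub!r}, expected {expected_hub!r}")
    return problems

def redact(conn_str):
    """Mask the SharedAccessKey value so the string can go into a ticket or log."""
    return re.sub(r"(?i)(SharedAccessKey=)[^;]*", r"\1<redacted>", conn_str)

# Constructed sample values (not real credentials).
GOOD = ("Endpoint=sb://contoso-ns.servicebus.windows.net/;"
        "SharedAccessKeyName=qradar-listen;"
        "SharedAccessKey=QUJDREVGRw==;EntityPath=qradar-hub")
NO_ENTITY = GOOD.rsplit(";", 1)[0]  # same string with EntityPath dropped

if __name__ == "__main__":
    for sample in (GOOD, NO_ENTITY):
        result = check_connection_string(sample, "qradar-hub") or "ok"
        print(redact(sample), "->", result)
```

Use redact() on any connection string that is attached to a support case, because the SharedAccessKey value is a credential.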

Document Location

Worldwide


Document Information

Modified date:
12 June 2023

UID

ibm16999303