IBM Support

QRadar SIEM: Search Not Displaying Migrated Events

Troubleshooting


Problem

Searching on historical events that were migrated from one Processor to another Processor, Data Node, or the Console does not display results.

Cause

This is working as designed. When event data is written to disk (ariel), each record is tagged with the component IDs of the processor that wrote it. Migrating the data to another server does not rewrite those IDs, so a search that is scoped to a specific processor or collector may not find the migrated events.

Diagnosing The Problem

When you remove a host, some, but not all, of its components and connections remain in deployment.xml:
<component hostId="53" changed="true" id="3" instanceName="qflow0" version="7.3.1" type="qflow">
<component hostId="53" changed="true" id="7" instanceName="eventcollector0" version="7.3.1" type="eventcollector">
<component hostId="53" changed="false" id="8" instanceName="eventprocessor0" version="7.3.1" type="eventprocessor">
<component hostId="53" changed="false" id="101" instanceName="eventcollectoringress101" version="7.3.1" type="eventcollectoringress">
When you re-add a host on the same IP address, QRadar might re-assign these components to the host. However, depending on the QRadar version, intervening configuration changes, or other factors, it might instead create new components with new IDs. If your Event Processor receives new components, searches run from the Log Activity tab use the new component IDs, while the ID tags on the ariel data are fixed when the data is written. The advantage is that you can move the data to almost any node or processor and search it; the drawback is that you cannot reliably search historical data by component ID from the Log Activity user interface.
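The following script is an added example and is not part of this article or of QRadar; it compares two constructed deployment.xml excerpts (modeled on the component lines above, with a hypothetical <deployment> wrapper element and self-closing tags so that the snippet parses) and reports which component IDs on a host changed after it was re-added. The replacement Event Processor component (id 112, instanceName eventprocessor112) is an assumption chosen for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed deployment.xml excerpt taken before the host was removed. The <component>
# attributes follow the lines shown in this article; the <deployment> root element and the
# self-closing tags are assumptions so that the excerpt is parseable on its own.
BEFORE_REMOVAL = """<deployment>
<component hostId="53" changed="true" id="3" instanceName="qflow0" version="7.3.1" type="qflow"/>
<component hostId="53" changed="true" id="7" instanceName="eventcollector0" version="7.3.1" type="eventcollector"/>
<component hostId="53" changed="false" id="8" instanceName="eventprocessor0" version="7.3.1" type="eventprocessor"/>
<component hostId="53" changed="false" id="101" instanceName="eventcollectoringress101" version="7.3.1" type="eventcollectoringress"/>
</deployment>"""

# Constructed excerpt after the host was re-added on the same IP: the Event Processor
# component was recreated with a new id (112 is an assumed value for illustration).
AFTER_READD = """<deployment>
<component hostId="53" changed="true" id="3" instanceName="qflow0" version="7.3.1" type="qflow"/>
<component hostId="53" changed="true" id="7" instanceName="eventcollector0" version="7.3.1" type="eventcollector"/>
<component hostId="53" changed="true" id="112" instanceName="eventprocessor112" version="7.3.1" type="eventprocessor"/>
<component hostId="53" changed="false" id="101" instanceName="eventcollectoringress101" version="7.3.1" type="eventcollectoringress"/>
</deployment>"""


def components_by_host(xml_text):
    """Return {hostId: {type: (id, instanceName)}} for every <component> element."""
    root = ET.fromstring(xml_text)
    by_host = {}
    for comp in root.iter("component"):
        host = comp.get("hostId")
        by_host.setdefault(host, {})[comp.get("type")] = (
            comp.get("id"),
            comp.get("instanceName"),
        )
    return by_host


def changed_component_ids(before_xml, after_xml, host_id):
    """List (type, old, new) for component types on host_id whose id or name differs
    between the two snapshots. Log Activity searches scoped by processor or collector
    use the current component id, while ariel data keeps the id in force when it was
    written, so each type listed here marks historical data that such a search misses."""
    before = components_by_host(before_xml).get(host_id, {})
    after = components_by_host(after_xml).get(host_id, {})
    changes = []
    for ctype in sorted(set(before) | set(after)):
        if before.get(ctype) != after.get(ctype):
            changes.append((ctype, before.get(ctype), after.get(ctype)))
    return changes


if __name__ == "__main__":
    for ctype, old, new in changed_component_ids(BEFORE_REMOVAL, AFTER_READD, "53"):
        print(f"host 53 {ctype}: {old} -> {new}")
```

Run it against copies of deployment.xml saved before and after the host change (the real file is managed by QRadar; treat the copies as read-only input). Any component type reported for the processor is one whose historical ariel data will not match a processor- or collector-scoped search in the Log Activity tab.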

Resolving The Problem

Search on known log sources or log source types rather than on a specific Event Processor or Event Collector; those filters do not depend on the component IDs that were tagged on the data when it was written.

Document Location

Worldwide


Document Information

Modified date:
02 July 2024

UID

ibm17159541