The first thing I'd check is to confirm that you've got the latest Amazon protocols for QRadar. The AWS protocols are temporarily removed, so you must download and install them manually on your Console. Then you can test the protocol in the Log Activity tab to see if there are errors reported (I'd put the test option in debug, which you can do from the UI 'gear' icon.
Then after you confirmed you've got the latest protocol, run tcpdump to confirm data is being received:
tcpdump -s 0 -A host Device_Address and port 514
Be sure to run this on the QRadar managed host that is making the connection to AWS to see if there are incoming events from that IP or hostname? If you see data on the interface, then you can confirm that the data is not filling store/tmp. If you do not get an error from the log source management app, but still not receiving events, you probably want to take a look at the logs for example, if you are using an S3 bucket, you can grep for errors related to the protocol, such as: com.q1labs.semsources.sources.amazonawsrest.AmazonAWSRESTProvider: [ERROR] {error info}
If you are stuck, you can open a case with support to review your configuration. It is typically requested that you provide logs, a screen cap of the log source config, and a test with debug enabled with your case.
------------------------------
Jonathan Pechta
QRadar Support Content Lead
Support forums: ibm.biz/qradarforums
jonathan.pechta1@ibm.com------------------------------
Original Message:
Sent: Tue August 08, 2023 11:34 PM
From: Sugandhini PS
Subject: AWS logs are not being populated in QRadar
Couldnt find AWS logs in QRadar console even after adding AWS as a log source
------------------------------
Sugandhini PS
------------------------------