IBM QRadar

  • 1.  Events have not been received from this Log Source in over 720 minutes.

    Posted Wed November 10, 2021 01:00 AM
    Folks,

    We have many shared QRadar environments, and this environment has a huge number of log sources. A few of them are in an error state. I troubleshot a few of them by enabling/disabling the log sources, and a few are in the "Events have not been received from this Log Source in over 720 minutes." state.

    I went through the IBM post below and tried it out, and nothing changed:
    https://www.ibm.com/support/pages/qradar-log-sources-are-error-status-due-events-not-being-received-over-720-minutes.

    Any advice or document would be appreciated to solve this.




    ------------------------------
    Eagleeye 12
    ------------------------------


  • 2.  RE: Events have not been received from this Log Source in over 720 minutes.

    Posted Wed November 10, 2021 05:45 AM
    What you have is the SIEM telling you it has seen no further traffic for the period mentioned.

    The SIEM will not know if that is because:

    1. The log source has some sort of problem (including anything between the source of the events and the SIEM)
    2. The log source has not needed to send anything (i.e. no traffic, which can be normal for low volume log sources)
    What would be good is to have those log sources send some form of "heartbeat" or "keep alive" event so you know it is alive but has no "normal" traffic to share.

    Unfortunately, nearly all the log sources I have seen over the years don't support this.

    You will have to accept that low-traffic log sources will do this and come up with your own way to verify the log source is healthy (it just has nothing to send).

    ------------------------------
    Darren H.
    ------------------------------



  • 3.  RE: Events have not been received from this Log Source in over 720 minutes.

    Posted Thu November 11, 2021 04:33 PM
    Many others and I have had issues with this. We have recently found a solution. I'll outline the steps here; when I get some time I'll do a better write-up.

    1) Set up groups for your log sources by how often they should log, e.g. 1 hr, 24 hrs, 7 days, etc.
    2) Make reference set for each group, have the entries expire just a little beyond the time, for 1 hr, make it 1 hr 5 minutes, 1 day 1 hr, etc.
    3) Setup a rule for each log source group that puts the name of the log source into the reference set, set a limiter to only run 1 time per interval, 1 hr, 1 day, etc. per log source.
    4) Make an "alarm" rule that fires on expiration of the data from the reference set.  I can't remember the QID.  You'll have to make a CEP to pull the log source from the event.  Same event has the reference set name, parse that and filter the alarm rules by which reference set.  Set the offense to index based on the CEP for the log source name.  I called mine "Failed Log Source".  

    You'll end up with a single offense for each failed log source when/if they fail.

    Wink to Gladys Koskas for part of the idea!

    ------------------------------
    Frank Eargle
    ------------------------------
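An added Python model of the four steps in the post above, replaying a constructed day of events through per-group reference sets with a TTL. It is not Frank's rules or any QRadar API; the group names, source names, TTLs and event stream are all made up, and it seeds every known source at the start, which the post does not mention.

```python
from typing import Dict, List, Tuple

# Step 2: reference-set TTL per group = expected interval plus a little slack (1h5m, 1d1h)
GROUP_TTL = {"hourly": 3600 + 300, "daily": 86400 + 3600}
# Step 1, constructed: each hypothetical log source assigned to an interval group
LOG_SOURCE_GROUP = {"fw-edge-01": "hourly", "vpn-gw": "hourly",
                    "silent-host": "hourly", "dc-01": "daily"}


class ReferenceSet:
    """Minimal model of a QRadar reference set whose elements have a time-to-live."""

    def __init__(self, ttl: int) -> None:
        self.ttl = ttl
        self.expires_at: Dict[str, int] = {}

    def touch(self, name: str, now: int) -> None:
        # Step 3: the per-group rule adds the log source name, resetting its TTL.
        # Re-adding is idempotent, so the once-per-interval limiter only saves rule load.
        self.expires_at[name] = now + self.ttl

    def expire(self, now: int) -> List[Tuple[str, int]]:
        # Step 4: lapsed elements are dropped; QRadar emits an expiry event for each,
        # which the "Failed Log Source" alarm rule turns into one offense per source.
        gone = [(n, t) for n, t in self.expires_at.items() if t <= now]
        for n, _ in gone:
            del self.expires_at[n]
        return gone


def detect_failed_sources(events: List[Tuple[int, str]], start: int, end: int) -> Dict[str, int]:
    """Replay (timestamp, log_source) events; return {source: time its TTL lapsed}."""
    sets = {g: ReferenceSet(ttl) for g, ttl in GROUP_TTL.items()}
    failed: Dict[str, int] = {}

    def sweep(now: int) -> None:
        for rs in sets.values():
            for name, lapsed_at in rs.expire(now):
                failed.setdefault(name, lapsed_at)  # first lapse only: one offense each

    # Seeding every known source at start goes beyond the post: it also catches a
    # source that never logs at all, not only one that stops.
    for src, group in LOG_SOURCE_GROUP.items():
        sets[group].touch(src, start)
    for ts, src in sorted(events):
        sweep(ts)
        sets[LOG_SOURCE_GROUP[src]].touch(src, ts)
    sweep(end)
    return failed


# Constructed day: fw-edge-01 hourly, vpn-gw stops after 01:00, dc-01 daily, silent-host never
SAMPLE_EVENTS = [(h * 3600, "fw-edge-01") for h in range(25)] + \
    [(0, "vpn-gw"), (3600, "vpn-gw"), (0, "dc-01"), (86400, "dc-01")]
```

Running `detect_failed_sources(SAMPLE_EVENTS, 0, 86400)` flags only vpn-gw and silent-host, while the hourly firewall and the once-a-day domain controller stay out of the "failed" set because their TTLs are sized to their own interval.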



  • 4.  RE: Events have not been received from this Log Source in over 720 minutes.

    Posted Fri November 12, 2021 10:14 AM
    Hi, this is a great article/piece of documentation that helps you implement some of the ideas from the other posts.

    Basically you need to customize how each kind of Log Source is treated.

    Another "good practice" is to add comments into the Log Source Description if you troubleshoot and find out that a Log Source only sends events once a day, once a week or so. Additionally, remember that machines are sometimes deleted; in that case you should have a Log Source Group of "deleted Log Sources", so you skip any test on those and you or any other analyst knows that those machines are no longer alive in your environment.


    https://www.ibm.com/docs/en/qsip/7.4?topic=spot-device-stopped-sending-events

    ------------------------------
    Juan Paulo
    IBM
    Santiago
    ------------------------------