IBM QRadar

I have Events with the Eventname "Log source has stopped emitting events" and i like to adjust the time until that event will occure but i can not find the timer for that event. Anybody knows how to tune it?

------------------------------
Martin Schmitt
------------------------------

Hello Martin,
You have to locate this rules:
Device Stopped Sending Events (Firewall, IPS, VPN or Switch)
Device Stopped Sending Events
then you can customize the seconds count in each one.
In my personal experience i suggest you to separate the log sources in different groups and create your own rules with different counts as every log source type and log source has difference performance and they has different "dead times" to send event to Qradar, for example, separate the linux servers and Windows servers log sources in different groups and create 2 different rules to each one with different counts.

Regards,

------------------------------
Johan Lopez
------------------------------

Original Message:
Sent: Mon June 21, 2021 11:29 AM
From: Martin Schmitt
Subject: Log source has stopped emitting events

I have Events with the Eventname "Log source has stopped emitting events" and i like to adjust the time until that event will occure but i can not find the timer for that event. Anybody knows how to tune it?

------------------------------
Martin Schmitt
------------------------------

Hi Johan, 
thanks for your hints. These 2 rules are disabled and the Messages of their Rule responses is different. 
Regards,
Martin

------------------------------
Martin Schmitt
------------------------------

Original Message:
Sent: Mon June 21, 2021 12:16 PM
From: Johan Lopez
Subject: Log source has stopped emitting events

Hello Martin,
You have to locate this rules:
Device Stopped Sending Events (Firewall, IPS, VPN or Switch)
Device Stopped Sending Events
then you can customize the seconds count in each one.
In my personal experience i suggest you to separate the log sources in different groups and create your own rules with different counts as every log source type and log source has difference performance and they has different "dead times" to send event to Qradar, for example, separate the linux servers and Windows servers log sources in different groups and create 2 different rules to each one with different counts.

Regards,

------------------------------
Johan Lopez

Original Message:
Sent: Mon June 21, 2021 11:29 AM
From: Martin Schmitt
Subject: Log source has stopped emitting events

I have Events with the Eventname "Log source has stopped emitting events" and i like to adjust the time until that event will occure but i can not find the timer for that event. Anybody knows how to tune it?

------------------------------
Martin Schmitt
------------------------------

I realised today that maybe this messages comming really from those rules. I use such a rule as a building block so there should be no response comming from the BB but disabling the BB stops the Event. A behavior where i hav not seen a documentation so far.

------------------------------
Martin Schmitt
------------------------------

Original Message:
Sent: Mon June 21, 2021 12:16 PM
From: Johan Lopez
Subject: Log source has stopped emitting events

Hello Martin,
You have to locate this rules:
Device Stopped Sending Events (Firewall, IPS, VPN or Switch)
Device Stopped Sending Events
then you can customize the seconds count in each one.
In my personal experience i suggest you to separate the log sources in different groups and create your own rules with different counts as every log source type and log source has difference performance and they has different "dead times" to send event to Qradar, for example, separate the linux servers and Windows servers log sources in different groups and create 2 different rules to each one with different counts.

Regards,

------------------------------
Johan Lopez

Original Message:
Sent: Mon June 21, 2021 11:29 AM
From: Martin Schmitt
Subject: Log source has stopped emitting events

I have Events with the Eventname "Log source has stopped emitting events" and i like to adjust the time until that event will occure but i can not find the timer for that event. Anybody knows how to tune it?

------------------------------
Martin Schmitt
------------------------------