IBM Security QRadar

  • 1.  EPS failed to show up on event logs/graph

    Posted Wed May 27, 2020 02:41 AM
    Edited by sanba06c Wed May 27, 2020 09:33 PM
    Hello,

    My company has used QRadar for almost 1 year, and EPS and FlowBias have worked normally. All of a sudden, these two features stopped working (and are not shown on the dashboard). I tried to figure out the problem, but to no avail.

    I also looked in Log Activity, but not a single event showed up.

    Can anyone give a hint to solve this error?


  • 2.  RE: EPS failed to show up on event logs/graph

    Posted Thu May 28, 2020 09:23 AM
    Do you have any data coming in - is this a selective problem or no incoming data at all? Is this only for events or flows or both? What are the sources that are "in problem"?
    Did you check if traffic is coming properly to the QRadar instance (e.g. tcpdump for particular host)?
    Was there any update in the meantime that might have caused this (i.e. there was an APAR related to non-functioning dashboard items and time series for latest releases)?
    Did you try to restart the Event collection service (sometimes that helps - I've seen this on a few sites for particular log source types)?

    ------------------------------
    Dusan VIDOVIC
    ------------------------------



  • 3.  RE: EPS failed to show up on event logs/graph

    Posted Thu May 28, 2020 11:22 AM
    @Dusan VIDOVIC, Thanks for your hints. I did a quick check and found no relevant issue so far:

    Do you have any data coming in - is this a selective problem or no incoming data at all? => Other data are normal
    Is this only for events or flows or both? => Both experience the same issue
    What are the sources that are "in problem"? => IBM Sense, but it seemed that this has nothing to do with the said issue
    Did you check if traffic is coming properly to the QRadar instance (e.g. tcpdump for particular host)? => Yes, it appears normal
    Was there any update in the meantime that might have caused this (i.e. there was an APAR related to non-functioning dashboard items and time series for latest releases)? => No related update so far.
    Did you try to restart the Event collection service (sometimes that helps - I've seen this on a few sites for particular log source types)? => Already did it with the systemctl command, but to no avail

    ------------------------------
    sanba06c
    ------------------------------



  • 4.  RE: EPS failed to show up on event logs/graph

    Posted Thu May 28, 2020 03:49 PM
    As I recall, IBM Sense events were related to UBA. On what version of QRadar are you? Is it an All-in-One install? Did you notice anything interesting in the qradar.error log file? Do you have QDI installed and if so, did you notice anything there?

    ------------------------------
    Dusan VIDOVIC
    ------------------------------



  • 5.  RE: EPS failed to show up on event logs/graph

    Posted Mon June 01, 2020 04:00 AM
    @Dusan VIDOVIC, I'm using QRadar v7.3.2, which is an All-in-One Appliance. QDI was installed, but the EPS graph also did not show up. Nothing interesting was found in the qradar.error log file.

    ------------------------------
    sanba06c
    ------------------------------



  • 6.  RE: EPS failed to show up on event logs/graph

    Posted Mon June 01, 2020 04:10 PM
    Edited by Dusan VIDOVIC Mon June 01, 2020 04:19 PM
    You probably went through this and this but checking anyway... Since the dashboard widget for EPS is not showing the graph, did you "play" with changing the value for graph and/or the time period to show (and if any changes would appear)?

    ------------------------------
    Dusan VIDOVIC
    ------------------------------



  • 7.  RE: EPS failed to show up on event logs/graph

    Posted Wed June 03, 2020 06:31 AM
    @Dusan VIDOVIC, Great advice! Referring to the first article: I followed it, and it seemed that the QDI resumed working. I will continue to keep an eye on it. Thanks so much!

    ------------------------------
    sanba06c
    ------------------------------