James,
This is something you should get looked at by QRadar Support. There should be zero protocol differences between QRoC and QRadar on-prem appliances as our integration teams do not code QRoC vs QRadar on-prem protocols, only versions 7.2.x & 7.3.x rpms. I would get a case opened and get someone to review your autoupdate log to verify that you have the latest protocol installed and to validate the log source user interface discrepancy.
What to do
- Open a case at https://ibm.com/mysupport.
- Take a screen cap of the UI discrepancy and inform them this is a QRoC appliance.
- Get logs from the Console appliance (Admin System & License Mgmt or see https://ibm.biz/qradarlogs)
- Submit this information to support and they'll get on the box to verify the issue from the command-line and confirm the problem.
Hope this helps,
------------------------------
Jonathan Pechta
QRadar Support Content Lead
Support forums: ibm.biz/qradarforums
jonathan.pechta1@ibm.com------------------------------
Original Message:
Sent: Mon April 08, 2019 04:16 AM
From: James McLaren
Subject: Configuring data feed from an Azure event hub
For QRadar on-prem the process appears to be configuring the Azure sections to ensure logging is being sent to an event hub and that data is being captured, then in the console configuring an Azure log source which then utilizes the event hub protocol to pull from Azure.
In QRoC, even though I have the Microsoft Azure log source type selected, I only have Syslog or Forwarded options, as opposed to the Event Hub Protocol detailed for the on premise QRadar. This does not expose the relevant configuration fields like tenant or storage account.
What am I missing? Is this a limitation of QRoC: do I need another device between the hub and QRoC?
Cheers
James
------------------------------
James McLaren
------------------------------