Hi Irfan,
on your linux box, you should tcpdump and check what's going out, and on your Qradar box you should also use tcpdump to see what is arriving. This way, you'll know where it's blocked.
On sender side:
# tcpdump -nnA dst <ip_of_recipient> and dst port 514
On receiver side:
# tcpdump -nnA src <ip_of_sender> and dst port 514
For Windows and WinCollect, usually you'll get a message in your admin section asking to deploy to integrate the newly connected WinCollect agent. Although, I suggest going through the documents Vedran mentioned =>
https://www.ibm.com/community/qradar/home/wincollect/
You'll find all the info about WinCollect.
Regards,
------------------------------
Anthony Gayadeen, Videotron Ltd
Montreal QC
------------------------------
Original Message:
Sent: Thu August 01, 2019 02:40 AM
From: Vedran Goricki
Subject: Telnet host from QRadar
Hi,
On the Windows machine, for testing purposes I would turn on auditing because it generates a massive amount of logs.
On the Windows machine, check C:\Program Files\IBM\WinCollect\logs for errors.
Check the connectivity between wincollect and qradar https://QRadarIPAddress:84137 - if it works "You will get Your connection is not secure" - message
On Qradar CLI - netstat -tulnp | grep 8413 - You will get something like this -tcp6 0 0 :::8413 :::* LISTEN 22026/java
On the QRadar console check Admin - Data Sources - WinCollect - there is your status of agent - IF IT'S installed as a managed agent - you won't see a standalone agent there.
On the Log source - check the WinCollect agent, if you selected the right one.
On Log Sources Target Internal Destination - if it is default it will say eventcollector0 :: qradar - check that you have the right one on the WinCollect agent in the config file.
Online there is the document QRadar Support 101: Wincollect Troubleshooting - don't have the link sorry
This is for the Windows.
For Linux check if the syslog is configured properly
This is the link : https://www-01.ibm.com/support/docview.wss?uid=swg21674902 QRadar: Using the command-line to troubleshoot a syslog event source
Regards,
Vedran Goricki
------------------------------
Vedran Goricki
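The two checks the replies above describe, tcpdump on both ends of the syslog path (Anthony's post) and a telnet-style reachability test of the QRadar listener port (Vedran's post, and the "no route to host" result in the original question), can be reproduced in one small script. This is an added example, not code from the thread or from IBM: it assumes nothing about QRadar itself, the target host and ports are placeholders the caller supplies, and the round trip runs over loopback so the sender's bytes and the receiver's bytes can be compared in a single process.

```python
"""Loopback checks for syslog forwarding and listener reachability.

Added example (not from the thread or from IBM). Host/port values are
placeholders; the defaults come from the ports named in the thread.
"""
import errno
import socket
import time

SYSLOG_UDP_PORT = 514    # rsyslog default forwarding port (from the thread)
WINCOLLECT_PORT = 8413   # WinCollect -> QRadar port named in the thread


def check_tcp_port(host, port, timeout=2.0):
    """Classify a TCP connect the way a 'telnet host port' test would.

    Returns "open", "refused", "unreachable", "timeout" or "error".
    "refused" means the host answered but nothing listens on that port;
    "unreachable" is the 'no route to host' case (routing or a filtering
    device between the two boxes); "timeout" usually means a silent drop.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    except OSError as e:
        if e.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"
        return "error"
    finally:
        s.close()


def build_syslog_message(facility, severity, hostname, tag, msg):
    """Build an RFC 3164 style line: <PRI>Mmm dd hh:mm:ss HOST TAG: MSG."""
    pri = facility * 8 + severity
    t = time.localtime()
    ts = f"{time.strftime('%b', t)} {t.tm_mday:2d} {time.strftime('%H:%M:%S', t)}"
    return f"<{pri}>{ts} {hostname} {tag}: {msg}"


def parse_pri(line):
    """Return (facility, severity) from the leading <PRI>, or None if malformed."""
    if not line.startswith("<"):
        return None
    end = line.find(">")
    if end < 2 or not line[1:end].isdigit():
        return None
    pri = int(line[1:end])
    if pri > 191:            # 23 facilities * 8 + 7 is the largest valid PRI
        return None
    return pri // 8, pri % 8


def send_udp_syslog(host, port, line):
    """Fire one syslog datagram; this is what tcpdump sees on the sender side."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        s.sendto(line.encode(), (host, port))
    finally:
        s.close()


def loopback_syslog_roundtrip(line, timeout=2.0):
    """Receive on an ephemeral loopback UDP port, send `line` to it, return what arrived.

    Comparing the returned text with `line` is the in-process equivalent of
    running tcpdump on both sender and receiver and matching the payloads.
    """
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    rx.bind(("127.0.0.1", 0))
    rx.settimeout(timeout)
    try:
        port = rx.getsockname()[1]
        send_udp_syslog("127.0.0.1", port, line)
        data, _ = rx.recvfrom(65535)
        return data.decode()
    finally:
        rx.close()


def selftest_tcp_probe():
    """Open a loopback listener, probe it, close it, probe again.

    Returns the two classifications; expected ("open", "refused").
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    while_open = check_tcp_port("127.0.0.1", port)
    srv.close()
    after_close = check_tcp_port("127.0.0.1", port)
    return while_open, after_close


if __name__ == "__main__":
    # Placeholder target; replace with the QRadar IP from your own setup.
    print("wincollect port:", check_tcp_port("192.0.2.10", WINCOLLECT_PORT))
    line = build_syslog_message(1, 6, "linuxhost", "rsyslog-test", "connectivity check")
    print("loopback syslog ok:", loopback_syslog_roundtrip(line) == line)
```

Run the reachability check from the box that forwards the logs, against the QRadar address: "refused" points at the service (nothing listening on 514/8413), "unreachable" or "timeout" points at routing or a firewall in between, which is the distinction the tcpdump-on-both-sides advice is meant to make.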
Original Message:
Sent: Wed July 31, 2019 07:35 AM
From: Irfan Ullah
Subject: Telnet host from QRadar
Hello Team
Hello Group
I have installed and configured IBM QRadar. After that I configured the Network Hierarchy, then I configured the Log source, and last I added a Windows Server 2012 and a Linux OS in Assets. Also I have configured the rsyslog config on the Linux OS and WinCollect on the Windows machine. But still I don't see any Windows or Linux logs in my Log Activity.
But when I try to telnet to the Windows machine it gives me the error "no route to host", while I have turned off the firewall of the Windows machine; also I have run the "tcpdump" command.
------------------------------
Irfan Ullah
------------------------------