IBM Security QRadar

 View Only
Expand all | Collapse all

QRadar in Azure collecting Events through Azure Event Hub - FAILED

  • 1.  QRadar in Azure collecting Events through Azure Event Hub - FAILED

    Posted Fri March 12, 2021 08:17 AM
    Hi community,

    I went through this forum and checked older posts related to the QRadar-Azure integration and could not find an answer.

    My Setup:

    QRadar in Azure in Tenant #1
    Sign-In and Audit Logs from Tentant #1 are sent to an Event Hub in the same tentant.

    My Problem:
    Mar 12 12:50:40 ::ffff:IP [ecs-ec-ingress.ecs-ec-ingress] [Thread-6976] java.lang.NoSuchMethodError: com/q1labs/semsources/sources/utils/GatewayLogSourcePatternParser.setupSourceNameModifier(Ljava/util/List;)Ljava/util/List; (loaded from file:/opt/ibm/si/services/ecs-ec-ingress/eventgnosis/lib/q1labs/q1labs_semsources_protocol_common.jar by com.q1labs.core.util.classloader.ChildFirstClassLoader$ChildURLClassLoader@6035a74b) called from class com.q1labs.semsources.sources.microsoftazureeventhubs.MicrosoftAzureEventHubsProvider (loaded from file:/opt/ibm/si/services/ecs-ec-ingress/eventgnosis/lib/q1labs/q1labs_semsources_protocol_microsoftazureeventhubs.jar by com.q1labs.core.util.classloader.ChildFirstClassLoader$ChildURLClassLoader@6035a74b).


    Mar 12 12:17:51 ::ffff:IP [ecs-ec-ingress.ecs-ec-ingress] [Thread-4546] com.q1labs.semsources.sources.microsoftazureeventhubs.MicrosoftAzureEventHubsSource: [ERROR] [NOT:0070003100][IP- -] [-/- -]There appears to be a configuration issue with the provider connection 'class com.q1labs.semsources.sources.microsoftazureeventhubs.MicrosoftAzureEventHubsProvider7'.


    There are some similar threads here without solution:

    https://www.ibm.com/mysupport/s/question/0D50z00006PFbmfCAD/errors-connecting-to-azure-event-hub?language=de

    https://www.ibm.com/mysupport/s/question/0D50z00006PEGdKCAX/errors-connecting-to-azure-event-hub-protocol-error?language=de


    What I've done so far?

    - I've followed this guideline https://www.ibm.com/support/knowledgecenter/SS42VS_DSM/com.ibm.dsm.doc/c_logsource_Microsoft_Azure_Event_Hubs_protocol.html

    and repeated this step many times. (Created the log source manually and also looked for auto discovered log sourcesI also asked another colleague to do the same. We both had the same problem.

    . https://www.ibm.com/support/knowledgecenter/SS42VS_DSM/com.ibm.dsm.doc/c_dsm_guide_ms_azure_troubleshooting.html

    We also tried to do some troubleshooting, but couldn't find any solution.
    Telnet to Storage Account and Event Hub Namespace work. Ports are open.

    We also created Event Hubs Namespaces and Eventhubs and allowed mostly everything to be sure it was not any permission problem.
    The same with Storage Account.


    Have we slipped up somewhere?

    Thank you!

    Greetings,

    Bruno



    ------------------------------
    BrunoMarX
    ------------------------------