Hi Arukmanr, as Frank said before, the logs could be arriving at the SIM Generic Log DSM.
If you really want to know where the logs are, you can do two kinds of searches:
- Do a filter like "Source or Destination IP is IP-VM08" on the timeframe the events were received; that should work unless there is a NAT-related issue that is modifying the Source IP.
- Do a filter like "Payload Contains is hostname-VM08" (with the string you're showing on the image). Be sure to include the timeframe on this one, since it's an expensive query.
Regards
------------------------------
Juan Paulo
IBM
Santiago
------------------------------
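As an added illustration of the two searches described in the reply above (not code from the thread or from QRadar), the script below runs both filters over a constructed sample of captured syslog packets and flags the case the reply warns about: the payload names the host, but the packet's source IP differs, which is what a NAT or relay in the path looks like. The IPs, hostnames and payloads are placeholders.

```python
import re

# Constructed sample of what tcpdump shows: (source IP of the UDP packet, syslog payload).
# All values are placeholders, not the addresses or hostnames from the thread.
CAPTURED = [
    ("10.0.8.8", "<13>Sep 25 08:15:01 hostname-VM08 sshd[1201]: Accepted publickey for ops"),
    ("10.0.9.1", "<13>Sep 25 08:15:03 hostname-VM08 cron[77]: (root) CMD (run-parts)"),
    ("10.0.8.9", "<13>Sep 25 08:15:05 hostname-VM09 sshd[1330]: Failed password for invalid user"),
]

# RFC 3164 style header: <PRI>Mmm dd hh:mm:ss HOSTNAME ...
SYSLOG_RE = re.compile(r"^<\d{1,3}>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} (\S+) ")


def header_host(payload):
    """Hostname field of the syslog header, or None if the line is not RFC 3164 shaped."""
    m = SYSLOG_RE.match(payload)
    return m.group(1) if m else None


def search_by_ip(events, ip):
    """Equivalent of the 'Source or Destination IP is ...' filter (source side only here)."""
    return [e for e in events if e[0] == ip]


def search_by_payload(events, needle):
    """Equivalent of the 'Payload Contains ...' filter; a full scan, hence costly on a wide timeframe."""
    return [e for e in events if needle in e[1]]


def nat_suspects(events, ip, hostname):
    """Events whose payload names the host but whose packet source IP is not the expected one.
    These are the events an IP-keyed log source identifier will never match."""
    return [e for e in search_by_payload(events, hostname) if e[0] != ip]


if __name__ == "__main__":
    for src, payload in nat_suspects(CAPTURED, "10.0.8.8", "hostname-VM08"):
        print(f"source {src} carries header host {header_host(payload)}: check for NAT/relay")
```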
Original Message:
Sent: Thu September 26, 2024 07:43 AM
From: Frank Eargle
Subject: Linux (Syslog) Server Reporting Issue
Try looking at SIEM generic log source. They are probably being sent there.
------------------------------
Frank Eargle
Original Message:
Sent: Wed September 25, 2024 08:20 AM
From: Arunkumar R
Subject: Linux (Syslog) Server Reporting Issue
Hi,
I have configured a syslog Linux server in QRadar but it is not updating the events.
As I verified using tcpdump (tcpdump -s 0 -A host <hostname> and port 514), I can see the logs in the CLI.
Also, I can find the events when I search for a unique string in an event payload that was received from the server.
I tried configuring both the IP and the hostname as the identifier, but no luck.
How can I troubleshoot further?
CLI log:
Event search:
Thanks
------------------------------
Arunkumar R
------------------------------