IBM QRadar

Hi guys,

We are reading logs with log file protocol on linux server, but it constantly stops the source log retrieval. Has anyone encountered this situation before, what solution can we apply?

Thanks in advance

Hello,

There are several possible reasons why the log retrieval is stopping. Here are some steps you can take to troubleshoot the issue:

1. Check the log file protocol settings: Ensure the log file protocol settings are correctly configured. This includes the log file path, file format, and any applied filters or exclusions.
2. Verify the log file permissions: Ensure that the user account running the log retrieval process has the necessary permissions to access the log files. This includes reading and executing permissions for the log file directory and the log files themselves.
3. Check for any errors or warnings in the log files: Look for any error messages or warnings in the log files that may indicate why the log retrieval is stopping. These messages can provide valuable insights into the issue.
4. Check the network connectivity: If the log files are stored on a remote server, ensure the network connectivity between the server and the client machine is stable. This can be a common cause of log retrieval issues.
5. Restart the log retrieval process: If none of the above steps resolves the issue, try restarting the log retrieval process. This can help clear any temporary problems that may be causing the process to stop.

Log file protocol configuration: https://www.ibm.com/docs/en/dsm?topic=options-log-file-protocol-configuration

Pulling data by using the log file protocol: https://www.ibm.com/docs/en/dsm?topic=gateway-pulling-data-by-using-log-file-protocol

Thank you