IBM QRadar

  • 1.  Windows

    Posted Wed June 12, 2019 11:52 PM
    Hi Team,

    I am trying to troubleshoot the Windows (server) log sources which are in error state.
    I have attached the screenshot here. We are using QRadar on Cloud (QROC). We have a lot of Windows authentication servers which are showing in error state. Need assistance regarding troubleshooting.
    What all should I check before approaching IBM support?

    Below are screenshots:
    1) Windows log sources
    2) Windows log source error
    Please assist.

    ------------------------------
    Asif Siddiqui
    ------------------------------


  • 2.  RE: Windows

    Posted Tue June 18, 2019 01:14 PM
    I guess I would contact support. All it means when it's in error state is that it has not gotten a log for some length of time. So depending on how you're getting logs, either your log forwarder is broken, WinCollect is broken, or Windows Event Forwarding (WEF) or Windows Event Collection (WEC) is broken. Without knowing how you are getting your logs I'm unfortunately not going to be able to help.

    ------------------------------
    Patrick Barnes
    ------------------------------



  • 3.  RE: Windows

    Posted Tue June 18, 2019 02:10 PM
    Hi. 

    Windows can be quite finicky.
    I usually search through error logs with a custom AQL query,
    and you may need to parse out the actual errors in the AQL responses.
    Windows needs different access to each layer, i.e.:
    Initial communication
    Then registry access
    Then log access
    And the errors from the AQL will show where the issue is.

    Thank you
    Jon


    ¸¸♬·¯·♩¸¸♪·¯·♫¸¸Peace and Love¸¸♬·¯·♩¸¸♪·¯·♫¸¸





  • 4.  RE: Windows

    Posted Tue June 18, 2019 03:36 PM
    You got examples of those queries you could share?

    ------------------------------
    Christopher Meenan
    ------------------------------



  • 5.  RE: Windows

    Posted Tue June 18, 2019 06:50 PM
    Hi


    Usually I perform

    "SELECT * FROM events WHERE LOGSOURCENAME(logsourceid) ILIKE '%logsourcename%' ORDER BY starttime ASC" (add a LIMIT if you need one). I'm not on a computer right now so the syntax may need to be checked.

    Once you have the log source information you can filter out the information with QIDNAME(qid) and that should give you the different events. I start with * because if we filter fields that have been parsed we may not see the information.

    Then once you have that you can categorise the events and sort them, usually by qid, message, even payload. The data is usually there.

    This was worked on numerous times with WinCollect with good results. The WinCollect errors are not usually parsed, but they're in the payload.

    With syslog, which I see you have configured, your mileage may vary, but it's worth a shot.
    I've found often the data just isn't parsed properly so you have to dig for it.

    You can also query the health monitoring DSM and you might find errors there as well, such as connectivity issues, but the host will send actual errors if possible. Each vendor is different.
    You may find that there is no good information to use, but it might be there.

    I hope this helps.
    Thank you
    Jon
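Jon's approach in post 5 and the three access layers from post 3, as an added Python example that is not from the thread or from IBM: build the AQL, run it through the QRadar Ariel REST API (/api/ariel/searches on the console) and bucket the returned events by which layer their payload points at. The keyword lists are constructed heuristics, not a WinCollect error catalogue, and the position of the LAST n MINUTES clause at the end of the query is assumed.

```python
import json
import time
import urllib.parse
import urllib.request

# Constructed keyword heuristics (not a WinCollect error catalogue): which of
# the three access layers named in the thread a payload points at.
LAYERS = {
    "initial communication": ("unreachable", "timed out", "rpc", "connect"),
    "registry access": ("registry",),
    "log access": ("access is denied", "event log", "eventlog"),
}

def build_aql(name_fragment: str, minutes: int = 60, limit: int = 200) -> str:
    """Filter on the log source name and pull the raw payload as text so
    unparsed WinCollect errors are not filtered away; oldest event first."""
    frag = name_fragment.replace("'", "''")  # AQL string literals use ''
    return (f"SELECT starttime, LOGSOURCENAME(logsourceid) AS logsource, "
            f"QIDNAME(qid) AS qidname, UTF8(payload) AS payload FROM events "
            f"WHERE LOGSOURCENAME(logsourceid) ILIKE '%{frag}%' "
            f"ORDER BY starttime ASC LIMIT {limit} LAST {minutes} MINUTES")

def classify(events: list) -> dict:
    """Bucket each event by the first layer whose keyword appears in its
    qidname or payload; events matching nothing land in 'unclassified'."""
    buckets = {layer: [] for layer in LAYERS}
    buckets["unclassified"] = []
    for ev in events:
        text = f"{ev.get('qidname', '')} {ev.get('payload', '')}".lower()
        layer = next((name for name, kws in LAYERS.items()
                      if any(k in text for k in kws)), "unclassified")
        buckets[layer].append(ev)
    return buckets

def run_search(console: str, token: str, aql: str, poll_s: float = 2.0) -> list:
    """Submit AQL to the Ariel REST API, poll until COMPLETED, return 'events'."""
    hdr = {"SEC": token, "Accept": "application/json"}  # authorised service token
    def get(path, method="GET"):
        req = urllib.request.Request(f"{console}/api/ariel/searches{path}",
                                     headers=hdr, method=method)
        with urllib.request.urlopen(req) as r:
            return json.load(r)
    sid = get(f"?query_expression={urllib.parse.quote(aql)}", "POST")["search_id"]
    while get(f"/{sid}")["status"] != "COMPLETED":
        time.sleep(poll_s)
    return get(f"/{sid}/results")["events"]
```

Typical use is `classify(run_search("https://console.example", TOKEN, build_aql("DC01")))`, then reading the non-empty buckets' payloads to see which layer the collector is failing at.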