You should probably clarify by "application log source" do you mean Windows Event Viewer application logs? Or do you mean a custom application that is sending Syslog (RFC5424 or 3164) or is this JDBC as you mentioned database team?
- For Syslog, you need to confirm the events are reaching QRadar with tcpdump: Using the command line to troubleshoot Syslog events. If your events are being received with tcpdump, you are going to want to confirm another log source isn't capturing these events. If you filter by source IP, are the events received by another log source? If yes, then you likely need to create a new log source type in the DSM Editor for these events.
- If your source is TLS Syslog, confirm you have the correct certificates. The certificate must be on the appliance listening for the events in the /opt/qradar/conf/trusted_certificates directory.
- If you are using JDBC, see this: https://www.ibm.com/support/pages/node/6464037.
I think it would be good for you to clarify the protocol type you are using for your log source. If you confirm the events are received, but seem to disappear from the UI, this could be a network issue where the NIC thinks the packets are being spoofed (martian packets).
------------------------------
Jonathan Pechta
QRadar Support Content Lead
Support forums: ibm.biz/qradarforums
jonathan.pechta1@ibm.com
------------------------------
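The reply above suggests capturing the traffic with tcpdump, filtering by source IP, and checking whether the events are RFC 5424 or RFC 3164 Syslog before deciding whether another log source is claiming them. The following Python script, which is an added example and not code from the thread or from IBM, does the offline half of that check: it takes (source IP, payload) pairs transcribed from a capture, classifies each payload as RFC 5424, RFC 3164 or neither, and summarizes per source IP which hostnames and application names appear, so the result can be compared against the log source identifiers configured in QRadar. The sample capture, the IP addresses and the host and application names in it are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: (source IP, raw Syslog payload) pairs as one might
# transcribe them from a tcpdump capture on the event collector. The IPs,
# hostnames and application names are placeholders, not real systems.
SAMPLE_CAPTURE = [
    ("10.0.0.5", "<134>1 2022-11-09T10:36:00Z appsrv01 myapp 4242 ID47 - user login ok"),
    ("10.0.0.5", "<134>1 2022-11-09T10:36:01Z appsrv01 myapp 4242 ID48 - user logout"),
    ("10.0.0.9", "<13>Nov  9 10:36:02 dbsrv01 postgres[1234]: connection received"),
    ("10.0.0.9", "this is not syslog at all"),
]

# RFC 5424: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID [SD] MSG
RFC5424_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d)\s(?P<timestamp>\S+)\s(?P<hostname>\S+)\s"
    r"(?P<appname>\S+)\s(?P<procid>\S+)\s(?P<msgid>\S+)\s(?P<rest>.*)$"
)
# RFC 3164: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG[pid]: MSG
# (senders that omit the hostname are not handled by this simple pattern)
RFC3164_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<timestamp>[A-Z][a-z]{2}\s{1,2}\d{1,2}\s\d{2}:\d{2}:\d{2})\s"
    r"(?P<hostname>\S+)\s(?P<rest>.*)$"
)


def parse_syslog(payload):
    """Classify one payload and pull out the fields a log source identifier is matched on."""
    m = RFC5424_RE.match(payload)
    if m:
        pri = int(m.group("pri"))
        return {"format": "RFC5424", "facility": pri // 8, "severity": pri % 8,
                "hostname": m.group("hostname"), "appname": m.group("appname")}
    m = RFC3164_RE.match(payload)
    if m:
        pri = int(m.group("pri"))
        # TAG is everything before the first colon; strip a trailing "[pid]".
        tag = m.group("rest").split(":", 1)[0]
        appname = re.sub(r"\[\d+\]$", "", tag)
        return {"format": "RFC3164", "facility": pri // 8, "severity": pri % 8,
                "hostname": m.group("hostname"), "appname": appname}
    # Neither header matched: the collector received bytes, but not Syslog.
    return {"format": "unknown", "facility": None, "severity": None,
            "hostname": None, "appname": None}


def events_from(capture, src_ip):
    """Filter the capture by source IP, as the reply suggests doing in tcpdump."""
    return [payload for ip, payload in capture if ip == src_ip]


def summarize(capture):
    """Per source IP, count (format, hostname, appname) triples seen."""
    summary = defaultdict(Counter)
    for src_ip, payload in capture:
        p = parse_syslog(payload)
        summary[src_ip][(p["format"], p["hostname"], p["appname"])] += 1
    return {ip: dict(c) for ip, c in summary.items()}


def report(capture):
    """Human-readable lines to compare against the configured log source identifiers."""
    lines = []
    for ip, counts in sorted(summarize(capture).items()):
        for (fmt, host, app), n in sorted(counts.items(), key=str):
            lines.append(f"{ip:<12} {fmt:<8} host={host} app={app} events={n}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_CAPTURE):
        print(line)
```

Reading the summary: an event whose source IP is the one you expect but whose hostname or application name differs from the log source identifier you configured is the case the reply describes, where another (or no) log source is matching the events; a payload reported as unknown means the packets arrive but do not carry a Syslog header the DSM can parse.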
Original Message:
Sent: Wed November 09, 2022 10:36 AM
From: Usman Saeed Raja
Subject: Application logs not coming
Hi guys,
I am working in a production environment and added a new application log source on QRadar so that its logs can be viewed in Log Activity. After properly configuring the log source, the logs are not incoming. Even though its entries are arriving accurately, which was confirmed with the database team, on QRadar the logs do not seem to be incoming.
What reasons can this be because of?
Thank you.
------------------------------
Usman Saeed Raja
------------------------------