IBM Security QRadar

  • 1.  Should not trigger the log stoppage [Service disruption] rule !!

    Posted Tue February 21, 2023 10:28 PM

    Hi,

    We have a requirement not to trigger a Log stoppage (Service Disruption) rule when a firewall is working in HA mode and one takes active and another becomes standby.

    It should not trigger a rule for log stoppage from one FW when the other one in HA is working fine and sending logs.

    Only create an offense if both firewalls have stopped sending events to QRadar.

    Could someone give me the condition or logic for the same?



  • 2.  RE: Should not trigger the log stoppage [Service disruption] rule !!

    Posted Wed February 22, 2023 06:35 AM

    You may follow the link below:

    https://community.ibm.com/community/user/security/discussion/monitoring-log-source-stopped-sending-logs-for-cluster-log-sources-1



    ------------------------------
    Sarat Sekhar
    ------------------------------



  • 3.  RE: Should not trigger the log stoppage [Service disruption] rule !!

    Posted Tue February 28, 2023 12:55 AM

    I tried this on 2 customers as a test; it seems it's not working as expected.




  • 4.  RE: Should not trigger the log stoppage [Service disruption] rule !!

    Posted Tue February 28, 2023 12:56 AM

    @Jonathan Pechta Do you have a better idea or an official IBM document to achieve this?