简体繁体 English

手动添加的QRadar SIEM AIO v7.3.0日志源显示状态N / A

[英]QRadar SIEM AIO v7.3.0 manually added Logsources are showing status N/A

原文 2017-11-12 13:55:43 1 2 security/ qradar

After QRadar deployment, some of the Log sources were autodiscovered as expected, but others which were not discovered by QRadar automatically, i had added them manually in admin->Log Sources using Bulk option. 部署QRadar之后，某些日志源已按预期自动发现，但其他一些不是QRadar自动发现的，我已经在admin-> Log Sources中使用Bulk选项手动添加了它们。

All of them are added successfully but they are still showing there Status as N/A. 所有这些都已成功添加，但它们仍在此处显示为N / A。 Even the log sources with status N/A are also appearing on Assets tab. 即使状态为N / A的日志源也出现在“资产”选项卡上。

I have also checked that there logs are also appearing in Log Activity tab. 我还检查了“日志活动”选项卡中是否还出现了日志。 Is it a known issue why the status is not showing Success on v7.3.0 even after receiving logs on QRadar? 这是一个已知问题，为什么即使在QRadar上接收到日志后状态仍未在v7.3.0上显示成功？

Thanks in Advance 提前致谢

2 个解决方案

You can check the Log Source İdentifier , Is it Hostname or IP? 您可以检查日志源İdentifier，它是主机名还是IP？ You should write "Hostname" if There is hostname after time information in the log.Likely you should write IP if there is IP after time information in the log.After that you sould enable/disable log source and wait a few minutes, it should be success. 如果日志中有时间后信息，则应写“主机名”。如果日志中有时间后信息，则应写IP。之后启用/禁用日志源并等待几分钟，获得成功。

For example; 例如; Apr 10 17:35:25 127.0.0.1 [Thread-62] com.q1labs.hostcontext.health.Agent: [INFO] ... 4月10日17:35:25 127.0.0.1 [Thread-62] com.q1labs.hostcontext.health.Agent：[INFO] ...

You should write 127.0.0.1 on Log source identifier . 您应该在Log source identifier上写127.0.0.1。

I hope this information will help you. 希望这些信息对您有所帮助。

If you are seeing logs from the sources showing as N/A, this is a known issue. 如果您看到来源显示为N / A的日志，则这是一个已知问题。 If memory serves me this is pretty common for Cisco eStreamer protocol devices. 如果内存为我服务，这对于Cisco eStreamer协议设备是很常见的。