Re: No logs getting pushed to QRadar using syslog subscription

pravhali · ‎03-16-2021

Hi,

I have created new log subscription to push logs on syslog to a QRader system. But it just sits there saying "Not computed" under Size. Also could not see any error or connection status in either mail_logs nor system_logs.

Did I miss something to configure?

Libin Varghese · ‎03-16-2021

The logs are pushed based on the rollover size or time configured under it.

You could try FTP to the device to see what the contents are within that log directory.

Once it reaches the size or time the files should be pushed to syslog and can be verified using a packet capture for the syslog server.

The not computed size would generally show up when the directory is empty, however this can be verified by you using FTP to the device.

Regards,

Libin

pravhali · ‎03-19-2021

Hi Libin,

FTP is not enabled in the remote QRadar server. However I tried enabling
FTP transfer on ESA and could see 512.6MB of data. Now changed it back to
syslog and nothing happens.

Also I don't see any errors or status message in logs when it is configured
for syslog

Libin Varghese · ‎03-21-2021

I meant FTP on the ESA to look at the log size, however looks like you did that.

Since we have data on the ESA, you would need to look at what the rollover size and time configured as mentioned in my previous reply.

Regards,

Libin