QRadar troubleshooting
This section provides information to help you solve problems you might encounter when using Kaspersky CyberTrace with QRadar.
If you encounter a problem while using Kaspersky CyberTrace, the specialists at Kaspersky can assist you. Contact your technical account manager (TAM) for more information about solutions to problems.
Problem: QRadar does not display the events from Feed Service or displays them incorrectly
To solve this problem, try the following actions:
- Make sure that the Feed Service computer is turned on and Feed Service is running.
- Make sure that the Feed Service configuration file contains a correct output connection string and the format of output events conforms to the QRadar LEEF standard.
- Make sure that Feed Service is added to QRadar as a log source.
- Make sure that the QIDs of the Feed Service events are imported to QRadar.
- Make sure that the QIDs are correctly mapped to the Feed Service events.
- Make sure that the QRadar computer is accessible from the Feed Service computer.
- Make sure that the port specified in the output connection string is open.
Problem: Feed Service does not receive events from QRadar
To solve this problem, try the following actions:
- Make sure that the events are forwarded from QRadar to Feed Service and the routing rules are set correctly.
- Make sure that the Feed Service computer is turned on and Feed Service is running.
- Make sure that the QRadar computer is turned on and QRadar is running.
- Make sure that the Feed Service computer is accessible from the QRadar computer. You can use the ping utility for this purpose.
- Make sure that the port that is specified in the input connection string is open on the Feed Service computer. You can use the netcat utility for this purpose.
- Check the regular expressions in the Feed Service configuration file or by using the Settings > Events Format tab in Kaspersky CyberTrace Web.
Problem: After Kaspersky Threat Feed App is installed and custom event properties are added, some of these event properties are incorrectly extracted from the detection event context
To solve this problem, try the following actions:
- In QRadar Console, select Admin > Custom Event Properties.
- Locate the custom event properties with the Log Source Type value of Kaspersky CyberTrace by sorting the table by log source type.
- Select the row corresponding to the property that is extracted incorrectly and click Edit.
The Custom Event Property Definition window opens.
- In the Test Field form, paste an example of an event generated by Kaspersky CyberTrace that contains the incorrectly extracted property.
- In the Property Expression Definition pane, in the Extraction section, change the value in the RegEx field from %property%=([^=]*)(?:\s[^=]+=) to %property%=\[(.*)\], where %property% is the property name.
- Click Test to make sure the required part of the event is highlighted in the Test Field form.
- Click Save to apply the changes.
Problem: After Kaspersky Threat Feed App is installed, no chart is displayed
To solve this problem, try the following actions:
- Wait until the data is loaded by QRadar.
Do the same when you change the log source name in the Kaspersky Threat Feed App settings.
Problem: A search cannot be made using Kaspersky Threat Feed App, or the self-test of Kaspersky Threat Feed App fails
To solve this problem, try the following actions:
- Make sure that you have specified the correct value in the Feed Service Connection String setting of Kaspersky Threat Feed App.
- If Kaspersky CyberTrace is installed on the QRadar computer, add the necessary iptables rules, as described in section "Configuring Kaspersky Threat Feed App".
Problem: When you add a new regular expression to the event output format, QRadar extracts the incorrect corresponding value from Kaspersky CyberTrace detection events
To solve this problem, make sure that event fields in a row are separated by a tab character, as required by the LEEF standard.
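The two RegEx values from the custom event property steps above and the tab-separator requirement from this last problem, tried against constructed sample events. This is an added example, not Kaspersky's or IBM's code; the LEEF header, field names and values are placeholders, not CyberTrace's actual fields.

```python
import re

# Regex templates quoted in the custom event property troubleshooting step;
# %property% is replaced with the custom event property name before use.
OLD_TEMPLATE = r"%property%=([^=]*)(?:\s[^=]+=)"
NEW_TEMPLATE = r"%property%=\[(.*)\]"

# Constructed sample events in LEEF layout (tab-separated key=value pairs).
# Header, field names and values are placeholders, not real CyberTrace output.
HEADER = "LEEF:1.0|Kaspersky Lab|CyberTrace|2.0|Detected|"
EVENT_MIDDLE = HEADER + "category=[Malicious_URL]\tsrc=10.0.0.5"
EVENT_LAST = HEADER + "src=10.0.0.5\tmatched=[http://example.invalid/path?id=7]"
EVENT_SPACES = HEADER + "category=[Malicious_URL] src=10.0.0.5"  # wrong separator


def build_regex(template: str, prop: str) -> re.Pattern:
    """Substitute the property name into a template, escaping it so that a
    name containing regex metacharacters is still matched literally."""
    return re.compile(template.replace("%property%", re.escape(prop)))


def extract(template: str, prop: str, event: str):
    """Return group 1 of the first match, or None when the regex does not match."""
    match = build_regex(template, prop).search(event)
    return match.group(1) if match else None


def leef_fields(event: str) -> dict:
    """Split the attribute part of a LEEF line on tab characters, as the LEEF
    standard requires. A space-separated line collapses into one oversized value."""
    attrs = event.split("|", 5)[5]
    fields = {}
    for item in attrs.split("\t"):
        key, _, value = item.partition("=")
        fields[key] = value
    return fields


if __name__ == "__main__":
    # Old template keeps the brackets when another field follows ...
    print(extract(OLD_TEMPLATE, "category", EVENT_MIDDLE))  # [Malicious_URL]
    # ... and fails here: the '=' inside the value stops [^=]*, and no later
    # field supplies the whitespace and '=' the non-capturing group requires.
    print(extract(OLD_TEMPLATE, "matched", EVENT_LAST))     # None
    # New template returns the bare value in both cases (note that .* is greedy,
    # so it captures up to the last ']' on the line).
    print(extract(NEW_TEMPLATE, "category", EVENT_MIDDLE))  # Malicious_URL
    print(extract(NEW_TEMPLATE, "matched", EVENT_LAST))     # http://example.invalid/path?id=7
    print(leef_fields(EVENT_SPACES)["category"])            # [Malicious_URL] src=10.0.0.5
```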