IBM QRadar

  • 1.  bulk editing log source type

    Posted Thu July 01, 2021 10:12 AM

    My network team has configured some network devices to forward logs to me via syslog; these are Juniper devices. Unfortunately the system has recognized some of them as Cisco devices.

    Now I have about 500 devices under the log source type Cisco IOS, instead of Juniper Junos OS Platform. This has happened before also, but at those times it was just a couple of devices so I fixed them manually; now however there are 500+ devices that need to be fixed.

    I have the Log Source Management app installed, but even with that, as far as I am aware, I can only fix the name and description but not the log source type. Is there any automated way I can do this instead of having to do 500 devices manually?

    I am hoping someone can at least direct me in the right direction, table names etc., because I can't seem to find much information about this online.

    PS: I already opened a case with support about this and they came back after a few days saying this requires too much custom script beyond our scope, you will need to engage Professional Services.

    My final idea, if I am not able to fix this through psql, is to just delete all the Cisco log sources, turn off the Cisco DSM and hopefully when a log comes in they get recognized as Juniper.



    #QRadar
    #Support
    #SupportMigration


  • 2.  RE: bulk editing log source type

    Posted Thu July 01, 2021 05:04 PM

    If you have Log Source Management app v6.0 or later, you should be able to modify a Log Source Type from Cisco IOS to Juniper Junos OS. However, you cannot do it as a bulk edit.

    Before you modify the log sources, did you try changing the parsing order to add Juniper Junos OS above Cisco IOS? I'm not sure if support already advised that you make that change, but I would start with updating the parsing order. You do not want new events to categorize against Cisco IOS in the future, but I'm not sure if the root of the parsing issue was fixed before support advised you to update your Log Source Type. There is likely a really close match or something in the payload changes, and Cisco IOS is likely higher in the parsing order list than Juniper Junos.

    There is an option in the LSM app on an advanced tab to disable automatic discovery for a log source, if you do not have Cisco IOS devices in your network. However, it would be better to update the parsing order first or get support to tell you WHY the event is incorrectly being assigned to the wrong log source type. It is not uncommon for users to report issues where log sources get incorrectly assigned to the wrong type as the payloads are very similar or a change occurred on a product. Development would review this issue from provided example payloads.

    I would highly recommend you NOT attempt to make these changes via psql; it is a multi-step process and can get complicated. It is possible to bulk edit in psql and in the QRadar API, but it is not something support typically handles and can get really complicated. This is why you were directed to Security Expert Labs (professional services).


    Questions

    • What actions were taken in your case?
    • Did support provide a description as to why the event is being categorized under the wrong log source type?
    • Did support disable Cisco IOS auto discovery for you?

    Actions

    I think you will need to edit these manually unfortunately. However, you want to ensure you don't have to do it again in the future, and I could not tell from your post if there was a solution provided. Be aware, if you do not see your changes in the UI after you change the Log Source Type, you might need to restart tomcat to get the changes applied after you use the LSM app and update the log source type. This is an issue we've reported to development, which is under investigation.


    If you want to email me with your case number, I can take a look at this further to understand actions completed. You can reach out to me at: jonathan.pechta1Support Member



    #QRadar
    #Support
    #SupportMigration
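    The reply above notes that a bulk edit is possible through the QRadar REST API but is not something support handles. The script below is an added example written for this thread; it is not code from the thread, from IBM, or from the Log Source Management app. It assumes the QRadar REST API endpoints for log source types and log sources (API version 12 or later, SEC token authentication), that the type names are spelled as in the DSM list ("Cisco IOS", "Juniper Junos OS Platform"), and that the affected devices can be told apart by a hostname pattern such as `^jnp-`. It defaults to a dry run that only lists what would change, restricts the change set to log sources that are both of the wrong type and match the name pattern (so genuine Cisco devices are never touched), and patches in small batches. Fix the parsing order or auto-discovery first, as the reply says, or the same mis-typing will recur for newly discovered devices.

```python
"""Bulk re-type QRadar log sources through the REST API.

Added example, not code from the thread, IBM, or the LSM app. It assumes
these QRadar REST API endpoints (API version 12 or later) and a SEC
authorized-service token; check them against the API docs on your console:
  GET   /api/config/event_sources/log_source_management/log_source_types
  GET   /api/config/event_sources/log_source_management/log_sources
  PATCH /api/config/event_sources/log_source_management/log_sources (list body)
Runs as a dry run unless DRY_RUN=0 is set, so the first pass only reports.
"""
import json
import os
import re
import ssl
import sys
import urllib.request

API_VERSION = "12.0"  # assumed value for the Version header
LS_PATH = "/api/config/event_sources/log_source_management/log_sources"
TYPES_PATH = "/api/config/event_sources/log_source_management/log_source_types"


def type_id_by_name(types, wanted):
    """Numeric id of the log source type called `wanted`, or None."""
    for t in types:
        if t.get("name") == wanted:
            return t["id"]
    return None


def select_targets(log_sources, from_type_id, name_pattern):
    """Log sources that are currently `from_type_id` AND whose name matches
    `name_pattern`. Filtering on the name as well as the type is what keeps
    genuine Cisco devices out of the change set."""
    rx = re.compile(name_pattern)
    return [ls for ls in log_sources
            if ls.get("type_id") == from_type_id and rx.search(ls.get("name", ""))]


def build_patch_body(targets, to_type_id):
    """PATCH body: one object per log source carrying only id and new type_id."""
    return [{"id": ls["id"], "type_id": to_type_id} for ls in targets]


def chunked(seq, size):
    """Split the change set so one rejected batch does not fail all devices."""
    return [seq[i:i + size] for i in range(0, len(seq), size)]


def api_call(base_url, token, path, method="GET", body=None, insecure=False):
    """Minimal QRadar REST call. SEC and Version are the documented auth and
    API-versioning headers. `insecure` skips TLS verification only for a
    console that still has its self-signed certificate."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(base_url + path, data=data, method=method)
    req.add_header("SEC", token)
    req.add_header("Version", API_VERSION)
    req.add_header("Accept", "application/json")
    if data is not None:
        req.add_header("Content-Type", "application/json")
    ctx = ssl._create_unverified_context() if insecure else None
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)


def main():
    base = os.environ["QRADAR_URL"]          # e.g. https://console.example (placeholder)
    token = os.environ["QRADAR_TOKEN"]       # authorized-service token
    from_name = os.environ.get("FROM_TYPE", "Cisco IOS")
    to_name = os.environ.get("TO_TYPE", "Juniper Junos OS Platform")
    pattern = os.environ["NAME_PATTERN"]     # e.g. r"^jnp-" (assumed naming scheme)
    dry_run = os.environ.get("DRY_RUN", "1") != "0"
    insecure = os.environ.get("QRADAR_INSECURE") == "1"

    types = api_call(base, token, TYPES_PATH, insecure=insecure)
    from_id = type_id_by_name(types, from_name)
    to_id = type_id_by_name(types, to_name)
    if from_id is None or to_id is None:
        sys.exit(f"type lookup failed: {from_name}={from_id}, {to_name}={to_id}")

    # Server-side filter on type_id keeps the response to the suspect set.
    wrong = api_call(base, token, f"{LS_PATH}?filter=type_id%3D{from_id}", insecure=insecure)
    targets = select_targets(wrong, from_id, pattern)
    print(f"{len(targets)} of {len(wrong)} '{from_name}' log sources match {pattern!r}")
    for ls in targets:
        print(f"  {ls['id']:>6}  {ls['name']}")
    if dry_run:
        print("dry run: set DRY_RUN=0 to apply")
        return
    for batch in chunked(build_patch_body(targets, to_id), 50):
        api_call(base, token, LS_PATH, method="PATCH", body=batch, insecure=insecure)
        print(f"patched {len(batch)} log sources")


if __name__ == "__main__":
    main()
```

    Run it once with the default dry run and compare the listed names against the network team's device inventory before setting DRY_RUN=0; the APAR mentioned later in the thread means a tomcat restart may still be needed before the UI reflects the new type.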


  • 3.  RE: bulk editing log source type

    Posted Thu July 01, 2021 05:11 PM

    I had to flag this post and edit it to get the contents to format the bulleted list correctly. If you saw your post being flagged, it was due to me flagging my response.



    #QRadar
    #Support
    #SupportMigration


  • 4.  RE: bulk editing log source type

    Posted Thu July 01, 2021 06:15 PM

    The LSM and Tomcat issue I mentioned is logged, in case you want to be notified when the issue is fixed. https://www.ibm.com/support/pages/apar/IJ33113



    #QRadar
    #Support
    #SupportMigration


  • 5.  RE: bulk editing log source type

    Posted Sun July 04, 2021 05:15 AM

    Thanks a lot Jonathan for your detailed and descriptive response. Unless I am misunderstanding parsing order, it applies specifically to a single log source when you are receiving multiple types of logs from it, and ordering would fix its recognition. But for me I am only receiving one type of logs from each of these sources. Once I change it to Juniper manually, it does not again create another log source for Cisco or miscategorize the logs.

    If there is a way to globally define in QRadar to first always try the Juniper DSM before Cisco, please do let me know.

    I guess for me I am just going to disable the Cisco DSM and delete all the log sources and let them get recognized again; hopefully they will get categorized properly and I can go from there.


    As for your question about support, unfortunately they did not suggest any of those activities; they just came back with "contact PS".



    #QRadar
    #Support
    #SupportMigration