I've found a solution in the meantime. Funny that nobody gave a hint to use multiline syslog, in order to combine LDAP events based on the connection ID. Really helpful here, I must say...
------------------------------
Joel König
------------------------------
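The grouping described in the reply, as an added Python illustration that is not part of the original thread or of QRadar's multiline syslog configuration: it keys slapd "stats" log lines on their conn ID and emits one combined event when slapd logs the connection as closed, so interleaved connections stay separate. The sample log lines are constructed.

```python
import re

# Constructed sample slapd stats-level lines as they would arrive over syslog,
# with two connections interleaved. Not taken from the original post.
SAMPLE_LINES = [
    'Nov 30 09:14:01 ldap01 slapd[1234]: conn=1001 fd=12 ACCEPT from IP=10.0.0.5:51234 (IP=0.0.0.0:389)',
    'Nov 30 09:14:01 ldap01 slapd[1234]: conn=1002 fd=13 ACCEPT from IP=10.0.0.9:40210 (IP=0.0.0.0:389)',
    'Nov 30 09:14:01 ldap01 slapd[1234]: conn=1001 op=0 BIND dn="cn=admin,dc=example,dc=com" method=128',
    'Nov 30 09:14:01 ldap01 slapd[1234]: conn=1001 op=0 RESULT tag=97 err=0 text=',
    'Nov 30 09:14:02 ldap01 slapd[1234]: conn=1002 op=0 BIND dn="uid=jdoe,ou=people,dc=example,dc=com" method=128',
    'Nov 30 09:14:02 ldap01 slapd[1234]: conn=1002 op=0 RESULT tag=97 err=49 text=',
    'Nov 30 09:14:02 ldap01 slapd[1234]: conn=1001 op=1 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(uid=jdoe)"',
    'Nov 30 09:14:02 ldap01 slapd[1234]: conn=1001 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=',
    'Nov 30 09:14:02 ldap01 slapd[1234]: conn=1002 fd=13 closed',
    'Nov 30 09:14:03 ldap01 slapd[1234]: conn=1001 op=2 UNBIND',
    'Nov 30 09:14:03 ldap01 slapd[1234]: conn=1001 fd=12 closed',
]

CONN_RE = re.compile(r'slapd\[\d+\]: conn=(\d+) (.*)$')   # conn ID is the grouping key
ACCEPT_RE = re.compile(r'ACCEPT from IP=([\d.]+):\d+')     # client address on the ACCEPT line
BIND_RE = re.compile(r'BIND dn="([^"]*)"')                 # who authenticated
RESULT_RE = re.compile(r'RESULT tag=\d+ err=(\d+)')        # LDAP result code of an operation
OP_RE = re.compile(r'^op=\d+ (\w+)')                       # operation verb (BIND, SRCH, UNBIND, ...)

def combine_by_connection(lines):
    """Return (closed_events, still_open): one combined event per conn ID,
    emitted when slapd logs 'conn=N fd=M closed'. Connections whose close
    line has not arrived yet are returned separately instead of being lost."""
    pending, events = {}, []
    for line in lines:
        m = CONN_RE.search(line)
        if not m:
            continue  # not a per-connection slapd line (e.g. daemon startup); ignore
        conn, rest = m.groups()
        ev = pending.setdefault(conn, {'conn': conn, 'client_ip': None, 'bind_dn': None,
                                       'ops': [], 'errors': [], 'lines': 0})
        ev['lines'] += 1
        if (a := ACCEPT_RE.search(rest)):
            ev['client_ip'] = a.group(1)
        elif (b := BIND_RE.search(rest)):
            ev['bind_dn'] = b.group(1)
        if (r := RESULT_RE.search(rest)) and r.group(1) != '0':
            ev['errors'].append(int(r.group(1)))   # e.g. 49 = invalidCredentials
        if (o := OP_RE.match(rest)) and o.group(1) not in ('RESULT', 'SEARCH'):
            ev['ops'].append(o.group(1))
        if rest.endswith(' closed'):
            events.append(pending.pop(conn))        # connection complete: emit one event
    return events, pending
```

A multiline syslog start/end pattern keyed only on ACCEPT and closed lines would mis-merge the two interleaved connections above; the conn ID is what keeps them apart.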
Original Message:
Sent: Thu November 30, 2023 09:14 AM
From: Joel König
Subject: Challenges with Open LDAP Log Integration and Log Parsing Verification in QRadar
Hello QRadar Community,
I'm reaching out to seek insights and guidance on specific challenges I'm facing with IBM QRadar SIEM, particularly regarding Open LDAP logs and log parsing.
Combining Open LDAP Logs into One Event Based on a Unique Connection ID: I am working with Open LDAP logs and am looking to enhance the way these logs are handled in QRadar. The goal is to combine multiple log entries into a single event based on a unique connection ID. I believe this would streamline the analysis process. I'm looking for advice on how best to implement this in QRadar, whether through custom rules or leveraging existing features. Any experiences or suggestions on this would be greatly appreciated.
Log Parsing Issue for a Specific Log Source: I'm encountering an issue where some log entries from a specific log source are not searchable in QRadar. However, I have confirmed that these logs are indeed arriving at the SIEM, as evidenced by a tcpdump. What puzzles me is why these specific logs are not being parsed or indexed correctly, making them unsearchable within the platform. Are there known issues or troubleshooting steps that could help resolve this? Any tips for diagnosing and correcting log parsing issues in QRadar, especially when it comes to ensuring complete log visibility, would be very helpful.
I'm looking forward to any suggestions, tips, or shared experiences that could assist in resolving these issues. Your input is invaluable.
------------------------------
Joel König
------------------------------