Well, in my lab these unreadable "Stored" messages are rather intensive, so I am using Routing rules to drop them for now - but I would be quite undecided what to do if it were in some of my clients' environments.
------------------------------
Dusan VIDOVIC
------------------------------
Original Message:
Sent: Wed September 17, 2025 08:26 AM
From: Ralph Belfiore
Subject: CRE logs unreadable after upgrade to QRadar UP13
Hey Dusan, nope.. I still can see a couple of those unusable stuff.. as well after UP13IF02 applied. Just a couple but some a day..
Because of that less amount currently I just "ignore" them .. still :)
Regards,
Ralph
------------------------------
Ralph Belfiore
Managing Consultant | SIEM Security Strategy & Data Resilience
connecT SYSTEMHAUS AG
Siegen
Original Message:
Sent: Wed September 17, 2025 04:21 AM
From: Dusan VIDOVIC
Subject: CRE logs unreadable after upgrade to QRadar UP13
Ralph, were you able to track / resolve the cause of this behaviour? I still have the same unreadable stuff appearing after applying UP13IF02.
------------------------------
Dusan VIDOVIC
Original Message:
Sent: Wed August 27, 2025 07:59 AM
From: Ralph Belfiore
Subject: CRE logs unreadable after upgrade to QRadar UP13
Hi,
if you mean something like this from "Custom Rule Engine-8":
I agree, this seems to be "new" :( and also shows up with UP13 IF01.
Regards,
Ralph
------------------------------
Ralph Belfiore
Managing Consultant | SIEM Security Strategy & Data Resilience
connecT SYSTEMHAUS AG
Siegen
Original Message:
Sent: Tue August 26, 2025 07:15 AM
From: Ökkes Güngör
Subject: CRE logs unreadable after upgrade to QRadar UP13
After upgrading to UP13, the built-in log source "Custom Rule Engine-8 " started generating events with unreadable binary/unparsed payloads. These logs were not present before the upgrade and now create noise in Log Activity.
What is the recommended solution or fix for this issue?
------------------------------
Ökkes Güngör
------------------------------