IBM QRadar

The custom parser is for the log source you are doing the uDSM for.
DSM Tutorial Part One (Jan 24 2018) https://youtu.be/LRhNMejQFNM
QRadar DSM Editor Tutorial in less than 10 minutes https://youtu.be/KF40bba_kp0 QRadar

------------------------------
Richard Gingras
QRadar SME
IBM Security
Cambridge MA
------------------------------

Original Message:
Sent: Thu April 18, 2019 02:58 PM
From: Jason Granger
Subject: DSM Editor

I have a simple question:

 

If I were to parse a custom field from a particular log source, is this type of action reverted back to all logs?  Or only new logs sent from the particular log source?

 

Regards,

Jason

Customization of existing log source by adding extra field would be for the specific log source only

------------------------------
Richard Gingras
QRadar SME
IBM Security
Cambridge MA
------------------------------

Original Message:
Sent: Thu April 18, 2019 02:58 PM
From: Jason Granger
Subject: DSM Editor

I have a simple question:

 

If I were to parse a custom field from a particular log source, is this type of action reverted back to all logs?  Or only new logs sent from the particular log source?

 

Regards,

Jason

From what I can observe any change to a parsing expression for a custom field will only apply going forward.  Parsing takes place during the ingress process, and once stored logs are not re-parsed.

Now I was not 100% sure of this so I checked a change I made to a custom property, and noticed that logs prior to that were in the older format, and only logs ingested after the change was made had the new format.

------------------------------
James Hewitt
QRadar Log Content Manager
Dish
------------------------------

Original Message:
Sent: Thu April 18, 2019 02:58 PM
From: Jason Granger
Subject: DSM Editor

I have a simple question:

 

If I were to parse a custom field from a particular log source, is this type of action reverted back to all logs?  Or only new logs sent from the particular log source?

 

Regards,

Jason

Hi Jason,

here are the results you're looking for.
(Test done on versions 7.3.0 patch7 and 7.3.1 patch8)

When you edit a log source type with the DSM editor, it creates a new log source extension (LSX), e.g. IOS_ext. Afterwards,it's associated to every log source of that type in your database, unless some of them already have a LSX association. In that case, it's not overwritten. Note that the DSM editor forces this new LSX created from the DSM editor to be default for the type you modified, therefore all new log sources will be parsed using this new LSX.

To answer you question in a one liner -> Yes it will change all your log sources of the same type, unless they already have a LSX association.

I've tested on the latest patches of 7.3.0 and 7.3.1, but I'm pretty sure it's the samething for any patch releases in these versions. I can't speak for 7.2.8.

Good luck with your project!

------------------------------
Anthony Gayadeen
Analyst
Videotron
QC
------------------------------

Original Message:
Sent: Thu April 18, 2019 02:58 PM
From: Jason Granger
Subject: DSM Editor

I have a simple question:

 

If I were to parse a custom field from a particular log source, is this type of action reverted back to all logs?  Or only new logs sent from the particular log source?

 

Regards,

Jason