IBM QRadar

  • 1.  Events in SIM Generic Log DSM have Source IP 0.0.0.0 after UP 10 Update

    Posted Wed October 23, 2024 03:33 AM

    Hi everyone,

    I have installed UP 10 on our test system and I noticed that all events in the SIM Generic Log DSM have Source IP 0.0.0.0. On our production system on UP 9 IF 03 all the events there have the sending system's IP as Source IP (as described here).

    I use the Source IP to identify where the events are coming from, especially with malformed events that do not provide any other useful information.

    Did anyone else notice this behaviour as well?

    Best regards
    Simon



  • 2.  RE: Events in SIM Generic Log DSM have Source IP 0.0.0.0 after UP 10 Update

    Posted Wed October 23, 2024 09:41 AM

    Hi Simon,

    I observed the same behavior at our customers' appliances as well after upgrading to UP 10.

    It would be really great to see this fixed.

    Regards

    Martin



    ------------------------------
    Martin O.
    ------------------------------



  • 3.  RE: Events in SIM Generic Log DSM have Source IP 0.0.0.0 after UP 10 Update

    Posted Fri October 25, 2024 04:58 AM

    Hi Simon,

    Do these events have an IPv6 address?  Also do these events have a source IP set in the payload?

    What was the behaviour prior to UP10?

    Thanks



    ------------------------------
    John Dawson
    Qradar Support Architect
    IBM
    ------------------------------



  • 4.  RE: Events in SIM Generic Log DSM have Source IP 0.0.0.0 after UP 10 Update

    Posted Fri October 25, 2024 05:26 AM

    Hi John,

    The Source IPv6 is always 0:0:0:0:0:0:0:0. Some of those events have IP addresses in the message part, but not in the Syslog header. I also found some events where the Source IP is correct; in that case the Log Source Identifier is the same IP address. The events without a proper Source IP have a Log Source Identifier which is not an IP address.

    Before the update all events had a proper Source IP, regardless of the Log Source Identifier.

    According to the release notes of UP 10, a feature added was "IPv6 addresses in syslog headers can now be parsed for Log Source IDs.". Maybe this change affected how the Source IP is set?

    Best regards
    Simon



    ------------------------------
    Simon S.
    ------------------------------
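The distinction Simon describes above (header identifier is an IP literal versus a hostname) is easy to triage offline before raising a case. The script below is an added example, not part of this thread and not QRadar code: it parses the HOST field of RFC 3164 / RFC 5424 syslog headers from constructed sample lines, classifies it as IPv4, IPv6, hostname or unusable (no header, or an unspecified address such as 0.0.0.0), and falls back to the sender's packet address where the header carries no usable IP. It also lists IPv4 literals found in the message body, since some of the affected events only carry an address there. The sample lines, packet addresses and function names are assumptions for illustration.

```python
"""Triage syslog events whose source attribution depends on the header HOST field.

Constructed example, not QRadar code: classifies the HOST field of RFC 3164 /
RFC 5424 syslog headers and falls back to the sender's packet address when the
header does not carry a usable IP literal. Sample lines and names are assumptions.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# RFC 3164 header: <PRI>Mmm dd hh:mm:ss HOST MSG
RFC3164 = re.compile(
    r"^<\d{1,3}>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d (?P<host>\S+) (?P<msg>.*)$"
)
# RFC 5424 header: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID [SD] MSG
RFC5424 = re.compile(r"^<\d{1,3}>1 \S+ (?P<host>\S+) \S+ \S+ \S+ (?P<msg>.*)$")
# IPv4 literals inside the message body, used only as a hint for the analyst
IPV4_IN_TEXT = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


@dataclass
class Triage:
    header_host: Optional[str]   # HOST field from the syslog header, None if no header parsed
    kind: str                    # "ipv4", "ipv6", "hostname" or "none"
    identifier: str              # what a header-keyed collector would use as log source identifier
    source_ip: str               # address the event is attributed to
    message_ips: List[str] = field(default_factory=list)  # IPv4 literals in the message body


def classify(host: Optional[str]) -> str:
    """Classify a syslog HOST field. Unspecified addresses (0.0.0.0, ::) count as unusable."""
    if host is None or host == "-":
        return "none"
    try:
        addr = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return "hostname"
    if addr.is_unspecified:
        return "none"
    return "ipv4" if addr.version == 4 else "ipv6"


def triage(line: str, packet_src: str) -> Triage:
    """Attribute one event: prefer an IP literal in the header, else the sender's packet address."""
    m = RFC5424.match(line) or RFC3164.match(line)
    host = m.group("host") if m else None
    body = m.group("msg") if m else line
    kind = classify(host)
    hints = IPV4_IN_TEXT.findall(body)
    if kind in ("ipv4", "ipv6"):
        canonical = str(ipaddress.ip_address(host.strip("[]")))  # normalises IPv6 spelling
        return Triage(host, kind, canonical, canonical, hints)
    # Hostname or no usable header: key on the hostname if present, attribute to the packet source
    identifier = host if kind == "hostname" else packet_src
    return Triage(host, kind, identifier, packet_src, hints)


def triage_batch(events: List[Tuple[str, str]]) -> List[Triage]:
    """events: (raw syslog line, packet source address of the sender) pairs."""
    return [triage(line, src) for line, src in events]


def fallback_identifiers(events: List[Tuple[str, str]]) -> List[str]:
    """Identifiers that are not IP literals: the ones the thread reports arriving with Source IP 0.0.0.0."""
    return sorted({t.identifier for t in triage_batch(events) if t.kind not in ("ipv4", "ipv6")})


# Constructed sample events (hypothetical lines and sender addresses)
SAMPLE_EVENTS = [
    ("<34>Oct 23 03:33:01 10.0.0.5 sshd[123]: Failed password for root from 203.0.113.7 port 22 ssh2", "10.0.0.5"),
    ("<34>Oct 23 03:33:02 fw-edge-01 kernel: DROP IN=eth0 SRC=198.51.100.9 DST=10.0.0.5", "10.0.0.9"),
    ("<165>1 2024-10-23T03:33:03Z 2001:db8::1 app 4711 ID47 - login ok", "2001:db8::1"),
    ("garbage without any syslog header", "10.0.0.20"),
    ("<13>Oct 23 03:33:04 0.0.0.0 agent: heartbeat", "10.0.0.30"),
]

if __name__ == "__main__":
    for t in triage_batch(SAMPLE_EVENTS):
        print(f"{t.kind:9} identifier={t.identifier:16} source_ip={t.source_ip:16} msg_ips={t.message_ips}")
    print("non-IP identifiers:", fallback_identifiers(SAMPLE_EVENTS))
```

Running the script over real exported payloads (one line per event, paired with the sender address from the collector) gives a quick list of which log source identifiers are hostnames rather than IP literals, which is the set to compare against the events showing 0.0.0.0 before and after the upgrade.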



  • 5.  RE: Events in SIM Generic Log DSM have Source IP 0.0.0.0 after UP 10 Update

    Posted Fri October 25, 2024 06:41 AM

    Hi Simon,

    There were some changes around IPv6 events in UP10.  I would suggest opening a support case so the events which have a source IP and the difference between the previous release and UP10 can be investigated by support.

    Thanks

    John



    ------------------------------
    John Dawson
    Qradar Support Architect
    IBM
    ------------------------------



  • 6.  RE: Events in SIM Generic Log DSM have Source IP 0.0.0.0 after UP 10 Update

    Posted Mon October 28, 2024 08:37 AM

    Yes, if there are IPv6 addresses involved, there is an RFE in progress on it.  I have spoken to some QR Architects about it and saw it is on the QR Roadmap at TechExchange last week.  Lots of times events from cloud sources have no source or destination, causing that as well; we often use the DSM editor to force blanks to some loopback address other than 127.0.0.1.



    ------------------------------
    Frank Eargle
    ------------------------------