IBM QRadar

Hi all, 

So I've downloaded the QRadar community edition and I'm trying to understand how it works. 

As my first test after installing it is that I installed the Log Source Management plugin and I want to consume syslog messages pushed from a Juniper vSRX. 

I set up a single log source with the hostname of the device as the unique identifier


However all the events are being recorded as: Juniper Networks Routing Platform Message


So for example if I have this syslog message:

<27>Apr 6 16:51:58 <MyDeviceHostname> rmopd[27262]: RMOPD_ICMP_SENDMSG_FAILURE: sendmsg(ICMP): No route to host

It gets parsed incorrectly as an IDP event
And this happens to every event that occurs

However when I open the extract properties option there is this browse event name option:

So I think it's unreasonable for me to set the format correctly for every message. 
Any ideas why it's not parsing the message correctly? Is there some configuration I've missed? 

I'm assuming it's matching the incorrect QID as seen below from the same event:


------------------------------
Jonathan Nakandala
------------------------------

So I've tried to investigate a bit more and looked closer at the config guide here: https://www.ibm.com/support/knowledgecenter/SS42VS_DSM/com.ibm.dsm.doc/t_DSM_guide_Juniper_Junos_cfg.html

this is the device syslog config:

The format of the syslog has changed:

<30>1 2020-04-07T18:52:56.708+08:00 <MyDeviceHostname>  rmopd 27262 PING_PROBE_FAILED [junos@2636.1.1.1.2.129 test-owner="lbo-probe-62.25.73.65-local" test-name="test-icmp-62.25.73.65"]

But they're still not being picked up properly, it's recognising it as a :Juniper Networks Routing Platform Stored Event



------------------------------
Jonathan Nakandala
------------------------------

Original Message:
Sent: Mon April 06, 2020 05:35 AM
From: Jonathan Nakandala
Subject: Juniper SRX syslog messages types not being correctly detected

Hi all, 

So I've downloaded the QRadar community edition and I'm trying to understand how it works. 

As my first test after installing it is that I installed the Log Source Management plugin and I want to consume syslog messages pushed from a Juniper vSRX. 

I set up a single log source with the hostname of the device as the unique identifier

However all the events are being recorded as: Juniper Networks Routing Platform Message

So for example if I have this syslog message:

<27>Apr 6 16:51:58 <MyDeviceHostname> rmopd[27262]: RMOPD_ICMP_SENDMSG_FAILURE: sendmsg(ICMP): No route to host

It gets parsed incorrectly as an IDP event
And this happens to every event that occurs

However when I open the extract properties option there is this browse event name option:

It does have the correct message type:

So I think it's unreasonable for me to set the format correctly for every message. 
Any ideas why it's not parsing the message correctly? Is there some configuration I've missed? 

I'm assuming it's matching the incorrect QID as seen below from the same event:

------------------------------
Jonathan Nakandala
------------------------------