Hi dear,
I wanted to bring to your attention the issue regarding the handling of MSGTRK logs in QRadar. We resolved the "Array index out of range" problem by adding the path for these logs.
When testing the log source, I get several warnings regarding the pattern. Some log files could not be found in specific locations with the default pattern that QRadar is using (screenshots attached).
Furthermore, when reviewing the events for this log source, only MSGTRK events are being successfully parsed. On the other hand, OWA and SMTP events are appearing as unknown which is really strange (screenshots attached).
The client mentioned that MSGTRK logs are relatively small in size, whereas both OWA and SMTP logs are approximately 1.5 GB each. Is it possible that QRadar is unable to process and parse these logs due to their large size? Could this be a sizing issue?
Additionally, the client confirmed that they have not made any customizations to their logs and that these are the default logs.
Given this situation, I would appreciate your guidance on the appropriate steps to take.
Thank you.
------------------------------
Dany El-Nghaywe
------------------------------
Original Message:
Sent: Thu June 22, 2023 03:58 PM
From: Jonathan Pechta
Subject: Microsoft Exchange Server
This issue is also being discussed here: https://www.reddit.com/r/QRadar/comments/14fdsy9/microsoft_exchange_server/.
I believe that this issue is due to the LSM app's test tool always attempting to run paths for SMB connections, even if a path is left blank intentionally. As mentioned in the Reddit thread, I think this might be a logged issue, but I need to dig further. I think the expectation or summary here is that the UI does not force you to fill in all folder paths, so why does the test tool attempt to run a connection check on a path that knowingly does not exist or was left intentionally blank?
Looking into this further...
------------------------------
Jonathan Pechta
QRadar Support Content Lead
Support forums: ibm.biz/qradarforums
jonathan.pechta1@ibm.com
Original Message:
Sent: Wed June 21, 2023 05:42 PM
From: Dany El-Nghaywe
Subject: Microsoft Exchange Server
Hello! I'm currently working on integrating a Microsoft Exchange Server with QRadar. I successfully added a new Log Source and provided the necessary configuration parameters. However, I encountered an error during the test phase: "Error: Array index out of range: 0." I would greatly appreciate any assistance in understanding the cause of this error and finding a solution. Additionally, although I am receiving events from the Exchange Server, they are all unparsed, which is unexpected since QRadar typically provides an out-of-the-box DSM for Exchange Server integration. Any guidance on resolving this issue would be highly valued.
------------------------------
Dany El-Nghaywe
------------------------------