We have a customized DSM for CheckPoint log source, where we are collecting Admin logs, for most of the CheckPoint GAIA Embedded log sources, we are getting logs as Unknown. While checking in DSM editor, it is showing as Parsed and Mapped, but there is no logs in the log source. What could be the issue?

Hello Arul,

Check if you have done the QID mapping correctly. Follow :

https://www.ibm.com/support/pages/creating-custom-dsm

Thanks,

Ashish

Hello Arul.

This could be also helpful for event parsing.

QRadar Parsing - Introduction

https://www.youtube.com/watch?v=MP6grxJvxn0

QRadar DSM Editor Tutorial Part One

https://www.youtube.com/watch?v=LRhNMejQFNM

QRadar DSM Editor Tutorial in less than 10 minutes

https://www.youtube.com/watch?v=KF40bba_kp0

QRadar Parsing - Stored and Unknown

https://www.youtube.com/watch?v=GgPW5OVwoMY

Thanks.

Brian.

Hello Arul,

did you solve your issue? I have a similar problem. In DSM the events are Status: "Parsed and mapped", Event ID, Event Category and Event Name are filled out, but in Log view EventID and Event Category are shown as "N/A". In Event Detail view they are shown as "null". I discovered that problem because Identity Information was nut updated. The DSM i used i had to do an overwrite for the EventID because it was not parsed in the original DSM. I did an overwrite of the Event Category and then the Identity information was working at least, but Event ID and Event Category are still null. The event Name is correct and i also did a remapping to a newly created QID the event name changes correctly but the problem with the Event ID and Category persists.

Thanks

Martin