IBM QRadar


What are the major differences between the DSM Editor and a Log Source Extension (LSX) in IBM QRadar?

  • 1.  What are the major differences between the DSM Editor and a Log Source Extension (LSX) in IBM QRadar?

    Posted Wed August 02, 2023 09:54 AM

    What are the major differences between the DSM Editor and a Log Source Extension (LSX) in IBM QRadar?

    Team, please clarify.



    ------------------------------
    TAPAS KUMAR BARIK
    ------------------------------


  • 2.  RE: What are the major differences between the DSM Editor and a Log Source Extension (LSX) in IBM QRadar?

    Posted Tue August 08, 2023 04:31 PM

    A Log Source Extension is an XML file that outlines how QRadar should parse events for specific fields from an event payload. You can think of an LSX as either a whole DSM that tells QRadar how to parse incoming data for a certain Log Source Type, or an LSX can be used to adjust parsing as an override for an existing Log Source Type. For example, your DSM needs to use different regex to handle situations where the SourceIP field might use src= for the IP address in one event payload, but then in the next payload it uses computer=. The LSX defines how the event payload is parsed and can handle parsing situations where you need multiple regex patterns to parse events. In the past, users had to write LSX (XML files) by hand. This was time consuming and prone to errors...

    The DSM Editor takes this concept of needing to write and adjust parsing for events and wraps all of the functionality into a user interface. For example, you can send an event to QRadar, highlight the unparsed event and use that Payload in the DSM Editor to create an override or an entire DSM. The DSM Editor can take multiple payloads, display them in the Workload area, and then you can write regex or define LEEF, CEF, or NVPs to highlight and understand visually what data is captured from the payload. The DSM Editor also adds functionality, like allowing users to create custom events (QIDs - event name, description, low level category, and severity) and to map or remap events to custom values.

    So, in a nutshell an LSX is an XML file that tells QRadar how to parse an event payload that in the past you would write manually. The DSM Editor is the next step that can help you create custom log sources, visualize parsing, or create and map events in a user interface.

    I think the easier way to think of it is like this...
    - An LSX is a flat file on how to parse event data.
    - The DSM Editor is like a development interface (IDE) for your event data. 



    ------------------------------
    Jonathan Pechta
    QRadar Support Content Lead
    Support forums: ibm.biz/qradarforums
    jonathan.pechta1@ibm.com
    ------------------------------
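The answer describes the case an LSX exists to handle: one field (SourceIP) that appears as src= in one payload and computer= in the next, so two regex patterns must be tried in order. The following is an added example, not code from the post or from IBM. It embeds a small constructed LSX-style document and a minimal Python emulation of the ordered, first-match-wins matcher logic so you can see which pattern fills which field for a few constructed payloads. The element names (device-extension, pattern, match-group, matcher) and the field name SourceIp follow the standard LSX format as assumed here; the page itself does not show the schema, and the regexes and sample events are made up for illustration. Real QRadar parsing does more than this (QID mapping, event categories, substitutions), so treat it as a study aid for reading an LSX, not as a replacement for the DSM Editor.

```python
import re
import xml.etree.ElementTree as ET

# Constructed LSX-style document (assumed element/attribute names; regexes are
# illustrative only). Two matchers target SourceIp: order="1" looks for src=,
# order="2" falls back to computer=, which is exactly the situation the answer
# describes.
LSX = r"""<?xml version="1.0" encoding="UTF-8"?>
<device-extension xmlns="event_parsing/device_extension">
  <pattern id="EventName" xmlns=""><![CDATA[\baction=(\w+)]]></pattern>
  <pattern id="SourceIp-src" xmlns=""><![CDATA[\bsrc=(\d{1,3}(?:\.\d{1,3}){3})]]></pattern>
  <pattern id="SourceIp-computer" xmlns=""><![CDATA[\bcomputer=(\d{1,3}(?:\.\d{1,3}){3})]]></pattern>
  <pattern id="UserName" xmlns=""><![CDATA[\buser=(\S+)]]></pattern>
  <match-group order="1" description="Example override" xmlns="">
    <matcher field="EventName" order="1" pattern-id="EventName" capture-group="1"/>
    <matcher field="SourceIp" order="1" pattern-id="SourceIp-src" capture-group="1"/>
    <matcher field="SourceIp" order="2" pattern-id="SourceIp-computer" capture-group="1"/>
    <matcher field="UserName" order="1" pattern-id="UserName" capture-group="1"/>
  </match-group>
</device-extension>
"""

# Constructed sample payloads: the first uses src=, the second computer=, the
# third carries no source address at all.
PAYLOADS = [
    "action=login user=alice src=10.0.0.5 result=ok",
    "action=login user=bob computer=10.0.0.9 result=fail",
    "action=logout user=carol",
]


def load_lsx(xml_text):
    """Compile the patterns and build an ordered matcher plan from an LSX document.

    Returns a list of match-groups (sorted by their order attribute); each
    match-group is a list of (field, compiled_regex, capture_group) tuples,
    sorted by the matcher order attribute.
    """
    root = ET.fromstring(xml_text)
    # Child elements declare xmlns="" so their tags carry no namespace prefix.
    patterns = {p.get("id"): re.compile(p.text) for p in root.iter("pattern")}
    plan = []
    for group in sorted(root.iter("match-group"), key=lambda g: int(g.get("order", "0"))):
        matchers = sorted(group.findall("matcher"), key=lambda m: int(m.get("order", "0")))
        plan.append([
            (m.get("field"), patterns[m.get("pattern-id")], int(m.get("capture-group", "1")))
            for m in matchers
        ])
    return plan


def parse_payload(plan, payload):
    """Apply the matcher plan to one payload; the lowest-order matcher that hits wins a field.

    Fields no matcher can satisfy are simply absent from the result, mirroring
    an unparsed field in QRadar rather than a fabricated value.
    """
    fields = {}
    for matchers in plan:
        for field, regex, group in matchers:
            if field in fields:
                continue  # a lower-order matcher already filled this field
            match = regex.search(payload)
            if match:
                fields[field] = match.group(group)
    return fields


def parse_all(plan, payloads):
    """Parse a list of payloads and return one field dict per payload."""
    return [parse_payload(plan, p) for p in payloads]


if __name__ == "__main__":
    plan = load_lsx(LSX)
    for payload, fields in zip(PAYLOADS, parse_all(plan, PAYLOADS)):
        print(payload)
        print("   ->", fields)
```

Reading the output against the XML is the useful part: the second payload gets its SourceIp from the order="2" matcher only because the order="1" pattern found nothing, and the third payload shows what an unmatched field looks like, which is the kind of gap the DSM Editor's Workload view makes visible before an extension goes to production.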