IBM Security QRadar

  • 1.  "Event 0" and "Parsing Failed"

    Posted Thu April 01, 2021 04:13 PM

    Hello,

    We have QRadar 7.4.2 and send syslog messages from a Sophos UTM 9. The Log Source Type is "Sophos Astaro Security Gateway". AutoUpdate is enabled.

    Most of the events are shown as "Event 0". Does anyone else have this problem?

    When I open these events in the DSM Editor, no "Event ID" is recognized. So I try to configure this with a regex (I have already done this successfully with other log sources) and see from the different colors in "Workspace" that it should actually be right. The "Log Activity Preview" shows the correct value in the "Event ID" column. But there is still this message "Parsing Failed" in "Parsing Status*". "Generic List" does not work either.
    Does anyone know the reason?

    Regards,
    Harald



    ------------------------------
    Harald Dunkel
    ------------------------------


  • 2.  RE: "Event 0" and "Parsing Failed"

    IBM Champion
    Posted Fri April 02, 2021 11:33 AM
    Hello Harald,

    It seems that the event goes through the parsing section of the pipeline to be parsed against the properties of this DSM and the text of this specific event, and something is going wrong there. The processing seems to be throwing an exception, and a qidmap lookup does not occur. Because of that, the event is blank, no QID was obtained, and it just shows "Event 0" as the name.
    The low level category is linked to the QID, so it is faulted as well. The "parsing error" message shown in the DSM Editor could be because something else does not fit when parsing other properties from the payload.

    Maybe there are other dependencies I've not currently covered... It's difficult to specifically advise what to do. Because the log source type is a standard DSM listed in the DSM Guide, maybe it makes sense to open a ticket with IBM Support to investigate. Maybe the currently applied version of Sophos Astaro Security Gateway comes into play as well...

    Hope this is useful.

    Regards,
    Ralph

    ------------------------------
    Ralph Belfiore
    SIEM Expert
    pro4bizz GmbH
    Karlsruhe
    +49 721 90981727
    ------------------------------