IBM Security QRadar

  • 1.  DSM count on Event Processor

    Posted Mon February 22, 2021 01:28 PM
    Hello experts,

    I have an AIO QRadar console and an Event Processor, both running 7.4.1 FP 1. I wanted to see the number of DSMs on both the console and the Event Processor.

    I ran "rpm -qa | grep -i dsm" on both the console and the EP. I was expecting to see the same DSMs on both appliances; however, on my console I saw a lot of DSMs, while none on my EP.

    I thought the Console is meant to update the EP with the DSMs. 

    Regards,

    ------------------------------
    benjamin Nworah
    ------------------------------


  • 2.  RE: DSM count on Event Processor

    IBM Champion
    Posted Mon February 22, 2021 01:45 PM
    Hello Benjamin,

    DSMs are only managed by the console.

    Regards,
    Ralph

    ------------------------------
    Ralph Belfiore
    IT Security Senior Consulting
    pro4bizz GmbH
    Karlsruhe
    +49 721 90981720
    ------------------------------



  • 3.  RE: DSM count on Event Processor

    Posted Mon February 22, 2021 04:30 PM
    Hello Ralph,

    Thanks for the feedback

    The EP performs normalization (parsing) using the regex within the DSM, right? Why then will an EP have no DSM?

    Regards,

    ------------------------------
    benjamin Nworah
    ------------------------------



  • 4.  RE: DSM count on Event Processor

    Posted Tue February 23, 2021 10:58 AM
    Hello Benjamin,

    EPs do not have the DSM rpms installed, but the DSM JAR files (and any other needed artifacts) are there. Rpms are only installed on the console. Deploy actions run from the Admin tab will cause any artifacts installed on the console to be distributed to managed hosts (ECs, EPs, etc) as needed. So it's normal to see no DSM rpms installed on EPs, but the DSM code will be there.

    Cheers
    Colin

    ------------------------------
    COLIN HAY
    IBM Security
    ------------------------------
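    One way to verify what Colin describes, as an added example that is not part of the thread and not IBM's own tooling: take the "rpm -qa | grep -i dsm" output from the console and a JAR listing from the EP, reduce both to bare DSM names, and report any DSM the console has that the EP does not. The sample listings below are constructed, and the naming patterns assumed (RPMs named DSM-<Name>-<version>-<build>.noarch, JARs named DSM-<Name>.jar) and the JAR directory are assumptions that may need adjusting for a real appliance.

```shell
#!/bin/sh
# Added example (not from the thread or from IBM): compare the DSM names seen
# via "rpm -qa" on the console with the DSM JAR names found on an Event
# Processor, to confirm that a deploy pushed every DSM to the managed host.
#
# Assumptions (not stated on the page): DSM RPMs are named
# DSM-<Name>-<version>-<build>.noarch and the distributed JARs are named
# DSM-<Name>.jar; the JAR directory below is a placeholder.

# Constructed sample of "rpm -qa | grep -i dsm" output from the console.
CONSOLE_RPMS='DSM-CiscoASA-7.4-20210218123456.noarch
DSM-LinuxOS-7.4-20210110101010.noarch
DSM-MicrosoftWindows-7.4-20210201090909.noarch'

# Constructed sample JAR listing from the EP (one DSM deliberately missing).
EP_JARS='/assumed/jar/dir/DSM-CiscoASA.jar
/assumed/jar/dir/DSM-LinuxOS.jar'

# Reduce an RPM name list to bare DSM names, one per line, sorted and unique.
dsm_names_from_rpms() {
    printf '%s\n' "$1" | sed -n 's/^\(DSM-[A-Za-z0-9]*\)-[0-9].*$/\1/p' | sort -u
}

# Reduce a JAR path list to bare DSM names, one per line, sorted and unique.
dsm_names_from_jars() {
    printf '%s\n' "$1" | sed -n 's#^.*/\(DSM-[A-Za-z0-9]*\)\.jar$#\1#p' | sort -u
}

# Print the DSM names present on the console but absent from the EP.
# EP names are tagged "E" and read first, so a console name ("C") that was
# never seen as "E" is reported as missing.
missing_on_ep() {
    {
        dsm_names_from_jars "$2" | sed 's/^/E /'
        dsm_names_from_rpms "$1" | sed 's/^/C /'
    } | awk '$1 == "E" { seen[$2] = 1 } $1 == "C" && !seen[$2] { print $2 }'
}

# Stand-alone run over the constructed samples: reports DSM-MicrosoftWindows.
missing_on_ep "$CONSOLE_RPMS" "$EP_JARS"
```

    On a real deployment, save the console's "rpm -qa | grep -i dsm" output and the EP's JAR listing to two variables or files and pass them in the same way; an empty result means every DSM RPM on the console has a matching JAR on the EP, and a non-empty result is a prompt to run a deploy and check again.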



  • 5.  RE: DSM count on Event Processor

    Posted Tue February 23, 2021 11:04 AM
    Hello Colin,

    Thank you so much for this beautiful insight.

    Please note that I have sent you the payload of the Forcepoint device discussed in my other post on your LinkedIn. Please do check.

    Regards,

    ------------------------------
    benjamin Nworah
    ------------------------------