IBM Security QRadar


Problems when try using DLC to collect TCPMultiline logs

  • 1.  Problems when try using DLC to collect TCPMultiline logs

    Posted Fri April 30, 2021 10:13 AM

    Hello All!

    We have an environment using DLC to forward default syslog over TCP and UDP to QRadar, and it really works fine. Servers -> DLC (514/UDP or TCP) -> QRadar.
    But now it is necessary to use the DLC server to handle TCP Multiline Syslog too. So we used the IBM DLC Guide; we configured and added the new log source in the logSources.json file, the test script runs without any errors, the firewall rules on the DLC were adjusted, and the source server can establish a connection to the TCP Multiline port open on the DLC server.
    But when we send logs to the DLC on the TCP multiline port, the logs are seen in tcpdump arriving at the DLC, but the logs aren't forwarded to QRadar.
    Has anyone else had the same problem and managed to resolve it?

    Thank you in advance.



    ------------------------------
    Rodrigo Teixeira
    ------------------------------


  • 2.  RE: Problems when try using DLC to collect TCPMultiline logs

    Posted Mon July 26, 2021 08:25 AM
    I would guess that DLC can't find either the startRegex or the endRegex in order to put the payloads together. What do those entries look like in your logSources.json file?

    ------------------------------
    Mario Palombo
    ------------------------------
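
The failure mode Mario describes can be reproduced without a DLC at all. The Python below is an added illustration and is not DLC's own code, nor does it reproduce the logSources.json schema: it reassembles multiline events from a TCP stream using a start regex and an optional end regex over a constructed sample stream, and shows that a start regex which never matches (here one anchored with ^ that forgets the syslog header at the front of each line) yields zero events even though every line arrived. That is exactly the "visible in tcpdump, nothing forwarded" symptom. The function names, the parameter names and the sample stream are all assumptions made for the example.

```python
import re

# Constructed sample stream (not real DLC traffic): three multiline events, each
# opened by a syslog header line and followed by indented continuation lines.
SAMPLE_STREAM = (
    "<13>Apr 30 10:13:01 app01 TRANSACTION START id=1001\n"
    "  user=alice\n"
    "  action=login\n"
    "<13>Apr 30 10:13:02 app01 TRANSACTION START id=1002\n"
    "  user=bob\n"
    "  action=transfer amount=250\n"
    "<13>Apr 30 10:13:03 app01 TRANSACTION START id=1003\n"
    "  user=carol\n"
    "  action=logout\n"
)


def assemble_events(stream, start_regex, end_regex=None, stream_closed=True):
    """Group the lines of a TCP stream into events (hypothetical assembler).

    A line matching start_regex opens a new event and flushes the previous one.
    If end_regex is given, a line matching it closes the current event at once.
    Lines seen before any start match belong to no event and are dropped.
    With stream_closed=False the trailing, still-open event is held back, as a
    live collector must do until the next start line (or an end match) arrives.
    """
    start = re.compile(start_regex)
    end = re.compile(end_regex) if end_regex else None
    events, current = [], []
    for line in stream.splitlines():
        if start.search(line):
            if current:
                events.append("\n".join(current))
            current = [line]
        elif current:
            current.append(line)
            if end and end.search(line):
                events.append("\n".join(current))
                current = []
    if current and stream_closed:
        events.append("\n".join(current))
    return events


def diagnose(stream, start_regex, end_regex=None):
    """Counts a practitioner wants side by side: lines that reached the
    collector, lines the start regex matched, events actually assembled."""
    lines = stream.splitlines()
    matched = sum(1 for line in lines if re.search(start_regex, line))
    events = assemble_events(stream, start_regex, end_regex)
    return {
        "lines_received": len(lines),
        "start_matches": matched,
        "events": len(events),
    }


if __name__ == "__main__":
    # Regex that accounts for the syslog header in front of the marker.
    print(diagnose(SAMPLE_STREAM, r"TRANSACTION START id=\d+"))
    # Regex anchored at line start: every line begins with "<13>", so nothing
    # ever matches and nothing is forwarded, although all 9 lines arrived.
    print(diagnose(SAMPLE_STREAM, r"^TRANSACTION START"))
```

Two checks fall out of this. First, run the start regex against a raw line captured by tcpdump, header and all, rather than against the application's idea of the message; an anchor or a literal that does not allow for the priority and timestamp prefix matches nothing. Second, if only a single test event is sent and no end regex closes it, an assembler cannot know the event is complete until the next start line arrives, so one lone event may legitimately sit unforwarded.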