IBM Security QRadar

In QRadar 741, even though I provided the "Override event delimiter" configuration in DSM Editor and Saved it, I do not see the "Override event delimiter" configuration saved. When I open the DSM again, I find that the "Override event delimiter" configuration value has disappeared. Please help.<o:p></o:p>

Hi Nitesh,

This setting does not persist, it's just for your current session in the DSM Editor. Note that it does not affect how QRadar collects or parses real events as they are obtained, it just affects how the DSM Editor perceives events in the Workspace, and determines how those sample events are used in the Log Activity Preview, to ensure multiline events are treated as a single event instead of broken up into multiple events, one per line.

To change how QRadar actually processes multiline events in realtime, you'd need to use one of the protocol types with support for multiline data, like TCP Multiline Syslog, UDP Multiline Syslog, TLS Syslog or Log File.

Cheers
Colin

In QRadar 741, even though I provided the "Override event delimiter" configuration in DSM Editor and Saved it, I do not see the "Override event delimiter" configuration saved. When I open the DSM again, I find that the "Override event delimiter" configuration value has disappeared. Please help.<o:p></o:p>

Hi Nitesh,

This setting does not persist, it's just for your current session in the DSM Editor. Note that it does not affect how QRadar collects or parses real events as they are obtained, it just affects how the DSM Editor perceives events in the Workspace, and determines how those sample events are used in the Log Activity Preview, to ensure multiline events are treated as a single event instead of broken up into multiple events, one per line.

To change how QRadar actually processes multiline events in realtime, you'd need to use one of the protocol types with support for multiline data, like TCP Multiline Syslog, UDP Multiline Syslog, TLS Syslog or Log File.

Cheers
Colin

In QRadar 741, even though I provided the "Override event delimiter" configuration in DSM Editor and Saved it, I do not see the "Override event delimiter" configuration saved. When I open the DSM again, I find that the "Override event delimiter" configuration value has disappeared. Please help.<o:p></o:p>

Hi Nitesh,

This setting does not persist, it's just for your current session in the DSM Editor. Note that it does not affect how QRadar collects or parses real events as they are obtained, it just affects how the DSM Editor perceives events in the Workspace, and determines how those sample events are used in the Log Activity Preview, to ensure multiline events are treated as a single event instead of broken up into multiple events, one per line.

To change how QRadar actually processes multiline events in realtime, you'd need to use one of the protocol types with support for multiline data, like TCP Multiline Syslog, UDP Multiline Syslog, TLS Syslog or Log File.

Cheers
Colin

In QRadar 741, even though I provided the "Override event delimiter" configuration in DSM Editor and Saved it, I do not see the "Override event delimiter" configuration saved. When I open the DSM again, I find that the "Override event delimiter" configuration value has disappeared. Please help.<o:p></o:p>