IBM Security QRadar

Expand all | Collapse all

Replace Strings In Custom Property

  • 1.  Replace Strings In Custom Property

    Posted Mon August 31, 2020 09:00 AM
    Dear Community,

    I have a log source that sends urls to QRadar. Those urls contain a query part, i.e.
    Messages are forwarded to QRadar via Syslog in CEF-Format. The equals sign has a special meaning in  CEF (key-value-separator). Therefore the CEF-forwarder escapes them with a backslash. The resulting string would be\=1234.
    In my custom DSM I do capture the string via regex and assign it (including the backslash) to a custom propery. How can I achieve to remove the backslash from the property value?

    Many thanks in advance for your help.

  • 2.  RE: Replace Strings In Custom Property

    Posted Fri September 11, 2020 08:51 AM
    I've seen some fields need \\ instead of \ in that type of scenario.  I recommend you try each in the DSM editor and see what returns the proper regex.  Then put that in your LSX.

    Frank Eargle