In the event payload it is almost always possible to add fields after the payload. One example is X-Forwarded-For; it is almost always added after the other built-in fields in a web server's log. You will have to custom parse it or extract it via the DSM editor. Watch the event size though. UDP syslog is limited by a payload of 1500 bytes or so; TCP can be much larger, but you also have to set the maximum size expected in the QRadar Admin\Setup. Do not go over 32K, as Ariel doesn't do well with larger payloads. If you have a WAF like F5 you will need a huge payload, as the headers and all can be large.
For flows, I do not think it is possible to add anything. I'm not sure it would be technically possible for the collection devices to add anything to payloads. You have to think of it as a PCAP. There is often metadata available such as QNI adds, but that is different than the flow payload.
------------------------------
Frank Eargle
------------------------------
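One way to custom parse an appended X-Forwarded-For field outside the DSM editor, as an added example that is not from the original post or from IBM: a small Python parser that assumes the web server writes the combined log format with the header value appended as one final quoted field, and that applies the size limits Frank mentions. The sample lines are constructed.

```python
import re

# Combined log format with the X-Forwarded-For value appended as a final
# quoted field (assumed layout, e.g. LogFormat "... \"%{X-Forwarded-For}i\"").
COMBINED_WITH_XFF = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
    r'(?: "(?P<xff>[^"]*)")?\s*$'
)

UDP_SYSLOG_LIMIT = 1500        # practical UDP syslog payload ceiling from the post
TCP_SYSLOG_LIMIT = 32 * 1024   # stay below this; Ariel handles larger payloads poorly


def parse_event(payload: str) -> dict:
    """Extract built-in fields plus the appended X-Forwarded-For chain."""
    m = COMBINED_WITH_XFF.match(payload)
    if not m:
        raise ValueError("payload does not match the expected combined log format")
    fields = m.groupdict()
    xff = fields.pop("xff")
    # X-Forwarded-For is a comma-separated chain: leftmost is the original
    # client (untrusted, client-supplied), rightmost is the proxy nearest the
    # server. Keep the whole chain so the proxy hop can be correlated too.
    chain = [ip.strip() for ip in xff.split(",") if ip.strip()] if xff and xff != "-" else []
    fields["xff_chain"] = chain
    fields["xff_client"] = chain[0] if chain else None
    # Size checks: a line that exceeds the UDP limit is truncated in transit,
    # so the appended field is the first thing lost.
    size = len(payload.encode("utf-8"))
    fields["payload_bytes"] = size
    fields["fits_udp"] = size <= UDP_SYSLOG_LIMIT
    fields["fits_tcp_max"] = size <= TCP_SYSLOG_LIMIT
    return fields


# Constructed sample log lines (not real traffic).
SAMPLE_WITH_XFF = (
    '203.0.113.10 - - [16/Nov/2021:09:59:00 +0000] "GET /login HTTP/1.1" 200 512 '
    '"-" "Mozilla/5.0" "198.51.100.7, 203.0.113.10"'
)
SAMPLE_WITHOUT_XFF = (
    '203.0.113.10 - - [16/Nov/2021:09:59:01 +0000] "GET /index.html HTTP/1.1" 200 1024 '
    '"-" "curl/7.79"'
)

if __name__ == "__main__":
    for line in (SAMPLE_WITH_XFF, SAMPLE_WITHOUT_XFF):
        ev = parse_event(line)
        print(ev["client"], ev["xff_client"], ev["payload_bytes"], ev["fits_udp"])
```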
Original Message:
Sent: Tue November 16, 2021 09:59 AM
From: Michail Christof
Subject: Add custom content (text) to the payload from QRadar UI
Hi Community,
Is it possible to add any custom content (text) to the payload from the QRadar UI?
For example, I want to add "Hostname" or "IP" after the time in the payload.
I faced an issue with the log source identifier in QRadar.
Kind Regards,
Michail
------------------------------
Michail Christof
------------------------------