IBM Security QRadar

  • 1.  custom script running on managed host.

    Posted 16 days ago

    Hello

    We are running a script that outputs the results in standard syslog RFC format. I currently use logger to send it to one of the managed hosts. Upon checking the results in Log Activity, though, it appears to be hitting the custom rule engine of that managed host. What can I do so it hits the event processor? This way I can create a custom DSM.

    Thanks in advance.



    ------------------------------
    QRD
    ------------------------------


  • 2.  RE: custom script running on managed host.

    Posted 15 days ago

    Hello QRD,

    When you say "custom rule engine of that managed host", do you mean the Custom Rule Engine log source? If yes, then make sure you have a differentiating identifier added in logger which can help you identify those logs. Later, create a new custom log source with Universal DSM with the same identifier, so that those events will get mapped to the new log source.



    ------------------------------
    Vishal Tangadkar
    IBM Software Support
    IBM INDIA PVT LTD
    ------------------------------



  • 3.  RE: custom script running on managed host.

    Posted 14 days ago

    Hi Vishal

    The messages (output of the script) appear to be logged by the "Custom Rule Engine-8" log source and "Custom Rule Engine Message". Each message is tagged, e.g. MyScript123. I followed your suggestion, i.e. created a new log source (log source type = Universal DSM, log source identifier = MyScript123) and deployed. I re-ran the script, but the message still appears as "Custom Rule Engine Message" from the Custom Rule Engine-8 log source. What am I doing wrong?



    ------------------------------
    QRD
    ------------------------------