Hi,
I am not receiving proper events for an offense from Linux logs.
The offense is getting generated for the event below:
<86>Mar 9 15:32:49 abcd sshd[27574]: input_userauth_request: invalid user ${jndi [preauth]
But the proper event is:
<86>Mar 9 15:32:49 abcd sshd[27574]: Invalid user ${jndi from 10.x.x.71 port 12776
Offense Events:
Both source and destination are the same
<86>Mar 9 15:32:49 abcd sshd[27574]: input_userauth_request: invalid user ${jndi [preauth]

Search events:
<86>Mar 9 15:32:49 abcd sshd[27574]: Invalid user ${jndi from 10.x.x.71 port 12776

I can see both events in the search, but it does not capture them as events in the offense.
How can I tune this to get the exact event for the alert? Could anyone please assist in getting this issue resolved?
Thanks
------------------------------
Arunkumar R
------------------------------
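
An added example, not part of the original post and not QRadar configuration: of the two sshd lines quoted above, only the `Invalid user ... from ... port ...` line carries a client address, so this sketch parses both formats and fills the missing address on the `input_userauth_request` line from the sibling line written by the same sshd process (same host and PID). The function names and the sample address 192.0.2.71 are assumptions made for illustration.

```python
import re

# Constructed sample lines modelled on the two events in the post; the
# client address 192.0.2.71 is a documentation-range placeholder.
SAMPLE = [
    "<86>Mar 9 15:32:49 abcd sshd[27574]: Invalid user ${jndi from 192.0.2.71 port 12776",
    "<86>Mar 9 15:32:49 abcd sshd[27574]: input_userauth_request: invalid user ${jndi [preauth]",
]

HEADER = re.compile(
    r"^<\d+>(?P<ts>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
WITH_ADDR = re.compile(r"^Invalid user (?P<user>.*) from (?P<src>\S+) port (?P<port>\d+)$")
NO_ADDR = re.compile(r"^input_userauth_request: invalid user (?P<user>.*) \[preauth\]$")


def parse(line):
    """Return the fields of one sshd syslog line, or None if it is not recognised."""
    h = HEADER.match(line)
    if not h:
        return None
    ev = {"host": h["host"], "pid": int(h["pid"]), "src": None, "port": None}
    m = WITH_ADDR.match(h["msg"])
    if m:
        ev.update(kind="invalid_user", user=m["user"], src=m["src"], port=int(m["port"]))
        return ev
    m = NO_ADDR.match(h["msg"])
    if m:
        # This message format has no address field at all.
        ev.update(kind="preauth_invalid_user", user=m["user"])
        return ev
    return None


def correlate(lines):
    """Copy the client address onto address-less events from the same sshd process."""
    events = [e for e in map(parse, lines) if e]
    with_addr = {(e["host"], e["pid"]): e for e in events if e["src"]}
    for e in events:
        peer = with_addr.get((e["host"], e["pid"]))
        if e["src"] is None and peer:
            e["src"], e["port"], e["inferred"] = peer["src"], peer["port"], True
    return events


if __name__ == "__main__":
    for event in correlate(SAMPLE):
        print(event)
```
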