IBM QRadar

  • 1.  QRadar using Default Event-Mapping

    Posted Fri October 11, 2024 02:29 PM

    Hello,
    Created a new Log Source - "QRadar Collector Monitor".
    It receives logs from a Python script on the console, which checks SSH connectivity between the console and the Event Processors.

    Log example:
    <14>soc-nvd-metrics INFO:check_ssh_connectivity.py:74 - 2024-10-11 11:50:01,759 - Host VTM (SOCS0000033) | (192.168.5.72) SSH Domain:(VTM) Connection Status: Inactive

    Created a new Log Source Type - "QRadar Collector Monitor - TETv2" and parsed and mapped all properties.

    Issue - QRadar is using the Default Event-Mapping and stores the incoming events. Why is it not using the created Event-Mapping?

    For example - after adding a new property, 'Source IP', which should be 127.0.0.1, the Source IP in Log Activity is still 255.255.255.255.

    So basically the Log Source is using the appropriate Log Source Type, but is not showing any of the properties created in the DSM.



    ------------------------------
    Vladislavs Lipskis
    ------------------------------


  • 2.  RE: QRadar using Default Event-Mapping

    Posted 5 days ago

    Hello,

    Please review the following for stored events:
    https://community.ibm.com/community/user/security/blogs/saket-nimdeokar/2024/11/13/qradar-understanding-different-types-of-events

    This states that the DSM is unable to parse the event, as you have correctly stated, and cannot extract an eventId.
    Have you reviewed the payload within the DSM editor for this log source type?
    https://www.youtube.com/watch?v=AehZBxvEX5A



    ------------------------------
    Comghall Morgan
    QRadar Support Architect
    IBM
    ------------------------------
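The reply above explains the symptom in the first post: when no Event ID can be extracted from the payload, QRadar treats the event as stored and the custom property mappings never apply, so fields such as Source IP keep their unparsed placeholder value. The following Python script is an added example, not code from the thread or from IBM; it mimics the DSM editor's "capture group 1 is the property value" behaviour against the poster's sample payload so that property regexes can be checked offline before loading them into the DSM editor. The regex patterns, the `UNPARSED_IP` placeholder modelling the 255.255.255.255 seen in the first post, and the choice of the "Connection Status" word as the Event ID are all assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample payload: the log line quoted in the first post of the thread.
PAYLOAD = (
    "<14>soc-nvd-metrics INFO:check_ssh_connectivity.py:74 - "
    "2024-10-11 11:50:01,759 - Host VTM (SOCS0000033) | (192.168.5.72) "
    "SSH Domain:(VTM) Connection Status: Inactive"
)

# Assumed placeholder: the value the first post reports for an unparsed Source IP.
UNPARSED_IP = "255.255.255.255"


@dataclass
class ParseResult:
    event_id: Optional[str]      # None when no Event ID regex matched
    properties: Dict[str, Optional[str]]
    stored: bool                 # True when the event would be a stored event


def apply_property_regexes(payload: str, regexes: Dict[str, str]) -> ParseResult:
    """Apply each property regex the way the DSM editor does: the value is capture group 1.

    A property whose regex does not match yields None. If the 'Event ID' property is
    missing, the event cannot be mapped to a QID and is flagged as stored; an unmatched
    'Source IP' falls back to the assumed placeholder value.
    """
    props: Dict[str, Optional[str]] = {}
    for name, pattern in regexes.items():
        match = re.search(pattern, payload)
        props[name] = match.group(1) if match else None

    event_id = props.get("Event ID")
    if props.get("Source IP") is None:
        props["Source IP"] = UNPARSED_IP
    return ParseResult(event_id=event_id, properties=props, stored=event_id is None)


# Assumed "before" regex set: both patterns are anchored at the start of the payload,
# so neither matches the real line, which begins with the syslog priority and program name.
BROKEN_REGEXES = {
    "Event ID": r"^Connection Status: (\w+)",
    "Source IP": r"^\((\d{1,3}(?:\.\d{1,3}){3})\)",
    "Host ID": r"^Host \w+ \((\w+)\)",
}

# Assumed "after" regex set: unanchored, so the captures land wherever the text sits.
FIXED_REGEXES = {
    "Event ID": r"Connection Status:\s*(\w+)",
    "Source IP": r"\((\d{1,3}(?:\.\d{1,3}){3})\)",
    "Host ID": r"Host \w+ \((\w+)\)",
}


def check_regex_set(regexes: Dict[str, str], payload: str = PAYLOAD) -> ParseResult:
    """Run one regex set against the payload and report which properties actually parsed."""
    result = apply_property_regexes(payload, regexes)
    state = "STORED (no Event ID extracted)" if result.stored else "parsed"
    print(f"event is {state}")
    for name, value in result.properties.items():
        print(f"  {name:10s}: {value}")
    return result


if __name__ == "__main__":
    print("-- broken regex set --")
    check_regex_set(BROKEN_REGEXES)
    print("-- fixed regex set --")
    check_regex_set(FIXED_REGEXES)
```

Running the script prints the broken set as a stored event with Source IP at the placeholder value, and the fixed set as a parsed event with Event ID `Inactive`, Source IP `192.168.5.72` and Host ID `SOCS0000033`; the same pattern test can be repeated with each payload variant the collector script emits before the log source type is saved.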