IBM QRadar


Unable to parse logs from Ubuntu machine, but can parse other Linux logs

  • 1.  Unable to parse logs from Ubuntu machine, but can parse other Linux logs

    Posted Thu August 10, 2023 05:11 AM

    Unable to parse logs from Ubuntu machine, but can parse other Linux logs. Could someone please help me with which DSM should be used, or the process to be followed?



    ------------------------------
    Sugandhini PS
    ------------------------------


  • 2.  RE: Unable to parse logs from Ubuntu machine, but can parse other Linux logs

    Posted Fri August 11, 2023 03:39 AM

    It is hard to tell without viewing the payload. Generally, SIM Generic would appear when the ingested content is not in a form that would be recognized automatically by QRadar to create the appropriate log source. If you created a log source but logs still go to SIM Generic, then you probably used a wrong log source identifier. Compare the payload from Ubuntu to what comes in from other Linux log sources that behave correctly. I recall having an Ubuntu-based system with auditd installed and logging was OK at the time.



    ------------------------------
    Dusan VIDOVIC
    ------------------------------
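The comparison suggested in the reply above can be done on raw payloads before touching QRadar: pull the host field out of each syslog header and check it against the identifier configured on the log source. The script below is an added example, not code from the thread or from IBM; the sample lines are constructed, and it assumes the identifier has to equal the header's host field literally, so an FQDN in the payload will not match a short hostname configured on the log source.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional
# Traditional BSD syslog header: "<PRI>Mmm dd hh:mm:ss HOST TAG[pid]: message"
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<rest>.*)$"
)
# RFC 5424 header: "<PRI>1 TIMESTAMP HOST APP PROCID MSGID SD MSG"
RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|\[.*?\]) ?(?P<msg>.*)$"
)

@dataclass
class SyslogHeader:
    fmt: str            # "rfc3164" or "rfc5424"
    host: str           # host field, i.e. what the SIEM sees as the sender
    app: Optional[str]  # program name / tag, if present

def parse_header(line: str) -> Optional[SyslogHeader]:
    """Return the header fields of one syslog line, or None if neither format matches."""
    m = RFC5424.match(line)
    if m:
        return SyslogHeader("rfc5424", m.group("host"), m.group("app"))
    m = RFC3164.match(line)
    if m:
        tag = m.group("rest").split(":", 1)[0]
        app = re.sub(r"\[\d+\]$", "", tag).strip() or None
        return SyslogHeader("rfc3164", m.group("host"), app)
    return None

def identifier_matches(line: str, configured: str) -> bool:
    """Assumption: the log source identifier must equal the host field literally
    (case-insensitive), so FQDN vs short name is a mismatch."""
    hdr = parse_header(line)
    return hdr is not None and hdr.host.lower() == configured.lower()

def summarize(lines: List[str]) -> Dict[str, int]:
    """Count lines per host field so an unexpected identifier stands out."""
    return dict(Counter(h.host for h in map(parse_header, lines) if h))

# Constructed sample payloads, not taken from the original thread.
SAMPLE = [
    "<86>Aug 10 09:12:01 centos-db01 sshd[1234]: Accepted publickey for admin from 10.0.0.5 port 51234 ssh2",
    "<86>Aug 10 09:12:07 ubuntu-web01.example.internal sshd[2001]: Accepted publickey for deploy from 10.0.0.6 port 51300 ssh2",
    "<86>1 2023-08-10T09:12:09.000Z ubuntu-web01.example.internal sshd 2003 - - Accepted publickey for deploy from 10.0.0.6 port 51301 ssh2",
]
```

Run `summarize()` over a capture from the Ubuntu box and from a Linux host that parses correctly; if the Ubuntu host field differs from the identifier on its log source (or the header format differs), that is the first thing to fix.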