IBM QRadar

  • 1.  Custom DSM's undocumented protocols.

    Posted Mon March 30, 2020 06:15 AM
    Hi to everyone,

    I am wondering about the reason for the word "undocumented" that appears when selecting a protocol while Custom DSM is selected.

    And there is a message, as you can see in the yellow bar: This log source uses an undocumented protocol. IBM Support cannot troubleshoot problems with receiving event data.

    Is there a way to fix the undocumented message? What is it caused by?
    Is it supported and logical to create a Custom DSM for custom log sources? Or is it best to select Universal DSM every time?

    Thank you all for sharing your knowledge.

    Regards.

    ------------------------------
    Halil BALIM
    ------------------------------


  • 2.  RE: Custom DSM's undocumented protocols.

    Posted Tue March 31, 2020 01:49 PM
    Hi Halil,

    This message is not something to be concerned about. A similar message appears for IBM-provided log source types if you selected an undocumented protocol option when configuring a log source. The purpose of the message is just to highlight the fact that, because you're dealing with a custom log source type, the Support team won't have any experience with configuring that type of log source in that way, so any challenges with configuring the 3rd-party side of the integration or determining what protocol parameters to enter are up to you to figure out. If you hit some kind of code defect when trying to use a log source of a custom type or an undocumented protocol configuration, Support can help you, but if it's config-related they have no experience or documentation to assist with. Likewise, it's up to you as the end user to do any parsing customization in the DSM Editor; it is not Support's role to do this for you since it's a custom type.

    The same support limitations apply to Universal DSM - because it's custom, it's up to you to figure out. But it's definitely better to use a custom log source type than Universal DSM; we only keep Universal DSM around for backwards compatibility. Having a custom type allows other content (custom properties, rules, searches, reports, etc.) to be linked directly to one particular custom log source type. This is better than creating content for "Universal DSM" because if you have multiple custom types all represented as Universal DSM, then those custom properties, rules, searches, etc. all execute for all that custom data instead of for just the events you mean them to.

    Cheers
    Colin

    ------------------------------
    COLIN HAY
    ------------------------------



  • 3.  RE: Custom DSM's undocumented protocols.

    Posted Thu April 09, 2020 06:01 AM
    Hi Colin,

    Thank you for your clear explanation.

    Regards.

    ------------------------------
    Halil BALIM
    ------------------------------