IBM QRadar

I am finding that some of my logs are not parsing correctly. I am having to perform an 'Override System Behavior' for most of the properties in the Linux OS DSM.

Most of which have gone pretty well. There are only a few issues with the Source MAC and Destination MAC. This might be my knowledge set with Regex but how do I pull the destination and source mac from the following output?:

MAC=10:98:36:b5:09:b5:7c:25:86:d7:e3:14:08:00

I am currently trying "MAC=(..:..:..:..) for the first address but how would I pull the second address?

My other issue is that even when the DSM editor sees the first MAC address I Regex it does not place the data into Log Activity Preview. I just get a blank data for the MAC address.

Any thoughts? Thank you!

I would also like to add that when I change the DSM editor from Linux OS to Linux iptables Firewall, the properties parse the way that I need it to.

I need to have the Linux OS log source attached to the devices in question, is there a way to join the two log sources to better parse the logs?

Hi Jack,

Have you try "Enable Property Autodetection"?

You can read about this feature here: https://www.ibm.com/support/knowledgecenter/en/SS42VS_7.3.2/com.ibm.qradar.doc/t_qradar_adm_dsm_ed_auto_prop_config.html

If the autodetection works correctly then probably what would you need to do is set the "Property Expression Definition". Here you can found more information: https://www.ibm.com/support/knowledgecenter/SSKMKU/com.ibm.qradar.doc/t_LSX_guide_custprop_definition.html

Hope this helps!

I have been trying to do what you suggested but I still need a Regex extraction statement to pull the source mac and dest mac off of the payload. I can't figure out how to do this.

The payload looks like this:

<4>Sep 11 15:35:58 s00-yum7 kernel: FINAL_REJECT: IN=ens192 OUT= MAC=00:50:56:84:55:cc:00:50:56:82:59:40:08:00

The log source is Linux OS. I don't know how to pull the first half of the mac address as my source and the second half as my dest mac, using regex. Maybe there is another way to do this?

Hi Jack,

I just played quick with some regex I had it. You probably need to play a little bit more, but this might be give you an idea. Also this probably no the "best/good practice" for regex, so be careful because it can cause an expensive parsing behavior in QRadar, so I would suggest to test it first (may you can use QRadar CE) and monitoring the behavior.

On the DSM Editor:

Log Source Type: Linux OS

Source MAC

Expression: MAC=(([A-Fa-f0-9]{2}):([A-Fa-f0-9]{2}):([A-Fa-f0-9]{2}):([A-Fa-f0-9]{2}):([A-Fa-f0-9]{2}):([A-Fa-f0-9]{2}):([A-Fa-f0-9]{2}))

Format String: $1

Destination MAC

Expression: (((([A-Fa-f0-9]{2}):([A-Fa-f0-9]{2}):([A-Fa-f0-9]{2}):([A-Fa-f0-9]{2}):([A-Fa-f0-9]{2}):([A-Fa-f0-9]{2}):([A-Fa-f0-9]{2}))))\s

Format String:$1

And it looks like:

Once again, hope this helps!

Cheers!

Andry,

Thank you this was 95% perfect! The source MAC worked out great and the Destination MAC actually parsed. The only thing that I need to work out now is a small hiccup in the destination MAC parse.

From the payload:

MAC=00:50:56:84:55:cc:00:50:56:82:59:40:08:00

The destination MAC is saying 50:56:82:59:40:08

The MAC should say 00:50:56:82:59:40

How do I correct the regex to move the parse over to the left? The :08:00 is for something else and is not part of the MAC address.

Thank you very much for your help! Regex is not my strong suit.

Very respectfully,

Jack

Hi Jack,

Regex is either my expertise, but I spend like 2 days to built a regex in the past that involve mac addresses. So, here you have, try this?

Destination MAC

Expression: (?:([A-Fa-f0-9]{2}):([A-Fa-f0-9]{2}):([A-Fa-f0-9]{2}):([A-Fa-f0-9]{2}):([A-Fa-f0-9]{2}):([A-Fa-f0-9]{2}))\W+(([A-Fa-f0-9]{2}):([A-Fa-f0-9]{2}):([A-Fa-f0-9]{2}):([A-Fa-f0-9]{2}):([A-Fa-f0-9]{2}):([A-Fa-f0-9]{2}))\W

Format String: $7

I hope you get all what you needed!

Best!

I should said, isn't either my expertise!

Andry,

I would like to say that Regex is becoming your expertise! This worked out great! Thank you very much for your time and support! I was able to properly parse the source and dest mac's!