IBM QRadar

Hi all!

I have some difficulties:

I have a log source. It is a BigIP software(hostaname= bigip.example.local), contains 2 different modules: "ltm" and "afm". Both ot them locates on the same log source(BigIP software) and performs different functions. I configured BigIP software to send logs to qradar. qRadar has defaul DSMs for this modules.

When I recieve logs, I receive 2 different kind of logs with the same Identifier, but from multiple modules:

1. Logs from "ltm" module:

<134>Dec 1 10:10:10 bigip.example.local LTM: ........LOGSSSSSSSSSSSSS.......

2. Logs from "afm" module:

<134>Dec 1 10:10:11 bigip.example.local AFM: ........LOGSSSSSSSSSSSSS.......

As you see, the Log Source Identifier is the same, but modules are different. By default, default DSM modules for LTM and AFM are different too.

When I configure the log source on the qRadar side, I can only select one DSM, the logs will be parsed correctly from the selected one, but incorrect from the other and vice versa.

So, how can I split these logs with the same Log Source Identifier?

Thanks!

Hi,

not sure if I understand you correctly. BIG-IP AFM and LTM are using different DSMs. You can assign those to the same host identifier, say bigip.example.local resulting in two different log sources for the same host. Thus you should not see incorrect logs parsed from the LTM or AFM. If that is still the case pls open a SR.

BR Karl