IBM QRadar

Join this online user group to communicate across Security product users and IBM experts by sharing advice and best practices with peers and staying up to date regarding product enhancements.

View Only

Back to discussions

Expand all | Collapse all

No Proper Events Logging For An Offense

1. No Proper Events Logging For An Offense

Like
Arunkumar R
Posted Thu March 09, 2023 07:13 AM

Reply
Hi,

I am not receiving proper events for an offense from Linux logs.

The offense is getting for the below event

<86>Mar 9 15:32:49 abcd sshd[27574]: input_userauth_request: invalid user ${jndi [preauth]

But the proper event is

<86>Mar 9 15:32:49 abcd sshd[27574]: Invalid user ${jndi from 10.x.x.71 port 12776

Offense Events:

Both source and destinations are same

<86>Mar 9 15:32:49 abcd sshd[27574]: input_userauth_request: invalid user ${jndi [preauth]

Search events:

<86>Mar 9 15:32:49 abcd sshd[27574]: Invalid user ${jndi from 10.x.x.71 port 12776

I can see both events in the search, but it does not capture them as events in the offense.

How can I tune to get the exact event for alert, please anyone assist to get this issue resolved.

Thanks

------------------------------
Arunkumar R
------------------------------
2. RE: No Proper Events Logging For An Offense

Like
Prabir Meher
Posted Mon March 13, 2023 11:28 PM

Reply
Bug - fixed in 7.5.0 UP4 IF1

IJ45191: OFFENSE SUMMARY PAGE EVENT/FLOW COUNT FIELD DOES NOT MATCH THE EVENT COUNT IN LOG ACTIVITY

------------------------------
Prabir Meher
------------------------------

Original Message
3. RE: No Proper Events Logging For An Offense

Like
Arunkumar R
Posted Thu March 16, 2023 04:23 AM

Reply
Hi Prabir,

Thanks for the response. But the provided link has a different issue not mine.

------------------------------
Arunkumar R
------------------------------

Original Message
4. RE: No Proper Events Logging For An Offense

Like
Jan Luptak
Posted Fri May 26, 2023 09:02 AM

Reply
We have 7.5 UP5 and still not fixed. According to support should be fixed in UP6
Jan

------------------------------
Jan Luptak
------------------------------

Original Message

IBM QRadar

IBM QRadar

No Proper Events Logging For An Offense

Arunkumar RThu March 09, 2023 07:13 AM

Prabir MeherMon March 13, 2023 11:28 PM

Arunkumar RThu March 16, 2023 04:23 AM

Jan LuptakFri May 26, 2023 09:02 AM

1. No Proper Events Logging For An Offense

2. RE: No Proper Events Logging For An Offense

3. RE: No Proper Events Logging For An Offense

4. RE: No Proper Events Logging For An Offense

Additional
Resources

Office

Quick Links

IBM QRadar

IBM QRadar

No Proper Events Logging For An Offense

Arunkumar RThu March 09, 2023 07:13 AM

Prabir MeherMon March 13, 2023 11:28 PM

Arunkumar RThu March 16, 2023 04:23 AM

Jan LuptakFri May 26, 2023 09:02 AM

1. No Proper Events Logging For An Offense

2. RE: No Proper Events Logging For An Offense

3. RE: No Proper Events Logging For An Offense

4. RE: No Proper Events Logging For An Offense

Related Content

Offense Not Creating For Matching Event

offense log

RE: Rule did not trigger Offense

How to avoid ".*?" while writing CEPs in IBM QRadar

Offense Wrong Start Date

Additional Resources

Office

Quick Links

Additional
Resources