IBM Security QRadar


TLS-Syslog Universal DSM Log Source Identifier Pattern for Windows Security Logs

  • 1.  TLS-Syslog Universal DSM Log Source Identifier Pattern for Windows Security Logs

    Posted Wed February 15, 2023 01:35 PM

    We set up a Universal DSM to accept TLS Syslog Windows Security events from two WinCollect 10 agents.  The traffic is now encrypted, but we are struggling with the Log Source Identifier Pattern: the events are classified as "Unknown Generic Event" despite carrying a WindowsLog.

    How do I write the regex needed for the Log Source Identifier Pattern so I can search the events sent by the log sources for these two agents?  The two links below have different guidance ($1 or \1; I am trying both, but nothing is coming through).  Also, where is the Event Retriever?



    Use As A Gateway Log Source: Set to On

    Log Source Identifier Pattern

    \1=([\w\d-]+)\.mydomain
    $1=([\w\d-]+)\.mydomain
    \1=<13>\w{3}\s\d{1,2}\s\d{1,2}:\d{1,2}:\d{1,2}\s([\w\d-]+)\s
    $1=<13>\w{3}\s\d{1,2}\s\d{1,2}:\d{1,2}:\d{1,2}\s([\w\d-]+)\s


    <13>Feb 15 10:03:50 LT-12345 AgentDevice=WindowsLog	AgentLogFile=Security	PluginVersion=WC.MSEVEN6.10.1.2.20	Source=Microsoft-Windows-Security-Auditing	Computer=LT-12345.mydomain.com ...




    https://www.ibm.com/docs/en/dsm?topic=options-tls-syslog-protocol-configuration

    Log source identifier pattern

    Thanks



    ------------------------------
    Tom L
    ------------------------------


  • 2.  RE: TLS-Syslog Universal DSM Log Source Identifier Pattern for Windows Security Logs

    Posted Fri February 24, 2023 06:02 PM

    I believe that generically, you should be able to use this $1=COMPUTERNAME=\"(.*?)\" as your Log Source Identifier. Computername is a pretty standard field in the payload and should capture the full value. 



    ------------------------------
    Jonathan Pechta
    QRadar Support Content Lead
    Support forums: ibm.biz/qradarforums
    jonathan.pechta1@ibm.com
    ------------------------------
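To see what each candidate identifier pattern from the opening post would actually extract from the quoted WinCollect line, and what the pattern suggested in the reply above would extract from that same line, here is an added Python example; it is not QRadar's code and not the posters' code. It assumes QRadar's behaviour of evaluating the regex after `$1=` (or `\1=`) against the raw payload and using capture group 1 as the log source identifier. The payload is constructed from the line quoted in the thread, with the trailing fields cut short. The sanity check at the end models a defender's concern: an over-broad capture group would create one auto-discovered log source per distinct captured value, so an identifier should look like a hostname.

```python
import re

# Constructed payload, shaped like the WinCollect 10 TLS syslog line quoted in
# the thread (fields after "Computer=" are omitted here).
PAYLOAD = (
    "<13>Feb 15 10:03:50 LT-12345 AgentDevice=WindowsLog\tAgentLogFile=Security\t"
    "PluginVersion=WC.MSEVEN6.10.1.2.20\tSource=Microsoft-Windows-Security-Auditing\t"
    "Computer=LT-12345.mydomain.com"
)

# Candidate "Log Source Identifier Pattern" lines taken from the thread.
CANDIDATES = {
    "domain-suffix": r"$1=([\w\d-]+)\.mydomain",
    "syslog-header": r"$1=<13>\w{3}\s\d{1,2}\s\d{1,2}:\d{1,2}:\d{1,2}\s([\w\d-]+)\s",
    "computername-kv": r'$1=COMPUTERNAME=\"(.*?)\"',
}

# Hostname-like identifier: letters, digits, dot, underscore, hyphen; 1-255 chars.
SANE_IDENTIFIER = re.compile(r"^[A-Za-z0-9._-]{1,255}$")


def parse_pattern(line):
    """Split a '$N=regex' (or '\\N=regex') line into (group_number, compiled_regex).

    Assumption (not verified against QRadar source): the text before '=' names
    the capture group whose value becomes the log source identifier.
    """
    m = re.fullmatch(r"[$\\](\d+)=(.+)", line, re.S)
    if not m:
        raise ValueError(f"not a $N=regex line: {line!r}")
    return int(m.group(1)), re.compile(m.group(2))


def extract_identifier(pattern_line, payload):
    """Return the identifier the pattern would assign to payload, or None if no match."""
    group, regex = parse_pattern(pattern_line)
    m = regex.search(payload)
    if not m or group > regex.groups:
        return None
    return m.group(group)


def is_sane_identifier(value):
    """True if value is a plausible hostname-style identifier (guards against
    a capture group that swallows whitespace, tabs or whole key=value runs)."""
    return value is not None and SANE_IDENTIFIER.match(value) is not None


def evaluate(candidates, payload):
    """Map each candidate name to the identifier it extracts (None if no match)."""
    return {name: extract_identifier(p, payload) for name, p in candidates.items()}


if __name__ == "__main__":
    for name, ident in evaluate(CANDIDATES, PAYLOAD).items():
        status = "ok" if is_sane_identifier(ident) else "no usable identifier"
        print(f"{name:16s} -> {ident!r} ({status})")
```

On the constructed line, both patterns from the opening post yield `LT-12345`, one from the syslog header and one from the `Computer=` field. The `COMPUTERNAME="..."` pattern yields nothing on this particular line because that line carries `Computer=` without quotes; whether a given agent's payloads contain a quoted `COMPUTERNAME` field is something to confirm against a captured event before relying on it for auto-discovery.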



  • 3.  RE: TLS-Syslog Universal DSM Log Source Identifier Pattern for Windows Security Logs

    Posted Tue February 28, 2023 06:30 PM

    Thanks Jonathan, unfortunately I'm not seeing any new log sources created based on that pattern.  Do you know where to find the Event Retriever to help troubleshoot?



    ------------------------------
    Tom L
    ------------------------------



  • 4.  RE: TLS-Syslog Universal DSM Log Source Identifier Pattern for Windows Security Logs

    Posted Mon March 27, 2023 12:56 PM

    A knowledgeable IBM technician identified the problem - the ecs-ec service needed a restart.  Now my standalone WinCollect 10 agents have their own log source in the QRadar Log Source Management.



    ------------------------------
    Tom L
    ------------------------------