Original Message:
Sent: Tue February 28, 2023 06:30 PM
From: Tom L
Subject: TLS-Syslog Universal DSM Log Source Identifier Pattern for Windows Security Logs
Thanks, Jonathan. Unfortunately I'm not seeing any new log sources created based on that pattern. Do you know where to find the Event Retriever to help troubleshoot?
------------------------------
Tom L
Original Message:
Sent: Fri February 24, 2023 06:02 PM
From: Jonathan Pechta
Subject: TLS-Syslog Universal DSM Log Source Identifier Pattern for Windows Security Logs
I believe that, generically, you should be able to use this: $1=COMPUTERNAME=\"(.*?)\"
as your Log Source Identifier. Computername is a pretty standard field in the payload and should capture the full value.
------------------------------
Jonathan Pechta
QRadar Support Content Lead
Support forums: ibm.biz/qradarforums
jonathan.pechta1@ibm.com
Original Message:
Sent: Wed February 15, 2023 01:34 PM
From: Tom L
Subject: TLS-Syslog Universal DSM Log Source Identifier Pattern for Windows Security Logs
We set up a Universal DSM to accept TLS Syslog Windows Security events from two WinCollect 10 agents. The traffic is now encrypted, but we are struggling with the Log Source Identifier Pattern: the events are classified as "Unknown Generic Event" despite carrying a WindowsLog.
How do I write the regex needed for the Log Source Identifier Pattern so I can search events from the log sources for these two agents? The two links below give different guidance ($1 or \1; I am trying both, but nothing is coming through). Also, where is the Event Retriever?
Use As A Gateway Log Source: On
Log Source Identifier Pattern (each of the following tried in turn):
\1=([\w\d-]+)\.mydomain
$1=([\w\d-]+)\.mydomain
\1=<13>\w{3}\s\d{1,2}\s\d{1,2}:\d{1,2}:\d{1,2}\s([\w\d-]+)\s
$1=<13>\w{3}\s\d{1,2}\s\d{1,2}:\d{1,2}:\d{1,2}\s([\w\d-]+)\s
Sample event as received:
<13>Feb 15 10:03:50 LT-12345 AgentDevice=WindowsLog AgentLogFile=Security PluginVersion=WC.MSEVEN6.10.1.2.20 Source=Microsoft-Windows-Security-Auditing Computer=LT-12345.mydomain.com ...
Links:
https://www.ibm.com/docs/en/dsm?topic=options-tls-syslog-protocol-configuration
Log source identifier pattern
Thanks
------------------------------
Tom L
------------------------------
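A quick way to check what a candidate Log Source Identifier Pattern would actually capture, before putting it on the gateway log source, is to run the regex half of the pattern against a copy of the raw payload. The Python script below is an added example and is not from the thread, from IBM, or from QRadar itself: it takes the regexes from Tom's four attempts and from Jonathan's COMPUTERNAME suggestion, strips the leading $1= / \1= token (QRadar's own token syntax is defined in the IBM documentation linked above and is not evaluated here), and reports the first capture group for each sample event. The sample events are constructed: the first is the event quoted in the thread with its truncated tail filled in with made-up fields, the second adds a made-up COMPUTERNAME="..." field so the reply's pattern has something to match, and the third uses a single-digit day padded with two spaces, as traditional BSD syslog headers do. The syslog_header_any_ws pattern is my own variant, not one from the thread, included only to show how the double-space case behaves.

```python
import re
from typing import Dict, Optional

# Constructed sample payloads. "quoted" follows the event quoted in the thread;
# the trailing fields after Computer= are made up because the thread truncates
# the line. "with_computername" adds a constructed COMPUTERNAME="..." field.
# "padded_day" is the same header with a single-digit day padded to two
# characters with a space, the BSD syslog convention.
SAMPLE_EVENTS: Dict[str, str] = {
    "quoted": (
        "<13>Feb 15 10:03:50 LT-12345 AgentDevice=WindowsLog AgentLogFile=Security "
        "PluginVersion=WC.MSEVEN6.10.1.2.20 Source=Microsoft-Windows-Security-Auditing "
        "Computer=LT-12345.mydomain.com OriginatingComputer=LT-12345.mydomain.com"
    ),
    "with_computername": (
        "<13>Feb 15 10:03:50 LT-12345 AgentDevice=WindowsLog AgentLogFile=Security "
        "Computer=LT-12345.mydomain.com Message=An account was successfully logged on. "
        'COMPUTERNAME="LT-12345" '
    ),
    "padded_day": (
        "<13>Feb  5 10:03:50 LT-12345 AgentDevice=WindowsLog AgentLogFile=Security "
        "Computer=LT-12345.mydomain.com"
    ),
}

# Regex halves of the patterns discussed in the thread (the $1= / \1= prefix is
# QRadar's token and is not part of the regex). syslog_header_any_ws is an
# added variant that tolerates runs of whitespace in the header.
PATTERNS: Dict[str, str] = {
    "domain_suffix": r"([\w\d-]+)\.mydomain",
    "syslog_header": r"<13>\w{3}\s\d{1,2}\s\d{1,2}:\d{1,2}:\d{1,2}\s([\w\d-]+)\s",
    "computername_field": r"COMPUTERNAME=\"(.*?)\"",
    "syslog_header_any_ws": r"<13>\w{3}\s+\d{1,2}\s+\d{1,2}:\d{1,2}:\d{1,2}\s+([\w\d-]+)\s",
}


def extract_identifier(pattern: str, event: str) -> Optional[str]:
    """Return capture group 1 of the first match of pattern in event, or None.

    None means the pattern would not produce a log source identifier for this
    payload, which is the symptom of events staying "Unknown Generic Event".
    """
    match = re.search(pattern, event)
    if match is None or match.lastindex is None:
        return None
    return match.group(1)


def evaluate_patterns(
    events: Dict[str, str] = SAMPLE_EVENTS,
    patterns: Dict[str, str] = PATTERNS,
) -> Dict[str, Dict[str, Optional[str]]]:
    """Map each pattern name to the identifier it captures from each sample."""
    return {
        name: {label: extract_identifier(regex, event) for label, event in events.items()}
        for name, regex in patterns.items()
    }


if __name__ == "__main__":
    # Print a small matrix: pattern name, sample label, captured identifier.
    for name, results in evaluate_patterns().items():
        for label, ident in results.items():
            status = ident if ident is not None else "(no match)"
            print(f"{name:22} {label:18} {status}")
```

Run on the samples above, both of Tom's regexes capture LT-12345 from the quoted event, the COMPUTERNAME pattern captures nothing from it (the constructed tail has no such field), and the fixed-whitespace syslog header pattern stops matching as soon as the day is space-padded. A mismatch like that shows up here as None rather than as a silently missing gateway log source, which is the useful part when debugging a pattern against real payloads captured from the agent.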