IBM Support

Log source extensions (LSXs) that generate a large number of asset updates

Troubleshooting


Problem

Users who write their own log source extensions might unknowingly generate large numbers of identity events for assets in their network.

Symptom

When a log source extension incorrectly marks events as identity events, the system updates the asset profile with usernames, MAC addresses, IP addresses, hostnames, NetBIOS names, or group names taken from events that should not drive asset updates at all, for example web browsing events or mail server events.

Depending on the type of log source extension and the number of events it generates, unintended identity events can cause performance problems. The asset profiler must process large volumes of incoming events to merge the identity information into existing asset profiles or to create new assets, so the system passively discovers assets from sources that were never meant to feed asset discovery.

If a log source extension generates identity information for every event, users might see the following symptoms:

  • The system might create assets that are not within your network hierarchy.
  • The Assets tab might take a long time to open or might display an application error.
  • Large numbers of TX Sentry warning messages for Tomcat might appear in /var/log/qradar.log.
  • The asset profile can show an abnormally large number of updates for a single asset.
  • Offenses might fire for unintended events that are associated with an unexpected asset. For example, a rule that is meant to fire on a DHCP event might fire when a user browses to a web page.

Cause

This issue can be caused by a log source extension that contains the attribute value send-identity="OverrideAndAlwaysSend".

Environment

Any QRadar system where an administrator has written a custom log source extension to integrate events from a third-party device or software.

Resolving The Problem

Administrators should review their log source extensions to determine whether any of them use send-identity="OverrideAndAlwaysSend". With that value, the extension sets the identity flag on every event it parses, so the asset profiler treats each one as a legitimate identity event.

To resolve the issue, change the affected extensions to use send-identity="OverrideAndNeverSend", which suppresses identity for the events those extensions parse and stops the unwanted asset updates.

  1. Log in to your Console as a user with administrative privileges.
  2. Click the Admin tab.
  3. Click the Log Source Extensions icon.
  4. Select a log source extension and click Edit.
  5. In the Extension Document field, review the extension to determine whether any send-identity attribute is set to "OverrideAndAlwaysSend".
  6. If the extension contains the value that always sends identity, change those occurrences to send-identity="OverrideAndNeverSend".
  7. Make the change in your original log source extension file, or copy the contents of the Extension Document field into an XML file and edit that copy.
  8. Click Browse and select the updated log source extension XML file.
  9. Click Upload.
  10. Click Save.
  11. Repeat this process for each log source extension on your Console.

Examples


Before update: log source extension that incorrectly uses the OverrideAndAlwaysSend identity parameter.


After update: log source extension updated to use the OverrideAndNeverSend identity parameter.
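The before/after change described in this section, and a way to check every extension file for it before uploading, as an added example (not IBM code and not part of the original technote). It assumes the documented LSX layout in which the send-identity attribute sits on event-match-single and event-match-multiple elements inside a match-group (the attribute also accepts UseDSMResults, which the technote does not discuss). The sample extension is constructed for illustration, and the keep parameter is a hypothetical knob that goes beyond the technote: it lets you leave identity enabled on a genuine login event while turning it off for everything else.

```python
"""Audit QRadar log source extension (LSX) XML for send-identity="OverrideAndAlwaysSend"
and produce a corrected copy that uses OverrideAndNeverSend.

Added example for this technote, not IBM code. Assumes the send-identity attribute is
carried by <event-match-single>/<event-match-multiple> elements under <match-group>.
"""
import re
import xml.etree.ElementTree as ET

ALWAYS = "OverrideAndAlwaysSend"
NEVER = "OverrideAndNeverSend"

# Constructed sample ("before update"): a home-grown proxy extension that wrongly
# flags every event as an identity event, including plain web-browsing events.
SAMPLE_LSX = """<?xml version="1.0" encoding="UTF-8"?>
<device-extension xmlns="event_parsing/device_extension">
  <pattern id="EventNameFromLine" xmlns="">^\\w+\\s+(\\w+)\\s</pattern>
  <pattern id="UsernameFromLine" xmlns="">user=(\\S+)</pattern>
  <match-group order="1" description="Example proxy extension" xmlns="">
    <matcher field="EventName" order="1" pattern-id="EventNameFromLine" capture-group="1"/>
    <matcher field="UserName" order="1" pattern-id="UsernameFromLine" capture-group="1"/>
    <event-match-single event-name="HTTP_GET" device-event-category="Web"
        severity="1" send-identity="OverrideAndAlwaysSend"/>
    <event-match-single event-name="HTTP_POST" device-event-category="Web"
        severity="1" send-identity="OverrideAndAlwaysSend"/>
    <event-match-single event-name="LOGIN_OK" device-event-category="Authentication"
        severity="3" send-identity="OverrideAndAlwaysSend"/>
  </match-group>
</device-extension>
"""


def _local(tag):
    """Strip a '{namespace}' prefix from an ElementTree tag name."""
    return tag.rsplit("}", 1)[-1]


def find_always_send(lsx_xml):
    """Return the event names whose match element has send-identity="OverrideAndAlwaysSend".

    Every match listed here stamps identity onto each parsed event, which is what
    drives the asset-update storm the technote describes.
    """
    root = ET.fromstring(lsx_xml)
    hits = []
    for elem in root.iter():
        if _local(elem.tag) in ("event-match-single", "event-match-multiple"):
            if elem.get("send-identity") == ALWAYS:
                hits.append(elem.get("event-name", "<unnamed>"))
    return hits


def rewrite_identity(lsx_xml, keep=()):
    """Return a copy of the LSX with OverrideAndAlwaysSend changed to OverrideAndNeverSend.

    Event names listed in `keep` are left untouched (hypothetical knob: e.g. a genuine
    login event that should still update assets). The edit is done on the text of each
    event-match tag rather than by re-serialising through ElementTree, so the xmlns
    declarations in the document are preserved exactly as the Console expects them.
    """
    tag_re = re.compile(r"<event-match-(?:single|multiple)\b[^>]*>")

    def fix(match):
        tag = match.group(0)
        name = re.search(r'event-name="([^"]*)"', tag)
        if name and name.group(1) in keep:
            return tag
        return tag.replace(f'send-identity="{ALWAYS}"', f'send-identity="{NEVER}"')

    return tag_re.sub(fix, lsx_xml)


if __name__ == "__main__":
    print("events that always send identity:", find_always_send(SAMPLE_LSX))
    fixed = rewrite_identity(SAMPLE_LSX)  # the "after update" document
    print("after rewrite:", find_always_send(fixed))
    # Save `fixed` to an XML file and upload it via Admin > Log Source Extensions.
```

Run it against each exported extension before step 8 of the procedure; an empty list from find_always_send on the rewritten document confirms that no match will force identity on every event.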

Product: IBM Security QRadar SIEM (SSBQAC); Component: Assets; Platform: Linux; Version: 7.2; Edition: All Editions; Line of Business: Security Software

Document Information

Modified date:
10 May 2019

UID

swg21666016