IBM Support

QRadar: Log Source Extension requirements

Troubleshooting


Problem

Why is my Log Source extension not working?

Cause

When creating a log source extension, if no event name pattern is defined, the Log Source Extension does not associate with any events. As a result, none of the other patterns specified in the log source extension are applied to the payload.

Resolving The Problem

A log source extension requires an event name pattern to identify the events it should be applied to.
In this example, the pattern EventName-FireEye is linked to the EventName field. This pattern identifies the events that need to be parsed, which allows all the other patterns in the extension to parse the payload.
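The following script is an added example, not part of this IBM Support document or of QRadar itself. It builds a constructed extension in the device-extension XML layout that QRadar uses (pattern elements referenced by matcher elements inside a match-group), checks whether any matcher targets the EventName field, and emulates the behaviour described above: when that matcher is missing, no other pattern is applied. The FireEye-style payload, the regexes and the pattern ids are invented sample data.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample extension (assumption: FireEye-style syslog, invented regexes).
LSX_OK = r"""<?xml version="1.0" encoding="UTF-8"?>
<device-extension xmlns="event_parsing/device_extension">
  <pattern id="EventName-FireEye" xmlns="">event=([A-Za-z_-]+)</pattern>
  <pattern id="SourceIp-FireEye" xmlns="">src=(\d{1,3}(?:\.\d{1,3}){3})</pattern>
  <match-group order="1" description="FireEye" xmlns="">
    <matcher field="EventName" order="1" pattern-id="EventName-FireEye" capture-group="1"/>
    <matcher field="SourceIp" order="1" pattern-id="SourceIp-FireEye" capture-group="1"/>
  </match-group>
</device-extension>"""

# The same extension with the EventName matcher removed: the failure mode in the article.
LSX_BROKEN = LSX_OK.replace(
    '<matcher field="EventName" order="1" pattern-id="EventName-FireEye" capture-group="1"/>\n', "")

# Constructed sample event payload.
PAYLOAD = "<13>Jun 16 12:00:00 fe01 fenotify: event=malware-callback src=10.1.2.3 dst=203.0.113.9"


def load_lsx(xml_text):
    """Return (compiled patterns by id, list of (field, pattern-id, capture-group))."""
    root = ET.fromstring(xml_text)
    # Child elements reset the default namespace (xmlns=""), so their tags are plain.
    patterns = {p.get("id"): re.compile(p.text) for p in root.iter("pattern")}
    matchers = [(m.get("field"), m.get("pattern-id"), int(m.get("capture-group", "1")))
                for m in root.iter("matcher")]
    return patterns, matchers


def has_event_name_matcher(xml_text):
    """The requirement from the article: some matcher must map a pattern to EventName."""
    _, matchers = load_lsx(xml_text)
    return any(field == "EventName" for field, _, _ in matchers)


def apply_lsx(xml_text, payload):
    """Emulate the gating: without an EventName matcher the extension never
    associates with the event, so none of its patterns are applied."""
    patterns, matchers = load_lsx(xml_text)
    if not has_event_name_matcher(xml_text):
        return {}
    parsed = {}
    for field, pattern_id, group in matchers:
        match = patterns[pattern_id].search(payload)
        if match:
            parsed[field] = match.group(group)
    return parsed
```

The script only models the association rule this document describes; in the product the extracted EventName value is additionally used for QID mapping, which is outside the scope of this check.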




Results: All patterns listed in the Log Source Extension are now parsing.






Document Information

Modified date:
16 June 2018

UID

swg21992899