Name Value Pair

The Name Value Pair DSM gives you the option to integrate IBM® QRadar® with devices that might not normally send syslog logs.

The Name Value Pair DSM provides a log format that gives you the option to send logs to QRadar. For example, if a device that QRadar does not support cannot export its logs natively over syslog, you can create a script that exports the logs from the device, formats them in the Name Value Pair log format, and sends them to QRadar by using syslog.

The Name Value Pair DSM log source that is configured in QRadar then receives the logs and can parse the data, because the logs arrive in the Name Value Pair log format.

Tip: Events for the Name Value Pair DSM are not automatically discovered by QRadar.

The Name Value Pair DSM accepts events by using syslog. QRadar records all relevant events. The log format for the Name Value Pair DSM must be a tab-separated, single-line list of Name=Value pairs. The Name Value Pair DSM does not require a valid syslog header.

Note: The Name Value Pair DSM assumes an ability to create custom scripts or thorough knowledge of your device capabilities to send logs to QRadar using syslog in Name Value Pair format.

The Name Value Pair DSM can parse the tags that are listed in Table 1. DeviceType and EventName are required; all other tags are optional.

Table 1. Name Value Pair log format tags (each tag is followed by its description)

DeviceType
    Type NVP as the DeviceType. This identifies the log format as a Name Value Pair log message. This is a required parameter, and DeviceType=NVP must be the first pair in the list.

EventName
    Type the event name that you want to use to identify the event in the Events interface when using the Event Mapping functions. For more information on mapping events, see the IBM QRadar User Guide. This is a required parameter.

EventCategory
    Type the event category that you want to use to identify the event in the Events interface. If this value is not included in the log message, the value NameValuePair is used.

SourceIp
    Type the source IP address for the message.

SourcePort
    Type the source port for the message.

SourceIpPreNAT
    Type the source IP address for the message before Network Address Translation (NAT) occurs.

SourceIpPostNAT
    Type the source IP address for the message after NAT occurs.

SourceMAC
    Type the source MAC address for the message.

SourcePortPreNAT
    Type the source port for the message before NAT occurs.

SourcePortPostNAT
    Type the source port for the message after NAT occurs.

DestinationIp
    Type the destination IP address for the message.

DestinationPort
    Type the destination port for the message.

DestinationIpPreNAT
    Type the destination IP address for the message before NAT occurs.

DestinationIpPostNAT
    Type the destination IP address for the message after NAT occurs.

DestinationPortPreNAT
    Type the destination port for the message before NAT occurs.

DestinationPortPostNAT
    Type the destination port for the message after NAT occurs.

DestinationMAC
    Type the destination MAC address for the message.

DeviceTime
    Type the time that the event was sent, according to the device. The format is YY/MM/DD hh:mm:ss (the sample messages below use a four-digit year, for example 2007/12/14 09:53:49). If no specific time is provided, the syslog header or DeviceType parameter is applied.

UserName
    Type the user name that is associated with the event.

HostName
    Type the host name that is associated with the event. Typically, this parameter is associated only with identity events.

GroupName
    Type the group name that is associated with the event. Typically, this parameter is associated only with identity events.

NetBIOSName
    Type the NetBIOS name that is associated with the event. Typically, this parameter is associated only with identity events.

Identity
    Type TRUE or FALSE to indicate whether you want this event to generate an identity event. An identity event is generated only if the log message contains SourceIp (when the IdentityUseSrcIp parameter is set to TRUE) or DestinationIp (when the IdentityUseSrcIp parameter is set to FALSE) and at least one of the following parameters: UserName, SourceMAC, HostName, NetBIOSName, or GroupName.

IdentityUseSrcIp
    Type TRUE or FALSE (default). TRUE indicates that you want to use the source IP address for identity. FALSE indicates that you want to use the destination IP address for identity. This parameter is used only if the Identity parameter is set to TRUE.

Use these sample event messages to verify a successful integration with QRadar.

Important: Due to formatting issues, paste the message format into a text editor and then remove any carriage return or line feed characters.

Example 1

The following example parses all fields:

DeviceType=NVP EventName=Test DestinationIpPostNAT=<IP_address> DeviceTime=2007/12/14 09:53:49 SourcePort=1111 Identity=FALSE SourcePortPostNAT=3333 DestinationPortPostNAT=6666 HostName=testhost DestinationIpPreNAT=<IP_address> SourcePortPreNAT=2222 DestinationPortPreNAT=5555 SourceMAC=<MAC_address> SourceIp=<IP_address> SourceIpPostNAT=<IP_address> NetBIOSName=<BIOS_name> DestinationMAC=<MAC_address> EventCategory=Accept DestinationPort=4444 GroupName=testgroup SourceIpPreNAT=<IP_address> UserName=<Username> DestinationIp=<IP_address>

Example 2

The following example provides identity by using the destination IP address:

<133>Apr 16 12:41:00 192.0.2.1 namevaluepair: DeviceType=NVP EventName=Test EventCategory=Accept Identity=TRUE SourceMAC=<MAC_address> SourceIp=<Source_IP_address> DestinationIp=<Destination_IP_address> UserName=<Username>

Example 3

The following example provides identity by using the source IP address:

DeviceType=NVP EventName=Test EventCategory=Accept DeviceTime=2007/12/14 09:53:49 SourcePort=5014 Identity=TRUE IdentityUseSrcIp=TRUE SourceMAC=<MAC_address> SourceIp=<Source_IP_address> DestinationIp=<Destination_IP_address> DestinationMAC=<MAC_address> UserName=<Username>

Example 4

The following example provides an entry with no identity:

DeviceType=NVP EventName=Test EventCategory=Accept DeviceTime=2007/12/14 09:53:49 SourcePort=5014 Identity=FALSE SourceMAC=<MAC_address> SourceIp=<Source_IP_address> DestinationIp=<Destination_IP_address> DestinationMAC=<MAC_address> UserName=<Username>
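The following Python module is an added example and is not IBM code; it shows what the export script described above has to get right on the sending side, and how the tag rules in Table 1 and the identity rule behave on the receiving side. It builds a tab-separated record with DeviceType=NVP as the first pair, rejects values that contain the carriage-return, line-feed or tab characters that would break the single-line format, wraps the record in a syslog header like the one in Example 2, and parses records back into a dictionary. The parser accepts space separation as well as tabs so that the rendered sample messages above (whose tabs were lost in formatting) also parse; that tolerance, the UDP port 514 sender, the `identity_event` helper that applies the Identity/IdentityUseSrcIp rule, and all sample values (192.0.2.x addresses, the user name `alice`) are assumptions of this example, not behaviour documented for the DSM.

```python
"""Build, validate and interpret QRadar Name Value Pair (NVP) records.

Added example for the Name Value Pair DSM page; not IBM's code. Tag
names come from Table 1; the identity logic follows the Identity and
IdentityUseSrcIp descriptions. Separator tolerance, the UDP sender and
the sample values are assumptions of this example.
"""
import re
import socket

# Tags whose presence (together with the chosen IP) allows an identity event.
IDENTITY_FIELDS = ("UserName", "SourceMAC", "HostName", "NetBIOSName", "GroupName")

# Characters that would break a single-line, tab-separated record.
_CTRL = re.compile(r"[\r\n\t]")

# Name=Value pairs; the value runs until the next "<tab/space>Name=" or the end.
# Accepting whitespace as well as tabs is an assumption so the rendered samples parse.
_PAIR = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|\s*$)")


def build_nvp(event_name, **fields):
    """Return one tab-separated NVP record with DeviceType=NVP as the first pair."""
    pairs = [("DeviceType", "NVP"), ("EventName", event_name)]
    for name, value in fields.items():
        if name in ("DeviceType", "EventName"):
            continue  # both are fixed above; do not allow them to be overridden
        pairs.append((name, str(value)))
    for name, value in pairs:
        if _CTRL.search(value):
            raise ValueError(f"{name}: value must not contain CR, LF or TAB")
    return "\t".join(f"{n}={v}" for n, v in pairs)


def syslog_line(record, host="192.0.2.1", timestamp="Apr 16 12:41:00", pri=133):
    """Wrap a record in a syslog header shaped like Example 2 (constructed defaults)."""
    return f"<{pri}>{timestamp} {host} namevaluepair: {record}"


def send_udp(line, qradar_host, port=514):
    """Send one line to QRadar over UDP syslog (assumed port 514; not run by the tests)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(line.encode("utf-8"), (qradar_host, port))


def parse_nvp(line):
    """Parse a record (with or without syslog header) into a dict.

    Enforces the two required-tag rules from Table 1: DeviceType=NVP must be
    the first pair, and EventName must be present.
    """
    text = line.strip()
    start = text.find("DeviceType=")
    if start < 0:
        raise ValueError("DeviceType=NVP is required")
    pairs = _PAIR.findall(text[start:])  # drop any syslog header before the body
    if not pairs or pairs[0] != ("DeviceType", "NVP"):
        raise ValueError("DeviceType=NVP must be the first pair in the list")
    fields = dict(pairs)
    if not fields.get("EventName"):
        raise ValueError("EventName is required")
    return fields


def identity_event(fields):
    """Return the IP address an identity event would be keyed on, or None.

    Identity=TRUE selects SourceIp when IdentityUseSrcIp=TRUE, otherwise
    DestinationIp, and at least one of IDENTITY_FIELDS must also be present.
    """
    if fields.get("Identity", "FALSE").upper() != "TRUE":
        return None
    use_src = fields.get("IdentityUseSrcIp", "FALSE").upper() == "TRUE"
    ip = fields.get("SourceIp" if use_src else "DestinationIp")
    if not ip or not any(fields.get(f) for f in IDENTITY_FIELDS):
        return None
    return ip


if __name__ == "__main__":
    # Constructed sample mirroring Example 2 (identity keyed on the destination IP).
    record = build_nvp("Test", EventCategory="Accept", Identity="TRUE",
                       SourceMAC="00:00:5e:00:53:01", SourceIp="192.0.2.10",
                       DestinationIp="192.0.2.20", UserName="alice")
    line = syslog_line(record)
    print(line)
    print("identity keyed on:", identity_event(parse_nvp(line)))
```

To actually ship events, call `send_udp(syslog_line(record), "<qradar_host>")` from the script that exports your device's logs; keep every value free of line breaks so that each event stays on one line, as the Important note above requires.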