Troubleshooting DSMs
Device Support Modules (DSMs) parse the events in IBM QRadar. You can think of DSMs as software plug-ins that are responsible for understanding and parsing the events that an event source provides. An event source can be a security appliance, server, operating system, firewall, or database; in general, it can be any type of system that generates an event when an action occurs.
What is the difference between an unknown event and a stored event?
When events aren’t parsed correctly, they appear on the Log Activity tab as one of the following event types:
- Unknown events: The event is collected and parsed, but cannot be mapped or categorized to a specific log source. Log sources that aren't automatically discovered are typically identified as an unknown event log until a log source is manually created in the system. When an event cannot be associated with a log source, the event is assigned to a generic log source. You can identify these events by searching for events that are associated with the SIM Generic log source or by using the Event is Unparsed filter.
- Stored events: The event cannot be understood or parsed by QRadar. When QRadar cannot parse an event, it writes the event to disk and categorizes the event as stored.
How can you find these unknown or stored events in the Log Activity tab?
To find events specific to your device, you search in QRadar for the source IP address of your device. You can also select a unique value from the event payload and search for Payload Contains. One of these searches might locate your event, and it is likely either categorized as unknown or stored.
You can also add a search filter for Event is Unparsed. This search locates all events that cannot be parsed (stored) and all events that are not associated with a log source or were not auto discovered (unknown).
What do you do if the product version you have is not listed in the DSM Configuration Guide?
The DSM Configuration Guide contains a list of product manufacturers and the DSMs that are officially tested and validated against specific products. If the DSM is for a product that is officially supported by QRadar, but the version is out of date, you might need a DSM update to resolve any parsing issues. The product versions in the DSM guide were officially tested in-house, but software updates by vendors might add or change the event format for a specific DSM. In these cases, open a support ticket with IBM Support for a review of the log source. (https://www.ibm.com/support/home/)
What do you do if the product device you have is not listed in the DSM Configuration Guide?
- Open a request for enhancement (RFE) to have your device become officially supported:
  - Go to the QRadar Security RFE Community. (https://ibm.biz/BdRPx5)
  - Log in to the Security RFE Community.
  - Click the Submit tab and type the necessary information.
    Note: If you have event logs from a device, attach the event information and include the product version of the device that generated the event log.
- Write a log source extension to parse events for your device. (https://www.ibm.com/support/knowledgecenter/SS42VS_DSM/com.ibm.dsm.doc/c_LogSourceGuide_ExtDocs_about.html)
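Before writing a log source extension, it helps to check offline that your candidate regular expressions actually pull the required fields out of the raw payloads you collected from the unparsed events. The script below is an added example, not QRadar code: it is a simplified model of the extension's pattern and matcher elements (a named regex per pattern, and a field-to-pattern mapping with a capture group), applied to constructed sample payloads from a hypothetical appliance. Payloads that yield no EventName are reported as the ones QRadar would still have to store.

```python
import re

# Constructed sample payloads from a hypothetical "acme-fw" appliance (not from the page).
SAMPLE_EVENTS = [
    "<134>Jan 12 10:01:02 fw01 acme-fw: action=DENY src=10.0.0.5 dst=203.0.113.9 user=alice",
    "<134>Jan 12 10:01:03 fw01 acme-fw: action=ALLOW src=10.0.0.7 dst=203.0.113.9 user=bob",
    "<134>Jan 12 10:01:04 fw01 acme-fw: heartbeat ok",
]

# Modelled on the extension's <pattern> elements: a pattern id and its regex (assumption).
PATTERNS = {
    "EventNameP": re.compile(r"action=(\w+)"),
    "SourceIpP": re.compile(r"src=(\d{1,3}(?:\.\d{1,3}){3})"),
    "UserP": re.compile(r"user=(\S+)"),
}

# Modelled on the extension's <matcher> elements: (field, pattern id, capture group).
MATCHERS = [
    ("EventName", "EventNameP", 1),
    ("SourceIp", "SourceIpP", 1),
    ("UserName", "UserP", 1),
]


def parse_event(payload):
    """Apply every matcher to one payload; return the extracted fields,
    or None when no EventName could be matched (the event would be stored)."""
    fields = {}
    for field, pattern_id, group in MATCHERS:
        match = PATTERNS[pattern_id].search(payload)
        if match:
            fields[field] = match.group(group)
    if "EventName" not in fields:
        return None
    return fields


def classify_all(payloads):
    """Split payloads into parsed field dicts and raw payloads that would be stored."""
    parsed, stored = [], []
    for payload in payloads:
        fields = parse_event(payload)
        if fields:
            parsed.append(fields)
        else:
            stored.append(payload)
    return parsed, stored


if __name__ == "__main__":
    parsed_events, stored_events = classify_all(SAMPLE_EVENTS)
    for event in parsed_events:
        print("parsed:", event)
    for payload in stored_events:
        print("would be stored:", payload)
```

Adjust PATTERNS and MATCHERS until every payload type you expect from the device parses; whatever still lands in the stored list needs either another pattern or a decision that it is noise you do not want in the extension.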