IBM Support

IJ26665: CEF EVENTID DOES NOT MAP TO A QID WHEN IT IS THE LAST KEY/VALUE IN THE PAYLOAD WHEN CONFIGURED USING DSM EDITOR/LSX


APAR status

  • Closed as program error.

Error description

  • If a CEF key is used to override the Event ID for a log source
    in the DSM Editor/LSX, and that key is the last key/value pair
    in the payload, the Event ID is not matched to a mapped QID in
    QRadar because a newline character "\n" is appended to the
    parsed value.
    For example:
    Add a CEF key as an Event ID override for a payload in which
    that key/value pair is the last item.
    Result: The Event ID cannot match a QID because it has a '\n'
    at the end.
    Note: If another key/value pair is added to the end of the
    payload, the override works as expected because the desired
    value no longer contains the '\n'.
    

Local fix

  • Use a regex expression instead of a CEF key in the DSM
    Editor/LSX.
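
The failure mode in the error description and the regex-based local fix, as an added example (not IBM's or QRadar's code): a simplified CEF extension parser reproduces the trailing '\n' on the last value, and a regex capture avoids it. The key name `evtId`, the QID number, the sample payloads and the regex pattern are constructed assumptions.

```python
import re

# Constructed sample data: the key name "evtId", QIDs and payloads are made up.
QID_MAP = {"4625": 5000001}
LAST = "CEF:0|Acme|Gateway|1.0|100|Login failed|5|src=10.0.0.5 msg=bad password evtId=4625\n"
MIDDLE = "CEF:0|Acme|Gateway|1.0|100|Login failed|5|src=10.0.0.5 evtId=4625 msg=bad password\n"

KEY_RE = re.compile(r"(?:^|\s)([\w.-]+)=")  # start of each key=

def parse_cef_extension(payload):
    """Simplified CEF extension parser that does not trim the line ending."""
    extension = payload.split("|", 7)[-1]  # 7 header fields precede the extension
    matches = list(KEY_RE.finditer(extension))
    pairs = {}
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(extension)
        pairs[m.group(1)] = extension[m.end():end]
    return pairs

def event_id_from_cef_key(payload, key):
    """Symptom described in the APAR: the raw parsed value becomes the Event ID."""
    return parse_cef_extension(payload).get(key)

def event_id_from_regex(payload, key):
    """Local-fix style override: the capture group stops at whitespace."""
    m = re.search(r"\b" + re.escape(key) + r"=(\S+)", payload)
    return m.group(1) if m else None

def override_is_affected(payload, key):
    """True when `key` is the last pair and its parsed value keeps a line ending."""
    pairs = parse_cef_extension(payload)
    if not pairs or list(pairs)[-1] != key:
        return False
    return pairs[key] != pairs[key].rstrip("\r\n")

if __name__ == "__main__":
    for name, payload in (("last", LAST), ("middle", MIDDLE)):
        raw = event_id_from_cef_key(payload, "evtId")
        fixed = event_id_from_regex(payload, "evtId")
        print(name, repr(raw), QID_MAP.get(raw), repr(fixed), QID_MAP.get(fixed),
              override_is_affected(payload, "evtId"))
```

Running `override_is_affected` over captured sample payloads for a log source shows whether its Event ID override key sits last in the payload and would therefore miss its QID mapping on an unfixed release.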
    

Problem summary

  • This issue was fixed in QRadar QRM QVM release of 7.4.3.
    

Problem conclusion

  • This issue was fixed in QRadar QRM QVM release of 7.4.3.
    

Temporary fix

Comments

APAR Information

  • APAR number

    IJ26665

  • Reported component name

    QRADAR SOFTWARE

  • Reported component ID

    5725QRDSW

  • Reported release

    740

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2020-07-28

  • Closed date

    2021-05-25

  • Last modified date

    2021-05-25

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    QRADAR SOFTWARE

  • Fixed component ID

    5725QRDSW

Applicable component levels


Document Information

Modified date:
26 May 2021