
Log source extensions (LSXs) that generate a large number of asset updates

Troubleshooting


Problem

Users who write their own log source extensions (LSXs) might unknowingly generate large numbers of identity events for assets in their network.

Symptom

When a log source extension incorrectly marks events as identity events, it forces the system to update the asset profile with usernames, MAC addresses, IP addresses, hostnames, NetBIOS names, or group names taken from events that should not drive asset updates, for example web browsing events or mail server events.

Depending on the type of log source extension and the number of events it generates, unintentional identity events can cause performance issues. The asset profiler must parse every incoming identity event to merge the identity information into an existing asset profile or to create a new asset, so the system passively discovers new assets from unintended sources.

If a log source extension generates identity information for every event, users might experience the following symptoms:

  • The system might create assets that are not within your network hierarchy.
  • The Assets tab might take a significant time to open or might display an application error.
  • Large numbers of TX Sentry warning messages for Tomcat might be written to /var/log/qradar.log.
  • A single asset profile can show an abnormally large number of updates.
  • Offenses might trigger for unintended events and be associated with an unexpected asset. For example, a rule written for DHCP events might trigger when a user browses to a web page.
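The usual cause is a match group that maps identity-bearing fields (UserName, HostName, and so on) for every event while the event matches never say whether identity should be sent. The following linter, added here as an example and not IBM's code, reads an LSX and lists the event matches that can still emit identity. It assumes the LSX schema described in the QRadar Log Source Extension Guide: <matcher field="..."> elements populate event fields, and <event-match-single> / <event-match-multiple> elements take an optional send-identity attribute with the values UseDSMResults, OverrideAndAlwaysSend and OverrideAndNeverSend; verify those names against the guide for your QRadar version. The sample LSX, the "browse" and "login" event names and the assumption that a missing attribute behaves like UseDSMResults are constructed for the example.

```python
"""Lint a QRadar log source extension (LSX) for event matches that can emit
identity events on every matched log line.

Added example for this technote, not IBM's code. It assumes the LSX schema from
the QRadar Log Source Extension Guide: <matcher field="..."> elements populate
event fields and <event-match-single>/<event-match-multiple> elements take an
optional send-identity attribute (UseDSMResults, OverrideAndAlwaysSend,
OverrideAndNeverSend). Verify those names against the guide for your version.
"""
import xml.etree.ElementTree as ET

# Matcher fields that carry identity into the asset profiler when present.
IDENTITY_FIELDS = {"UserName", "HostName", "NetBIOSName", "GroupName",
                   "SourceMAC", "ExtraIdentityData"}
SUPPRESSED = "OverrideAndNeverSend"
DEFAULT = "UseDSMResults"   # assumed behaviour when the attribute is absent

# Constructed sample (not a real vendor LSX): a web proxy log source that maps
# user name and host name on every event. __BROWSE__ marks where the fix goes.
LSX_TEMPLATE = r"""<device-extension xmlns="event_parsing/device_extension">
  <pattern id="EventNamePattern" xmlns=""><![CDATA[action=(\w+)]]></pattern>
  <pattern id="UserPattern" xmlns=""><![CDATA[user=(\S+)]]></pattern>
  <pattern id="HostPattern" xmlns=""><![CDATA[host=(\S+)]]></pattern>
  <pattern id="SrcIpPattern" xmlns=""><![CDATA[src=(\d+\.\d+\.\d+\.\d+)]]></pattern>
  <match-group order="1" description="Proxy events">
    <matcher field="EventName" order="1" pattern-id="EventNamePattern" capture-group="1"/>
    <matcher field="UserName" order="1" pattern-id="UserPattern" capture-group="1"/>
    <matcher field="HostName" order="1" pattern-id="HostPattern" capture-group="1"/>
    <matcher field="SourceIp" order="1" pattern-id="SrcIpPattern" capture-group="1"/>
    <event-match-single event-name="browse" device-event-category="Web Access"
        severity="2"__BROWSE__/>
    <event-match-single event-name="login" device-event-category="Authentication"
        severity="3" send-identity="OverrideAndAlwaysSend"/>
    <event-match-multiple pattern-id="EventNamePattern" capture-group-index="1"
        device-event-category="Web Access" send-identity="OverrideAndNeverSend"/>
  </match-group>
</device-extension>
"""
# Before: the browsing event inherits identity handling. After: it is suppressed.
LSX_BEFORE = LSX_TEMPLATE.replace("__BROWSE__", "")
LSX_AFTER = LSX_TEMPLATE.replace("__BROWSE__", ' send-identity="%s"' % SUPPRESSED)


def _local(tag):
    """Strip the XML namespace so tags compare as 'match-group', 'matcher', ..."""
    return tag.rsplit("}", 1)[-1]


def find_identity_emitters(lsx_xml):
    """Return one finding per event match that can still send identity.

    A match group that maps any IDENTITY_FIELDS turns every event it classifies
    into a potential identity event unless the event match sets
    OverrideAndNeverSend.
    """
    findings = []
    root = ET.fromstring(lsx_xml)
    for group in root.iter():
        if _local(group.tag) != "match-group":
            continue
        fields = sorted(m.get("field") for m in group
                        if _local(m.tag) == "matcher"
                        and m.get("field") in IDENTITY_FIELDS)
        if not fields:
            continue  # nothing identity-bearing is mapped in this group
        for em in group:
            kind = _local(em.tag)
            if kind not in ("event-match-single", "event-match-multiple"):
                continue
            mode = em.get("send-identity", DEFAULT)
            if mode == SUPPRESSED:
                continue
            name = em.get("event-name") or "pattern:" + em.get("pattern-id", "?")
            findings.append({
                "event": name,
                "category": em.get("device-event-category"),
                "send_identity": mode,
                "explicit": "send-identity" in em.attrib,
                "identity_fields": fields,
            })
    return findings


def needs_review(lsx_xml):
    """Event matches that inherit identity handling instead of declaring it.

    These are the cases this technote describes: nobody decided that a browsing
    or mail event should update an asset; the LSX simply never said otherwise.
    """
    return [f["event"] for f in find_identity_emitters(lsx_xml) if not f["explicit"]]


if __name__ == "__main__":
    for label, doc in (("before", LSX_BEFORE), ("after", LSX_AFTER)):
        print(label, "-> review:", needs_review(doc))
```

Run against the "before" document the linter reports the browsing event as inheriting identity handling; the "login" match is listed by find_identity_emitters but not by needs_review, because it declares OverrideAndAlwaysSend on purpose. Adding send-identity="OverrideAndNeverSend" to the browsing match, as the "after" document does, is the change that stops those events from reaching the asset profiler.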

Product: IBM Security QRadar SIEM; Component: Assets; Platform: Linux; Version: 7.2; Edition: All Editions


Document Information

Modified date: 10 May 2019

UID: swg21666016