IBM Support

QRadar: Microsoft Logs that are forwarded through Guardium are not normalized by the DSM



When Microsoft logs are forwarded through Guardium, the events might not be normalized. This can cause a number of events to be displayed as unknown.


Events that Guardium forwards on behalf of another product are not normalized. Standard events from Guardium arrive as syslog messages whose type is determined from the Facility-Priority (PRI) value of the message.
Examples of facility values are all, auth, authpriv, cron, daemon, ftp, kern, local0, local1, local2, local3, local4, local5, local6, local7, lpr, mail, mark, news, security, syslog, user, and uucp.
Examples of priority values are alert, all, crit, debug, emerg, err, info, notice, and warning. Any event that is not a Guardium system log message typed in this way cannot be normalized by the DSM.

Diagnosing The Problem

Here is an example of an event from Guardium that requires a Log Source Extension.

 <25>Aug 1 10:30:01 hostname guard_sender[****]: LEEF:1.0|IBM|Guardium|10.0|SQL- Not DBA DDL activity- Alert and Log|ruleID=#######|ruleDesc=SQL- Not DBA DDL activity- Alert and Log|severity=HIGH|devTime=2016-8-1 10:29:23|serverType=MS SQL SERVER|classification=|category=**** **|dbProtocolVersion=7.0|usrName=|sourceProgram=SMS_POLICY_PROVIDER|start=##########|dbUser=NT AUTHORITY\SYSTEM|dst=***|dstPort=***|src=***|srcPort=***|protocol=WINDOWS NAMED PIPES|type=SQL_LANG|violationID=############|sql=IF EXISTS (select * from tempdb..sysobjects where name = N'*******') drop table #*******|error=

Although this event carries a syslog PRI header (<25>, that is, facility daemon and priority alert), its payload is a LEEF-formatted database activity alert rather than a Guardium system log message. The Facility-Priority therefore does not identify the event, and the Guardium DSM cannot normalize it.

Resolving The Problem

The Guardium DSM parses only Guardium system logs, a limited subset of events that follow the Facility-Priority model that QRadar can normalize. Any other event must be mapped manually. Seeing these events displayed as unknown is therefore expected behavior, given the log source and how the data arrives.

Suggestions for resolving this issue:

  1. Collect the Microsoft SQL Server events directly with the JDBC or WinCollect protocol, so that the Microsoft SQL Server DSM parses them.
  2. Continue to forward the Microsoft SQL Server events through Guardium and manually map each SQL event that Guardium sends.
  3. Create a Log Source Extension (LSX) for the Guardium log source to reduce the number of events that must be mapped manually.
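The following Python script is an added example, not IBM code and not part of this technote. It prototypes the two parsing steps discussed above: splitting the syslog PRI header into the facility and priority that the Guardium DSM uses to type system log messages, and extracting the LEEF header and attributes that a Log Source Extension would have to capture (for example the event name in the LEEF header, which an LSX EventName matcher would map) before such an event can be normalized. The regular expressions are the kind one would place in LSX pattern elements; the LEEF event is the one shown on this page with its masked fields left masked, and the plain system log line is constructed for contrast and is not a real Guardium message.

```python
"""Prototype of the parsing a Log Source Extension (LSX) would do for the
Guardium LEEF event on this page. Added example, not IBM code."""
import re

# RFC 3164/5424 syslog numbering: PRI = facility * 8 + severity.
FACILITIES = {
    0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
    6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
    16: "local0", 17: "local1", 18: "local2", 19: "local3",
    20: "local4", 21: "local5", 22: "local6", 23: "local7",
}
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)
# LEEF 1.0 header: LEEF:Version|Vendor|Product|ProductVersion|EventID|attributes
LEEF_RE = re.compile(
    r"LEEF:(?P<leef_version>[^|]*)\|(?P<vendor>[^|]*)\|(?P<product>[^|]*)\|"
    r"(?P<product_version>[^|]*)\|(?P<event_id>[^|]*)\|(?P<attrs>.*)$", re.S)
# Guardium uses '|' as the attribute delimiter (the sample on this page shows
# this). Split only on a '|' that is followed by the next key=, so a '|'
# inside a captured SQL statement does not break the parse.
ATTR_SPLIT_RE = re.compile(r"\|(?=\w+=)")


def parse_pri(line):
    """Return (facility, severity, remainder) for a line starting with <PRI>."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("missing syslog PRI header")
    pri = int(m.group(1))
    if pri > 191:
        raise ValueError("PRI %d out of range" % pri)
    facility = FACILITIES.get(pri >> 3, "facility%d" % (pri >> 3))
    return facility, SEVERITIES[pri & 7], m.group(2)


def parse_leef(payload):
    """Return (header dict, attribute dict), or None if the payload is not LEEF."""
    m = LEEF_RE.search(payload)
    if not m:
        return None
    header = {k: m.group(k) for k in
              ("leef_version", "vendor", "product", "product_version", "event_id")}
    attrs = {}
    for field in ATTR_SPLIT_RE.split(m.group("attrs")):
        key, sep, value = field.partition("=")
        if sep:  # keep empty values such as 'error=' so the key is still known
            attrs[key] = value
    return header, attrs


def triage(line):
    """Classify one forwarded Guardium line the way the DSM sees it.

    A plain system log line is typed from facility/severity alone. A LEEF
    payload carries its real event name in the LEEF header, which the Guardium
    DSM does not read; an LSX EventName matcher would have to capture it.
    """
    facility, severity, rest = parse_pri(line)
    result = {"facility": facility, "severity": severity, "leef": False}
    leef = parse_leef(rest)
    if leef is None:
        return result
    header, attrs = leef
    result.update(leef=True, event_name=header["event_id"],
                  guardium_severity=attrs.get("severity"),
                  db_user=attrs.get("dbUser"), sql=attrs.get("sql"),
                  attributes=attrs)
    return result


# The LEEF event from this technote (masked fields left masked).
SAMPLE_LEEF_EVENT = (
    r"<25>Aug 1 10:30:01 hostname guard_sender[****]: LEEF:1.0|IBM|Guardium|10.0|"
    r"SQL- Not DBA DDL activity- Alert and Log|ruleID=#######|"
    r"ruleDesc=SQL- Not DBA DDL activity- Alert and Log|severity=HIGH|"
    r"devTime=2016-8-1 10:29:23|serverType=MS SQL SERVER|classification=|"
    r"category=**** **|dbProtocolVersion=7.0|usrName=|"
    r"sourceProgram=SMS_POLICY_PROVIDER|start=##########|dbUser=NT AUTHORITY\SYSTEM|"
    r"dst=***|dstPort=***|src=***|srcPort=***|protocol=WINDOWS NAMED PIPES|"
    r"type=SQL_LANG|violationID=############|"
    r"sql=IF EXISTS (select * from tempdb..sysobjects where name = N'*******') "
    r"drop table #*******|error=")

# Constructed plain syslog line (not a real Guardium message), typed from PRI alone.
SAMPLE_SYSTEM_EVENT = "<30>Aug 1 10:31:12 hostname guardium: constructed system log message"

if __name__ == "__main__":
    for line in (SAMPLE_SYSTEM_EVENT, SAMPLE_LEEF_EVENT):
        r = triage(line)
        print(r["facility"], r["severity"],
              r.get("event_name", "(typed from facility/priority only)"))
```

Running the script shows the point of the technote: both lines are facility daemon, so the syslog header alone tells the DSM nothing about the SQL policy violation, and the event name, database user and SQL text live only in the LEEF payload. Those are the fields an LSX would capture; note that an LSX that splits attributes on a bare '|' would misparse any SQL statement containing a pipe, which is why the split here requires the next key= to follow.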

Applies to: IBM Security QRadar SIEM 7.2 and 7.3 (Component: Integrations - IBM; Platforms: Linux, Windows, Platform Independent)

Document Information

Modified date:
16 June 2018