IBM Support

QRadar: The use of Parsing orders

Question & Answer


Question

Why do I need to set the Parsing Order on Log Sources?

Cause

When two or more Log Sources are created with the same log source identifier, the first Log Source in the parsing order takes precedence. Events that are not parsed by the first Log Source are passed to the next Log Source in the parsing order, and so on. The last Log Source in the parsing order is the catch-all for unknown events.

If one of the Log Sources is a custom DSM (uDSM) and that log source is first in the order, all events go to the uDSM, because a uDSM accepts any event. The other Log Sources in the parsing order receive no events at all.

Answer

A best practice is to place the Log Source whose type correctly matches the events in the first position of the parsing order.

In the example, we have a Linux Server log source in the first position in the parsing order. This order is correct because Linux Server is the correct type for the logs from this log source identifier.


Results: We have an efficient method of parsing different Log Source Types for one log source identifier.

For more information, see the Knowledge Center article Introduction to log source management.

Note: Sending events through larger DSMs (such as Linux OS or Microsoft Windows Security Event Log) that do not match that DSM can have a significant impact on parsing performance. In such cases, it is recommended to put the more expensive DSM at the bottom of the parsing order.
Read QRadar: How to find non-Linux OS events getting into Linux log sources for more background on identifying and tuning around this configuration.
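The following is an added example, not QRadar code or any QRadar API: a small simulation of the parsing-order behaviour described in the Cause and Answer sections. Each "DSM" is a function that either returns a parsed event or None, and the dispatcher hands every event to the first Log Source in the order that parses it. The event formats, the three Log Source names and their relative parse costs are assumptions made for illustration. Running it shows the two points the page makes: a uDSM placed first swallows every event, and putting an expensive DSM near the top makes every non-matching event pay its parse cost before reaching the right Log Source.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass
class LogSource:
    name: str
    parse: Callable[[str], Optional[dict]]
    cost: int                              # assumed relative cost of one parse attempt
    events: list = field(default_factory=list)


def parse_linux(raw: str) -> Optional[dict]:
    # Assumed syslog-like Linux format: "<host> <process>[<pid>]: <message>"
    m = re.match(r"^(\S+) (\S+)\[(\d+)\]: (.*)$", raw)
    if not m:
        return None
    return {"type": "Linux Server", "host": m.group(1),
            "process": m.group(2), "message": m.group(4)}


def parse_app(raw: str) -> Optional[dict]:
    # Assumed custom application format: "APP key=value key=value ..."
    if not raw.startswith("APP "):
        return None
    fields = dict(kv.split("=", 1) for kv in raw[4:].split() if "=" in kv)
    return {"type": "Custom App", **fields}


def parse_udsm(raw: str) -> Optional[dict]:
    # A universal DSM accepts anything, which is why it must sit last
    # in the parsing order if it is to act as the catch-all.
    return {"type": "uDSM", "payload": raw}


# Name -> (parser, assumed relative cost). The Linux DSM is modelled as the
# expensive one, matching the page's note about larger DSMs.
PARSERS = {
    "Linux Server": (parse_linux, 3),
    "Custom App": (parse_app, 1),
    "uDSM": (parse_udsm, 1),
}


def simulate(order, events):
    """Dispatch events through the Log Sources in parsing order.

    Returns (assignments, counts, total_cost): which Log Source took each
    event, how many events each Log Source received, and the summed cost of
    every parse attempt made (including failed ones)."""
    sources = [LogSource(name, *PARSERS[name]) for name in order]
    assignments, total_cost = [], 0
    for raw in events:
        for ls in sources:
            total_cost += ls.cost          # every attempt costs, even a failed one
            parsed = ls.parse(raw)
            if parsed is not None:
                ls.events.append(parsed)
                assignments.append(ls.name)
                break
        else:
            assignments.append(None)       # no Log Source accepted the event
    counts = {ls.name: len(ls.events) for ls in sources}
    return assignments, counts, total_cost


# Constructed sample events that share one log source identifier.
SAMPLE_EVENTS = [
    "host1 sshd[123]: Accepted publickey for admin",   # Linux Server event
    "APP user=alice action=login",                     # Custom App event
    "garbage line with no known format",               # only the uDSM accepts this
]

if __name__ == "__main__":
    for order in (["Linux Server", "Custom App", "uDSM"],   # correct order
                  ["uDSM", "Linux Server", "Custom App"],   # uDSM first: starves the rest
                  ["Custom App", "Linux Server", "uDSM"]):  # cheap DSM first
        assignments, counts, cost = simulate(order, SAMPLE_EVENTS)
        print(order, "->", assignments, counts, "cost", cost)
```

The cost counter is the thing to watch when reordering: with the expensive Linux DSM at the top, every Custom App and unknown event is charged a failed Linux parse before it reaches the Log Source that finally accepts it, which is the effect the note above warns about.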


Document Information

Modified date:
08 May 2024

UID

swg22002566