IBM Support

QRadar: The use of Parsing orders

Question & Answer


Question

Why do I need to set the Parsing Order on Log Sources?

Cause

When two or more log sources are created with the same log source identifier, QRadar offers each incoming event to those log sources in the configured parsing order. The first log source in the order takes precedence: if its DSM parses the event, that log source keeps it. Events the first log source cannot parse are passed to the next log source in the parsing order, and so on down the list. The last log source in the parsing order acts as the catch-all for events that none of the earlier log sources recognize. This matters most when one of the log sources is a Universal DSM (uDSM). A uDSM accepts any event it is handed, so if the uDSM is first in the order, every event goes to the uDSM and the other log sources in the parsing order receive no events at all.

Answer

As a best practice, place the intended log source (the log source type the device actually sends) first in the parsing order, and place any uDSM last so that it only receives the events the real log source types cannot parse.

In the example shown, a Linux Server log source type is in the first order position, because those are the actual logs arriving for that log source identifier.


Result: an efficient method of parsing several log source types for one log source identifier, without a uDSM swallowing events meant for the other log sources.
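To make the precedence, fall-through and catch-all rules described above concrete, the following Python model (an added example, not QRadar code or any IBM tooling) routes constructed syslog lines from one sender through two parsing orders: the recommended order with the real log source type first, and the order the Cause section warns about with the uDSM first. The matcher functions, log source names and sample events are assumptions that stand in for real DSMs; only the accept/reject decision is modelled, since that is all the parsing order depends on.

```python
import re

# Constructed sample events, all arriving from one sender (web01), i.e. one
# log source identifier. These are illustrative, not captured QRadar data.
EVENTS = [
    "<86>Jan 14 10:00:01 web01 sshd[1234]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2",
    "<86>Jan 14 10:00:02 web01 sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/ls",
    '<134>Jan 14 10:00:03 web01 nginx: 10.0.0.9 - - "GET /login HTTP/1.1" 200 512',
    "<13>Jan 14 10:00:04 web01 app: free-text line that no built-in DSM recognises",
]


# Stand-in "DSM" matchers (assumed, not real QRadar DSM logic). A real DSM
# extracts fields; here each one only decides whether it accepts the event,
# which is the only decision the parsing-order walk depends on.
def linux_server(event: str) -> bool:
    return re.search(r" (?:sshd\[\d+\]|sudo): ", event) is not None


def nginx_access(event: str) -> bool:
    return " nginx: " in event


def udsm(event: str) -> bool:
    return True  # a Universal DSM accepts every event handed to it


LOG_SOURCES = {
    "Linux Server": linux_server,
    "Nginx": nginx_access,
    "uDSM": udsm,
}


def route(events, order):
    """Walk each event down the parsing order (a list of log source names).

    The first log source whose matcher accepts the event keeps it. An event
    that no matcher accepts falls through to the last log source in the
    order, which acts as the catch-all. Returns {name: [events]}.
    """
    routed = {name: [] for name in order}
    for event in events:
        target = next((name for name in order if LOG_SOURCES[name](event)), order[-1])
        routed[target].append(event)
    return routed


def counts(order):
    """Number of events each log source ends up with under the given order."""
    return {name: len(evs) for name, evs in route(EVENTS, order).items()}


INTENDED_ORDER = ["Linux Server", "Nginx", "uDSM"]  # real source type first, uDSM last
UDSM_FIRST = ["uDSM", "Linux Server", "Nginx"]      # the mistake the Cause section warns about

if __name__ == "__main__":
    for order in (INTENDED_ORDER, UDSM_FIRST):
        print(order, "->", counts(order))
```

With the intended order, the sshd and sudo lines land on Linux Server, the nginx line on Nginx, and only the unrecognised application line reaches the uDSM. With the uDSM first, all four events go to the uDSM and the two real log sources receive nothing, which is exactly the behaviour the parsing order is meant to prevent.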

 

Where do you find more information?

For more information, see the Knowledge Center article Introduction to log source management.



Product: IBM Security QRadar SIEM (SSBQAC); Component: Log Activity; Platform: Platform Independent; Version: 7.1, 7.2, 7.3

Document Information

Modified date:
27 July 2018

UID

swg22002566