IBM Support

QRadar is not extracting the Source MAC address field

Troubleshooting


Problem

You might notice that in some events the Source MAC address is not extracted in the DSM Editor.

Symptom

When you analyze the events with the DSM Editor, QRadar shows that it matches the MAC address. This indicates the regex is correct; however, the value does not display in the Source MAC field.

Cause

This issue occurs when you use a custom log source type or override an existing log source type. The MAC address does not display because QRadar expects the MAC address to follow a specific format.
Examples of MAC addresses that extract correctly into the Source MAC field:
 
  • 98:76:AB:CD:12:34
  • 98-76-AB-CD-12-34
QRadar automatically replaces "-" with ":".

Examples of MAC addresses that do not extract and leave the Source MAC field blank:
 
  • 987:6AB:CD1:234
  • 987.6AB.CD1.234
  • 9876ABCD1234

Resolving The Problem

To fix this issue, extend the regex so that it splits your MAC address into six groups of two hexadecimal digits, and use the format string to join the groups with ":".
For example:
For a MAC address like 987:6AB:CD1:234, use a configuration like this:
Expression Type: Regex
Expression: MAC Address: \((\w\w)(\w):(\w)(\w\w):(\w\w)(\w):(\w)(\w\w)
Format String: $1:$2$3:$4:$5:$6$7:$8
For a MAC address like 987.6AB.CD1.234, use a configuration like this (the "." separator is escaped so that it matches a literal dot rather than any character):
Expression Type: Regex
Expression: MAC Address: \((\w\w)(\w)\.(\w)(\w\w)\.(\w\w)(\w)\.(\w)(\w\w)
Format String: $1:$2$3:$4:$5:$6$7:$8
For a MAC address like 9876ABCD1234, use a configuration like this (this regex has six capture groups, so the format string references only $1 to $6):
Expression Type: Regex
Expression: MAC Address: \((\w\w)(\w\w)(\w\w)(\w\w)(\w\w)(\w\w)
Format String: $1:$2:$3:$4:$5:$6
These examples cover the cases where your MAC addresses differ from the format QRadar expects. Use them as a starting point to build a regex and format string that match the format in your own events.
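As an added example, not part of the IBM article, the following Python script applies the three regex and format-string pairs above to constructed sample event lines and checks the result against the six-pairs-of-hex form that the Source MAC field accepts. The sample event text, the acceptance regex, and the translation of the DSM Editor's $n references into Python backreferences are assumptions made for this illustration.

```python
import re

# Constructed sample events (not taken from the article), one per unsupported format.
SAMPLE_EVENTS = [
    "MAC Address: (987:6AB:CD1:234)",
    "MAC Address: (987.6AB.CD1.234)",
    "MAC Address: (9876ABCD1234)",
]

# Regex / format-string pairs mirroring the DSM Editor configurations above.
# The DSM Editor uses $1..$n in its format string; Python templates use \1..\n.
RULES = [
    (r"MAC Address: \((\w\w)(\w):(\w)(\w\w):(\w\w)(\w):(\w)(\w\w)", "$1:$2$3:$4:$5:$6$7:$8"),
    (r"MAC Address: \((\w\w)(\w)\.(\w)(\w\w)\.(\w\w)(\w)\.(\w)(\w\w)", "$1:$2$3:$4:$5:$6$7:$8"),
    (r"MAC Address: \((\w\w)(\w\w)(\w\w)(\w\w)(\w\w)(\w\w)", "$1:$2:$3:$4:$5:$6"),
]

# Assumed acceptance rule for the Source MAC field: six hex pairs, all ':' or all '-'.
ACCEPTED_MAC = re.compile(r"^[0-9A-Fa-f]{2}([:-])(?:[0-9A-Fa-f]{2}\1){4}[0-9A-Fa-f]{2}$")


def qradar_format_to_python(fmt):
    """Translate a DSM Editor format string ($1:$2...) into a Python template (\\1:\\2...)."""
    return re.sub(r"\$(\d+)", r"\\\1", fmt)


def extract_mac(event):
    """Apply the first rule that matches; return the normalised MAC, or None if none matches."""
    for pattern, fmt in RULES:
        match = re.search(pattern, event)
        if match:
            return match.expand(qradar_format_to_python(fmt))
    return None


def is_accepted_by_qradar(mac):
    """True when the value is in a form the Source MAC field would populate."""
    return mac is not None and bool(ACCEPTED_MAC.match(mac))


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        mac = extract_mac(event)
        print(f"{event!r:36} -> {mac}  accepted={is_accepted_by_qradar(mac)}")
```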

Document Location

Worldwide


Document Information

Modified date:
21 August 2020

UID

ibm16257653