IBM Support

QRadar: Log Activity search shows private IP addresses as remote in the direction field



When you run a search in Log Activity, you see the private IP addresses are classified as remote in the direction field. For example, in "L2R", the issue could happen with both source and destination.


To understand why this is happening, you need to check how direction works. QRadar uses Network Hierarchy to know what is Remote or Local. From the QRadar Console, you can open this configuration by going to Admin > Network Hierarchy:
image 8411
If the IP is found in Network Hierarchy networks, then QRadar will consider this IP as Local. If not, then this IP will be displayed as Remote.
QRadar does not use public/private ranges for the Direction field, but Network Hierarchy instead.

Resolving The Problem

To change the behavior, you need to add the network into the Network Hierarchy (don't forget to Deploy Changes to enable the new configuration):
image 8409
Note: Country/Region is optional; you can link this private network to a country.

Once the Deploy Changes is complete, you will see the change in Log Activity:
image 8410
Alternately, if you have many networks and it is hard for you to check them in the Network Hierarchy, you can check the networks via CLI with the next command:
  1. SSH into the QRadar Console as root.
  2. Run the following command:
psql -U qradar -c "select * from network order by cidr;"
This command will list the network configured in Network Hierarchy ordered by network.

Related Information

Document Location


[{"Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"ARM Category":[{"code":"a8m0z000000cwtJAAQ","label":"QRadar Network Insights"}],"ARM Case Number":"TS004724601","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Version(s)"}]

Document Information

Modified date:
16 February 2021