IBM Support

QRadar: Log source configuration and performance support policy

Question & Answer


Question

This article informs administrators about QRadar® Support policies. QRadar Support helps administrators investigate and correct software defects related to log source configurations, such as error messages, parsing issues, DSM performance, or troubleshooting. This document outlines out-of-scope work for log source configuration cases and the responsibilities of the QRadar administrator.

Answer

Responsibilities for Log Source configuration issues

QRadar® has an extensive list of DSMs that parse and categorize incoming events. The technical support team for QRadar can help administrators identify and narrow down potential configuration issues.

Support type: Log Source configuration and error support

Description: QRadar technical support can help administrators identify and narrow down potential Log Source configuration issues. Administrators can use QRadar® technical support to:
  1. Investigate configuration errors for officially supported Device Support Modules (DSMs). For a list of IBM® official DSMs, see the DSM Configuration Guide.
  2. Replay events on lab systems to confirm the source of parsing errors. For example, stored events or unknown events in IBM® official DSMs.
  3. Determine performance issues when events buffer to disk before they enter the event pipeline.
  4. Confirm that automatic updates run and that the latest DSM version is installed.
  5. Validate that remote event sources send data and that QRadar appliances receive event data.
  6. Review configuration errors or explain errors from the Log Source Management application.
  7. Discuss event categorizations with administrators where an event description, severity, or categories can be improved in the IBM® QRadar® Identifier (QID) Map.

    Notice: The technical support team might recommend that administrators disable custom Log Source types created by an administrator when the Log Source causes performance degradation in the software.

Responsibility: QRadar technical support. To open a case or report a Log Source error, contact QRadar technical support.

Support type: Out-of-scope for QRadar Support

Description: The following activities are considered out-of-scope for technical support. QRadar Support reserves the right to close cases related to the following issues:
  • Creating custom Log Source types in the DSM Editor for administrators. To officially request a new integration, see QRadar: Requesting new features on IBM Ideas.
  • Advising users on custom protocols, such as event data from undocumented protocols or integrations not listed in the DSM Configuration Guide.
  • Creating or modifying certificates.
  • Creating custom QIDs for custom Log Source types. For example, writing event descriptions for user-generated QIDs, or advising on severity or categories.
  • Mapping large numbers of unknown events from custom Log Source types.
  • Modifying QRadar or making command-line database or backend configuration changes to support undocumented configurations.
  • Investigating issues with DSMs published by IBM Business Partners® on the X-Force® App Exchange. IBM Business Partner applications can contain DSM configurations, and these issues can be pursued through the IBM Business Partner directly.
  • Requests for advice on security policies for custom Log Source types, events, or MITRE ATT&CK coverage.


Document Information

Modified date: 12 May 2023

UID: ibm16427759