IBM Support

QRadar: Event Name and Low Level Category displaying "Event 0" and "Category 0" in Log Activity

Troubleshooting


Problem

Events on the Log Activity tab parse correctly for the custom DSM, but display "Event 0" in the Event Name column and "Category 0" in the Low Level Category column. What causes this issue?

Symptom

On the Log Activity tab, events parse correctly for a custom DSM, but the user interface displays Event 0 and Category 0 in several columns.

Cause

Administrators who create a custom DSM might see fields such as Event 0 or Low Level Category 0 in the user interface when there is a configuration error in the DSM Editor. A custom DSM associates each property with a regular expression (regex) that matches text within the event payload, and each property also has a type (text, number, port, date, IP address). When the text that the regex captures does not fit the property's type, the parser fails and the event is displayed as {field name} 0. A common example is a regex on an IPv6-specific property that also captures an IPv4 address.

Administrators must use a regex that matches only IPv6 addresses in the following DSM Editor fields:
  • Identity IPv6
  • IPv6 Destination
  • IPv6 Source

    Figure 1: Each field in Properties has a type assigned, such as text, number, port, date, or IP address.
 
 
To reproduce this behavior with any log source type:
  1. Configure any IPv6 field like IPv6 Destination.
  2. Check the Override system behavior check box.
  3. In the Expression field, add a generic regex that captures from the payload without matching an IPv6 address explicitly. For example, an expression that captures any value between "destination IP" and the next character (a comma, in this case) also captures an IPv4 address and causes parsing issues.
    Figure 2: Expressions that can extract an IPv4 address into an IPv6-specific property in the DSM Editor can cause parsing issues.
  4. Save the changes.
  5. Wait for events to parse for your custom log source type.

    Results
    The user interface displays Event 0 and Low Level Category 0. The logs indicate that the parser generated an exception and bailed out of the parsing process. Because the parser does not understand the format of the captured data, it never maps the event to a QRadar ID (QID) to get the correct Event Name, Severity, Weight, and Low Level Category, and the user interface substitutes Event 0 and Category 0 instead.

Resolving The Problem

  1. Log in to QRadar® as an administrator.
  2. Click the Admin tab.
  3. Open the DSM Editor and edit your custom log source type.
  4. Review the regular expressions for the following IPv6 fields:
    • Identity IPv6
    • IPv6 Destination
    • IPv6 Source
  5. If the regular expression is generic or can capture an IPv4 address, select one of the following options:
    1. Clear the Override system behavior check box. When you clear an override, parsing reverts to the default configuration for the field, which might allow the event to parse correctly.
    2. Edit the Expression field so that it matches only an IPv6 address format.

      Results
      After you clear the override or fix the regex, the event maps correctly in the Log Activity tab.
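The following Python script is an added illustration, not QRadar's parser and not code from this article. It models the failure mode from the reproduction steps and the fix from step 5: a generic override expression is run against constructed sample payloads (the "destination IP=" key and the addresses are invented for this example), the captured text is validated against the property type the way the DSM Editor would, and an IPv6-only expression is checked beside it so you can see the difference before you save an override. Only the regex captures and type checks are shown; the QID mapping that follows in QRadar is out of scope.

```python
import ipaddress
import re

# Constructed sample payloads (not real QRadar events). Both use the
# "key=value," layout that the reproduction steps describe; one carries an
# IPv4 destination and one an IPv6 destination.
SAMPLE_PAYLOADS = [
    "action=allow,source IP=192.0.2.10,destination IP=198.51.100.7,port=443",
    "action=allow,source IP=2001:db8::1,destination IP=2001:db8:0:1::25,port=443",
]

# The generic override from the reproduction steps: captures whatever sits
# between "destination IP=" and the next comma, regardless of address family.
GENERIC_REGEX = r"destination IP=([^,]+),"

# An IPv6-only expression: hex digits and colons, no dots, so an IPv4 value
# does not match at all instead of being captured into the IPv6 property.
IPV6_REGEX = r"destination IP=([0-9A-Fa-f:]+),"

# Property types as the DSM Editor would validate them (assumed mapping for
# this example; ipaddress raises ValueError on a value of the wrong family).
PROPERTY_TYPE_CHECKS = {
    "ipv6": ipaddress.IPv6Address,
    "ipv4": ipaddress.IPv4Address,
}


def extract_property(regex, payload, property_type):
    """Run one expression over one payload and validate the capture.

    Returns (status, value):
      'no_match'   - the expression did not match this payload
      'ok'         - the capture is a valid value for the property type
      'type_error' - the capture does not fit the type; this is the case in
                     which QRadar's parser throws and the event is shown as
                     Event 0 / Category 0
    """
    m = re.search(regex, payload)
    if m is None:
        return ("no_match", None)
    value = m.group(1)
    try:
        PROPERTY_TYPE_CHECKS[property_type](value)
    except ValueError:
        return ("type_error", value)
    return ("ok", value)


def audit_regex(regex, property_type, payloads=SAMPLE_PAYLOADS):
    """Check a candidate expression against every sample payload.

    Any 'type_error' in the result means the override would break parsing
    for that kind of event; fix the regex (or clear the override) first.
    """
    return [extract_property(regex, payload, property_type) for payload in payloads]


if __name__ == "__main__":
    for label, regex in (("generic", GENERIC_REGEX), ("ipv6-only", IPV6_REGEX)):
        print(label, audit_regex(regex, "ipv6"))
```

Note that the IPv6-only expression still lets a malformed value such as "dead:beef" through to the type check, which is why the audit validates every capture with ipaddress rather than trusting the regex alone; in the DSM Editor, the equivalent safeguard is to test the expression against payloads of every address family your log source actually emits.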

Document Location

Worldwide


Document Information

Modified date:
28 May 2021

UID

ibm16454881