Troubleshooting
Problem
Events on the Log Activity tab parse for the custom DSM correctly, but display "Event 0" in the Event Name column and "Category 0" in the Low Level Category columns. What causes this issue?
Symptom
On the Log Activity tab, events parse correctly for a custom DSM, but the user interface displays Event 0 and Category 0 in several columns.
Cause
Administrators who create a custom DSM might see fields such as Event 0 or Low Level Category 0 populated in the user interface when there is a configuration error in the DSM Editor. Custom DSMs need to associate a property with a regular expression, which matches the text within an event payload. When the regular expression (regex) does not match the field type, the DSM can parse the event as {field name} 0. A common example of this issue is when an administrator tries to parse an IPv6 address into an IPv4 field.
Administrators must use regex for IPv6 in the following DSM Editor fields:
- Identity IPv6
- IPv6 Destination
- IPv6 Source
Figure 1: Each field in Properties has a value assigned such as: text, number, port, date, IP address.
To reproduce this behavior with any log source type:
- Configure any IPv6 field like IPv6 Destination.
- Check the Override system behavior check box.
- In the Expression field, add general regex that can capture the payload. Expressions that capture any value between destination IP and the next character, in this case a comma, without explicitly matching an IPv6 address can cause parsing issues.
Figure 2: Expressions that can extract an IPv4 address into an IPv6-specific property in the DSM Editor can cause parsing issues.
- Save the changes.
- Wait for events to parse for your custom log source type.
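To see why the generic expression in step 3 causes the mismatch, here is an added Python example that is not from the article or from QRadar (the DSM Editor itself uses Java regular expressions; the payloads, field label and both patterns are constructed for illustration). It contrasts a capture-anything-up-to-the-comma expression with one that only accepts colon-separated hex groups, then checks which address family the captured value actually belongs to.

```python
import ipaddress
import re

# Constructed sample payloads (not from the original article). The field label
# "destination IP" and the comma delimiter follow the page's description.
SAMPLE_PAYLOADS = [
    "action=allow, source IP=2001:db8::10, destination IP=2001:db8::20, proto=tcp",
    "action=allow, source IP=10.0.0.5, destination IP=192.0.2.7, proto=tcp",
]

# Generic expression: captures everything between "destination IP=" and the next
# comma, regardless of address family. This is the kind of override the page warns about.
GENERIC_RE = re.compile(r"destination IP=([^,]+)")

# IPv6-specific expression (hypothetical, for illustration): requires at least two
# colon separators between hex groups, so a dotted IPv4 address can never match.
# It accepts compressed forms such as 2001:db8::20 but is not a full RFC 4291 validator.
IPV6_RE = re.compile(r"destination IP=([0-9A-Fa-f]{0,4}(?::[0-9A-Fa-f]{0,4}){2,7})")


def extract(pattern, payload):
    """Return the captured group, or None when the expression does not match."""
    m = pattern.search(payload)
    return m.group(1) if m else None


def check_ipv6_field(value):
    """Mimic the field-type check: an IPv6 property only accepts an IPv6 address.

    Returns "ok", "ipv4-in-ipv6-field", "no-match" or "invalid".
    """
    if value is None:
        return "no-match"
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return "invalid"
    return "ok" if addr.version == 6 else "ipv4-in-ipv6-field"


def evaluate(pattern, payload):
    """Run an expression over a payload and classify what landed in the IPv6 field."""
    return check_ipv6_field(extract(pattern, payload))


if __name__ == "__main__":
    for name, pattern in (("generic", GENERIC_RE), ("ipv6-only", IPV6_RE)):
        for payload in SAMPLE_PAYLOADS:
            print(f"{name:10s} captured={extract(pattern, payload)!r:16} -> {evaluate(pattern, payload)}")
```

With the generic expression the IPv4 payload yields `ipv4-in-ipv6-field`, the condition that makes the parser throw and fall back to Event 0; the IPv6-only expression simply does not match that payload, so nothing wrong is written into the field.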
Results
The user interface displays Event 0 and Low Level Category 0. If the user reviews the logs, they indicate that the parser generated an exception and bailed out of the parsing process. The parser does not understand the format of the data and never maps the event to a QRadar ID (QID) to get the correct Event Name, Severity, Weight, and Low Level Category. The configuration issue in the DSM Editor causes the user interface to substitute Event 0 or Category 0.
Resolving The Problem
- Log in to QRadar® as an administrator.
- Click the Admin tab.
- Open the DSM Editor and edit your custom log source type.
- Review the regular expressions for the following IPv6 fields:
- Identity IPv6
- IPv6 Destination
- IPv6 Source
- If the regex expression is generic or can capture an IPv4 address, select one of the following options:
- Clear the Override system behavior checkbox. When you clear an override, the parsing reverts to the default configuration for the field, which might allow the event to parse correctly.
- Edit the Expression field to match an IPv6 address format.
Results
After you disable the field extraction or fix the regex, the event maps correctly in the Log Activity tab.
Document Information
Modified date:
28 May 2021
UID
ibm16454881