IBM Support

QRadar: How to add time zones to your events with the DSM Editor

How To


Summary

One of the values extracted from every event is the Log Source Time field, which displays what QRadar understood to be the time the event occurred on the source device. For events handled by an IBM-supplied DSM, what is extracted as the Log Source Time can vary depending on the payload. In this article, you learn how to override the Log Source Time with the DSM Editor so that the time zone you need is displayed.

Environment

Information on how QRadar handles parsing time and time zone information:
  • For custom DSMs, you can create a Log Source Type to parse the event. In the DSM Editor, there are fields to override default parsing values. To customize the time zone, you need to override the Log Source Time field to configure what is extracted from the event as the Log Source Time. You need to review the time zone information from the payload to confirm it is used properly.
  • If the event does not contain an RFC-compliant Syslog header or time information, QRadar might not be able to parse the Log Source Time from the event. QRadar supports the RFC 3164 and RFC 5424 formats for Syslog events. When a format issue occurs, the DSM Editor applies the time at which the event was parsed, in the appliance time zone, to the event. If your payload does not contain an RFC-compliant Syslog header, you must apply an override to parse the Log Source Time correctly.
  • When an event payload does not contain a time zone, QRadar can assign a value automatically. The time zone value is set based on the installation time zone configured by the administrator. For example, if the payload time is <38>Sep 24 11:21:28 hostname LEEF<...> and during the appliance installation the administrator selected New York, America (EST), then QRadar falls back to the EST time zone when no Log Source Time override is configured.
  • When the event payload does not contain a year, QRadar assigns the current year as the value for Log Source Time.
  • On the Log Activity tab, the Log Source Time adjusts to the time zone QRadar uses. For example, if the time extracted was <38>Sep 24 11:21:28 CST and QRadar is installed with a time zone as Eastern Standard Time (EST), QRadar displays Sep 24, 2022, 12:21:28 as the time in the Log Source Time field.
  • If you need more information on how to configure the Log Source Time field in the DSM Editor, see QRadar: How to change or customize Log Source Time.

Steps

Select a scenario for an example on how to configure a time zone in the DSM Editor.

Scenario 1: Payload time does not contain a time zone, but it is the same as the one used by QRadar

In this case, the time and date in the payload do not contain a time zone. The server where the events were generated is in the same time zone as QRadar. Users who experience this issue can open the DSM Editor and configure an override to tell QRadar where to find the time and date in the payload for the Log Source Time. By default, if no time zone is extracted, QRadar assigns its own time zone to the time.

Scenario 2: Event payload contains a time zone

In this scenario, the log source payload contains a time zone, but the DSM does not parse it. To correct this issue, configure the Log Source Time field to include the time zone: in the Date Format, specify the time zone with the letter "z".

Example payload:
<182>Feb 11 10:04:01CST hostname<...>
DSM Editor configuration override for Log Source Time:
Figure 1: In this example, adding a date format as 'zzz' allows the time zone to display.

Scenario 3: Time in the payload does not contain a time zone, but this event source is in a different time zone than QRadar

For example, the payload for a log source is in a known time zone and you want that information to display with the event. In this scenario, you can update the Log Source Time parameter with an override that adds the time zone in the Format String.

Example payload:
<182>Feb 11 10:04:01 hostname<...>
Because the log source that produces this payload is in Mountain Standard Time (MST), you can update the Format String to append the time zone to the captured time value when it is parsed.
Figure 2: The expression extracts the time and date. The Format String allows you to add the time zone MST; ensure that the Date Format includes the letter "z".

Scenario 4: The time in your payload is in epoch time

Epoch time is a 10-digit or 13-digit number that represents a timestamp relative to GMT and is not human readable. To parse an epoch time value correctly, you need to add an override to the Log Source Time configuration in the DSM Editor.

Example payload:
<...>user="the_user" request_timestamp_epoch="1638387181" URL="https"<...>
To parse an epoch time, review the following example:
Figure 3: Use the DSM Editor to convert epoch time stamps to a usable Log Source Time in QRadar.

Format String:
  • The capture group is $1.
  • The letters yyyy stand for the year.
  • The time zone is GMT.
Date Format:
  • Add a lowercase "s" for each digit of the epoch value. Because the epoch in this example has 10 digits, 10 lowercase "s" characters are added. If your epoch time contains milliseconds, you need to include 13 "s" characters in the Date Format field.
  • The text 'yyyy' must be included to reference the year, and it must be surrounded by single quotation marks.
  • The letters zzz tell QRadar that these three characters are the time zone.
If QRadar were using the EST time zone, the output would be as follows:
  • Epoch time: 1638387181
  • GMT: Wednesday, December 1, 2021 7:33:01 PM (time zone for the epoch time in the event).
  • EST: Wednesday, December 1, 2021 2:33:01 PM (time displayed in Log Source Time in the user interface).
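As an added example, not IBM's code or QRadar's actual date parser, the following Python emulates what the overrides in Scenarios 2 through 4 do: a regular-expression capture, substitution of $1..$n into the Format String, parsing of the resulting text, and display in the appliance time zone. The regexes, the fixed-offset time zone table and the function names are assumptions made here; the payloads and expected times are the ones this page gives.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed fixed-offset table for the abbreviations used on this page.
# Assumption: standard-time offsets only; no daylight-saving adjustment.
TZ_OFFSETS = {"GMT": 0, "EST": -5, "CST": -6, "MST": -7}

# Hypothetical regexes standing in for the DSM Editor's Log Source Time expression.
SYSLOG_RE = r"^<\d+>(\w{3} \d{1,2} \d{2}:\d{2}:\d{2})"                  # no zone in payload
SYSLOG_TZ_RE = r"^<\d+>(\w{3} \d{1,2} \d{2}:\d{2}:\d{2})\s?([A-Z]{3})"  # zone follows time
EPOCH_RE = r'request_timestamp_epoch="(\d{10}|\d{13})"'                 # seconds or millis

def as_tz(name):
    return timezone(timedelta(hours=TZ_OFFSETS[name]), name)

def log_source_time(payload, regex, format_string, appliance_tz, default_year=None):
    """Emulate a Log Source Time override: run the regex, substitute $1..$n into the
    Format String, parse the result, and return it in the appliance's time zone.
    Two text shapes are understood, mirroring the page's Date Formats:
      'MMM dd HH:mm:ss [zzz]'   e.g. 'Feb 11 10:04:01 MST'
      'ssssssssss yyyy zzz'     e.g. '1638387181 yyyy GMT'  (epoch, GMT)
    """
    match = re.search(regex, payload)
    if match is None:
        raise ValueError("Log Source Time expression did not match the payload")
    text = format_string
    for i, group in enumerate(match.groups(), start=1):
        text = text.replace(f"${i}", group)
    parts = text.split()
    if parts[0].isdigit():
        # Epoch case: 10 digits are seconds, 13 digits are milliseconds, both from GMT.
        number = int(parts[0])
        seconds = number / 1000 if len(parts[0]) == 13 else number
        when = datetime.fromtimestamp(seconds, as_tz(parts[-1]))
    else:
        # Syslog case: the payload has no year, so QRadar assigns the current year;
        # if no zone is present in the text, the appliance's own zone applies.
        naive = datetime.strptime(" ".join(parts[:3]), "%b %d %H:%M:%S")
        zone = parts[3] if len(parts) > 3 else appliance_tz
        year = default_year or datetime.now().year
        when = naive.replace(year=year, tzinfo=as_tz(zone))
    return when.astimezone(as_tz(appliance_tz))

if __name__ == "__main__":
    # Scenario 4 payload from the page, epoch seconds in GMT, appliance in EST.
    print(log_source_time('<...>user="the_user" request_timestamp_epoch="1638387181" URL="https"<...>',
                          EPOCH_RE, "$1 yyyy GMT", "EST"))
```

Passing default_year lets you reproduce the page's 2022 examples; left at None, the function takes the current year as QRadar does.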

Document Location

Worldwide


Document Information

Modified date:
07 March 2022

UID

ibm16557090