Troubleshooting
Problem
When QIDs are added through DSM Editor, events parse correctly, but are displayed as Unknown in Log Activity.
Symptom
Events seen as Unknown in Log Activity even though QIDs are created for them.
Cause
Events are not mapped to their QID.
Resolving The Problem
Before you Begin
For multi-tenant environments, any user-defined mapping or event categorization information that is defined in the DSM Editor becomes visible across all tenants. You must ensure that no tenant-specific data is put in any event categorization names or descriptions.
You can reuse an existing QID that is already used by another DSM, but in this example we create a custom QID.
The sequence is two-part:
- Part 1 - Adding QIDs in DSM Editor.
- Part 2 - Mapping QIDs to their respective events in Log Activity.
Part 1 - Adding QIDs in DSM Editor
- Log in to the QRadar Console.
- Click the Admin tab.
- In Events under the Data Sources section, click DSM Editor.
- Highlight the Log Source Type associated with the events that are displayed as Unknown, then click Select.
- Copy and paste the event payload in the workspace window.
- To obtain the payload, go to Log Activity and list the unknown events.
- You can find these events by using the Payload Contains filter with some text from the payload as the value, or by filtering on the log source to get all of its events.
- Once the events are shown, double-click the respective event to open the Event Information page.
- Copy the payload from Payload Information.
- Go to DSM Editor and paste the payload into the Workspace.
- Click the Event Mappings Tab.
- Click the plus (+) icon next to the Filter field to add a new QID.
- In the Create a new Event Mapping window, enter an Event ID value that can be produced by this log source type.
- Enter an Event Category value that can be produced by this log source type.
- Click Choose QID... and the QID Records window opens.
- Click Create New QID Record.
- Populate the required fields.
- Name - Event name
- Description - Event description
- Log Source Type - Affected log source type
- High-Level Category - Based on event
- Low-Level Category - Based on event
- Severity - Based on event
- Click Save.
- Click OK, Create, then Save.
Result
The event is displayed as successfully parsed and mapped in DSM Editor.
Part 2 - Mapping QIDs to their respective events in Log Activity
- Log in to the QRadar Console.
- Click the Log Activity tab.
- If you are viewing events in streaming mode, click the Pause icon to pause streaming.
- Complete a search for the events in question, then double-click the event that the QID was created for.
- In the Event Information window, click Map Event; the Log Source Event window opens.
- Select the following values:
- High-Level Category - Any
- Low-Level Category - Any
- Log Source Type - Affected log source type
- QID/Name - Copy and paste the QID that you created previously
- Click Search.
- Select the QID that you created previously, then click OK and then OK again to exit.
Result
New events of the same type are parsed and mapped and then displayed correctly in the Log Activity tab.
Document Location
Worldwide
Document Information
Modified date:
19 October 2023
UID
ibm16561247