Question & Answer
Question
In the Event Detail screen, why is the log source's IP shown in the Source IP and Destination IP fields, even when the payload has IP information?
Answer
When an event payload does not have IPv4 source and destination details but has IPv6 source and destination details, the Source IP and Destination IP attributes are substituted with the log source's IPv4 address. This behavior is by design.
Note:
- In these cases, include the Source IPv6 and Destination IPv6 columns in your search criteria so that the search uses the correct IP addresses.
- If the IPv6 address seen is not defined in Network Hierarchy, then the Source IPv6 and Destination IPv6 are considered remote, and the Direction column is displayed as R2R.
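The following is an added example, not IBM code: a Python sketch for working with exported event rows that picks the IPv6 address when the IPv4 field only repeats the log source's address, then derives the direction from a list of local networks. The dictionary keys, the sample rows, the LOCAL_NETWORKS list, and the treatment of an empty or all-zero IPv6 field as "absent" are assumptions made for illustration, as is the handling of addresses that are defined as local.

```python
import ipaddress

# Constructed stand-in for Network Hierarchy (assumption): CIDRs treated as local.
LOCAL_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "2001:db8:10::/48")]

# Constructed sample rows; key names are hypothetical export column names.
EVENTS = [
    {"log_source_ip": "10.1.1.5", "source_ip": "10.1.1.5", "destination_ip": "10.1.1.5",
     "source_ipv6": "2001:db8:ffff::1", "destination_ipv6": "2001:db8:ffff::2"},
    {"log_source_ip": "10.1.1.5", "source_ip": "10.1.1.5", "destination_ip": "10.1.1.5",
     "source_ipv6": "2001:db8:10::7", "destination_ipv6": "2001:db8:ffff::2"},
    {"log_source_ip": "10.1.1.5", "source_ip": "10.2.2.2", "destination_ip": "198.51.100.9",
     "source_ipv6": "0:0:0:0:0:0:0:0", "destination_ipv6": ""},
]


def effective_ip(ipv4, ipv6, log_source_ip):
    """Return the address the payload carried for one side of the event.

    If the IPv6 field holds a real address and the IPv4 field only repeats
    the log source's address, the IPv4 value is the substitute, so use IPv6.
    """
    v6 = ipaddress.ip_address(ipv6) if ipv6 else None
    if v6 is not None and not v6.is_unspecified and ipv4 == log_source_ip:
        return v6
    return ipaddress.ip_address(ipv4)


def is_local(addr):
    """True when the address falls inside one of the local networks."""
    return any(addr.version == net.version and addr in net for net in LOCAL_NETWORKS)


def direction(src, dst):
    """Build L2L / L2R / R2L / R2R from local-network membership."""
    return ("L" if is_local(src) else "R") + "2" + ("L" if is_local(dst) else "R")


def resolve(event):
    """Return (source, destination, direction) using the effective addresses."""
    ls = event["log_source_ip"]
    src = effective_ip(event["source_ip"], event["source_ipv6"], ls)
    dst = effective_ip(event["destination_ip"], event["destination_ipv6"], ls)
    return str(src), str(dst), direction(src, dst)


if __name__ == "__main__":
    for ev in EVENTS:
        print(resolve(ev))
```

In the first sample row, classifying by the IPv4 fields alone would treat both ends as the local log source address, while the IPv6 addresses are outside the local networks and give R2R.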
Document Information
Modified date:
13 April 2022
UID
ibm16565293