IBM Support

QRadar: Error "Salesforce protocol ignores the events of unlisted types" for Salesforce events.

Troubleshooting


Problem

The latest Salesforce protocol packages for 7.3 and 7.4 now process supported event types only. When events of an unsupported type are received, the following error stack is displayed in /var/log/qradar.log:

[ecs-ec-ingress.ecs-ec-ingress] [Salesforce REST API Provider Protocol Provider Thread: class com.q1labs.semsources.sources.salesforcerestapi.SalesforceRESTAPIProvider21311] com.q1labs.semsources.sources.salesforcerestapi.eventformatter.EventFormatterException: Unsupported event type 'ApiTotalUsage' found.

Cause

As defined in the Salesforce Security documentation for QRadar, only these event types (recorded events) are supported:

  • Login History
  • Account History
  • Case History
  • Entitlement History
  • Service Contract History
  • Contract Line Item History
  • Contract History
  • Contact History
  • Lead History
  • Opportunity History
  • Solution History
  • Salesforce Security Auditing audit trail

Diagnosing The Problem

These Salesforce event types are not supported:
  • ApiTotalUsage: API Total usage events contain details about Platform SOAP API, Platform REST API, and Bulk API requests (for API versions up to and including v30.0).
  • OneCommerceUsage: One Commerce Usage events capture information about your Commerce instance. This event type is available in the EventLogFile object in API version 51.0 and later.
  • AuraRequest: Aura Request events contain details of requests to Apex methods from Aura and Lightning web components. For example, you can benchmark request time or identify the URI of an unsuccessful request.
The list of unsupported event types could include more categories.
If there are any doubts about the supported events, check the list in the Salesforce Security documentation for QRadar.
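
To see which unsupported types a deployment is actually receiving, the exception lines can be tallied by type. The script below is an added example, not IBM tooling; it assumes the log lines have the format of the error shown under Problem, and the function names and sample log are constructed for illustration.

```shell
#!/bin/sh
# Added example: count "Unsupported event type" errors per Salesforce event type.
# Usage: unsupported_salesforce_types [logfile]   (default: /var/log/qradar.log)
unsupported_salesforce_types() {
    log="${1:-/var/log/qradar.log}"
    # 1. keep only the Salesforce protocol's EventFormatterException lines
    # 2. extract the quoted type name from "Unsupported event type '<name>' found"
    # 3. count per type; print "<type><TAB><count>", highest count first
    grep -F 'salesforcerestapi.eventformatter.EventFormatterException' "$log" \
      | sed -n "s/.*Unsupported event type '\([^']*\)' found.*/\1/p" \
      | sort | uniq -c \
      | awk '{ print $2 "\t" $1 }' \
      | sort -t "$(printf '\t')" -k2,2nr -k1,1
}

# Constructed sample log: five exception lines modelled on the error shown
# under Problem, plus one unrelated line that must be ignored.
write_sample_log() {
    for etype in ApiTotalUsage AuraRequest ApiTotalUsage OneCommerceUsage ApiTotalUsage; do
        printf "%s %s: Unsupported event type '%s' found.\n" \
            '[ecs-ec-ingress.ecs-ec-ingress] [Salesforce REST API Provider Protocol Provider Thread: class com.q1labs.semsources.sources.salesforcerestapi.SalesforceRESTAPIProvider21311]' \
            'com.q1labs.semsources.sources.salesforcerestapi.eventformatter.EventFormatterException' \
            "$etype"
    done > "$1"
    echo '[constructed] unrelated line without the exception' >> "$1"
}

# Demo on the constructed sample; on a QRadar host, call
# unsupported_salesforce_types with no argument to read /var/log/qradar.log.
tmp=$(mktemp)
write_sample_log "$tmp"
unsupported_salesforce_types "$tmp"
rm -f "$tmp"
```

The type names it prints are the ones to map in the DSM Editor or to name in an Enhancement Request.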

Resolving The Problem

1. Use the DSM Editor to map the events manually. See the following links for the support policies on custom field extraction:
QRadar: Regular expression (regex) cases and support policies
QRadar: Log source configuration and performance support policy
QRadar: DSM Editor and custom log source cases and support policies

Or

2. Submit an Enhancement Request to ask for these events to be parsed and mapped by the protocol.

Document Location

Worldwide


Document Information

Modified date:
01 April 2022

UID

ibm16566491