QRadar: Events coming in unmapped and unparsed



After third-party systems have been successfully configured to send events to QRadar, the events arrive as "Unknown". They are attributed to the SIM Generic log source instead of the intended log source, and they are neither mapped nor parsed.


The traffic analysis engine cannot match the incoming events to a configured log source: the identifier the events carry (a string such as a host name, or an IP address) does not correspond to the Log Source Identifier of any existing log source, so the events fall through to SIM Generic.

Diagnosing The Problem

There are two indications that this problem is affecting a QRadar deployment:
  • Events under the SIM Generic log source are labeled "Unknown log activity."
  • System notifications report "Unable to determine associated log source."

Resolving The Problem

To resolve the problem, determine the identifier the events actually carry and set it as the Log Source Identifier of the intended log source.
  1. Find the Unknown events under the SIM Generic log source.
  2. Open an event's payload and scroll to the "Additional Information" section. Note the value of the Log Source Identifier field; it contains a string (such as a host name) or an IP address.
    (Screenshot: an event payload showing five fields: eventID, eventCategory, Log Source Identifier, Stored for Performance, and Truncated.)
  3. In the Log Source Management app, open the log source that should receive these events, go to the Protocol tab, and replace its Log Source Identifier with the value found under "Additional Information". The value must match exactly; for example, a device that puts its host name in the syslog header will not match a log source whose identifier is that device's IP address.
    (Screenshot: the Protocol tab of a log source in the Log Source Management app.)

    Subsequent events no longer arrive as Unknown under SIM Generic; they are attributed to the correct log source and parsed.
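The procedure above comes down to one comparison: the identifier carried by the event versus the Log Source Identifier typed into the log source. The following Python script is an added example, not IBM code and not part of this technote; it models that comparison offline so the common mismatches (device sends a host name but the log source is configured with its IP, or sends an FQDN where a short name was configured) can be spotted before touching the Log Source Management app. The syslog lines and the configured identifiers are constructed for illustration, and the rule "use the RFC 3164 HOSTNAME field, otherwise the sending IP" is an assumption about how a syslog receiver derives the identifier, not a statement about QRadar internals.

```python
import re

# Constructed sample input: (sender_ip, raw_payload) pairs as a collector might receive them.
# These are made-up lines, not captured QRadar data.
SAMPLE_EVENTS = [
    ("10.20.30.40", "<134>Apr  4 10:15:02 fw-edge01 kernel: ACCEPT src=192.0.2.10 dst=198.51.100.7"),
    ("10.20.30.41", "<14>Apr  4 10:15:03 10.20.30.41 sshd[2211]: Accepted publickey for ops from 192.0.2.55"),
    ("10.20.30.42", "<13>Apr  4 10:15:04 proxy01.corp.example squid: TCP_MISS/200 1234 GET http://example.net/"),
]

# Constructed: the Log Source Identifier values an administrator typed into three log sources.
CONFIGURED_LOG_SOURCES = {
    "Edge firewall": "10.20.30.40",   # device actually sends the host name fw-edge01
    "Bastion sshd": "10.20.30.41",    # matches what the device sends
    "Web proxy": "proxy01",           # device sends its FQDN
}

# RFC 3164 header: <PRI>, timestamp, then the HOSTNAME field.
SYSLOG_HEADER = re.compile(
    r"^<\d{1,3}>"
    r"[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}\s+"
    r"(?P<host>\S+)\s"
)


def extract_identifier(sender_ip: str, payload: str) -> str:
    """Identifier a syslog receiver keys on: the HOSTNAME field of an RFC 3164
    header when present, otherwise the IP the event was received from.
    Assumption for this example; QRadar's exact derivation is not modelled."""
    m = SYSLOG_HEADER.match(payload)
    return m.group("host") if m else sender_ip


def suggest(ident: str, sender_ip: str, configured: dict) -> str:
    """Explain which configured log source the event most likely belongs to and
    what to put in its Log Source Identifier field."""
    for name, cfg in configured.items():
        if cfg == sender_ip:
            return f"{name}: configured with sender IP {cfg}; set Log Source Identifier to {ident}"
        if ident.split(".")[0] == cfg or cfg.split(".")[0] == ident:
            return f"{name}: configured as {cfg}, device sends {ident}; set Log Source Identifier to {ident}"
    return f"no configured log source resembles {ident}; create one with that identifier"


def find_unmatched(events, configured: dict) -> dict:
    """Return {identifier_seen: suggestion} for every event whose identifier
    matches none of the configured Log Source Identifiers. These are the events
    that would land under SIM Generic as Unknown."""
    known = set(configured.values())
    unmatched = {}
    for sender_ip, payload in events:
        ident = extract_identifier(sender_ip, payload)
        if ident not in known:
            unmatched[ident] = suggest(ident, sender_ip, configured)
    return unmatched


if __name__ == "__main__":
    for ident, advice in find_unmatched(SAMPLE_EVENTS, CONFIGURED_LOG_SOURCES).items():
        print(f"Unknown event identifier {ident!r} -> {advice}")
```

Running the script flags the firewall (configured by IP, sends a host name) and the proxy (configured by short name, sends an FQDN) and leaves the bastion host alone, which is the same judgement step 3 asks you to make by eye from the "Additional Information" section.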

04 April 2023