IBM Support

QRadar: Events not mapping to new QID due to hidden spaces

Troubleshooting


Problem

A new custom QID does not map to events whose successfully parsed Event Category and Event ID appear to match the QID.

Symptom

A new custom QID is created to map events whose Event Category and Event ID are parsed successfully, but even though the extracted values appear to match the mapping, the events are sent to "Unknown" instead of the new QID.
For example, an admin wants to map this sample event:
<13>Sep 30 07:13:59 hostname.doman.com EXEC[4182]:  Cat: Security2  ID: NewEvent#123 MSG: New security event activity.
Security2 is extracted as the Event Category and NewEvent#123 as the Event ID.
In the DSM Editor, on the Event Mapping tab, the values in the QID appear to match the values parsed from the event.

Cause

An extra character is appended to the Event ID stored in the QID. The character is not visible in the UI.

Diagnosing The Problem

Confirm the values of Event ID and Event Category stored for the QID in the PostgreSQL database.
  1. Open the DSM Editor and, on the Event Mapping tab, note the event name (QID name) in the Name section. In this example it is The Test.
  2. SSH to the QRadar Console.
  3. Log in to the QRadar console by using the command-line interface.
  4. Log in to the PostgreSQL database with the following command:
    psql -U qradar
  5. Query the qidmap table for the custom QID by using the QID name (qname) noted in step 1, and note the id for the next step:
    select id,qid,qname from qidmap where qname ilike '<new_custom_qid_name>';
    In this example, the output shows the id 1009601 for that qname.
  6. Run the next two commands; the first turns off aligned output mode in psql and the second returns the mapping configuration for that id:
    \a
    select * from dsmevent where qidmapid = <id_new_custom_qid>;
    In the output of the second command, the value stored for Event ID ends with a space.
    This space is why, even though the mapping appears to match the extracted Event ID and Event Category, the events are still sent to "Unknown".

Resolving The Problem

Either fix the mapping to remove the space, or configure the field extraction so that it includes the space at the end of the value.
Use the Workspace section of the DSM Editor to find any extra space: when a regex is entered and it matches, the match is highlighted in yellow and the extracted portion is highlighted in orange.
Make sure the orange section does not contain a highlighted space before or after the value.
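The extraction and comparison described in the two sections above, as an added Python example that is not from this technote or from IBM: it applies a loose and a strict Event ID regex to the sample event, then compares each parsed value with a constructed copy of the mapped value and names any whitespace or invisible characters, which the DSM Editor does not display. The regexes, the mapped values and the function names are assumptions for illustration.

```python
import re
import unicodedata

# Constructed sample event, copied from the technote above.
SAMPLE_EVENT = ("<13>Sep 30 07:13:59 hostname.doman.com EXEC[4182]:  "
                "Cat: Security2  ID: NewEvent#123 MSG: New security event activity.")

# Assumed extraction regexes. The loose one captures everything up to "MSG:",
# so its group 1 keeps the trailing space; the strict one stops at the value.
CATEGORY_RE = re.compile(r"Cat: (\S+)")
LOOSE_EVENT_ID_RE = re.compile(r"ID: (.*?)MSG:")
STRICT_EVENT_ID_RE = re.compile(r"ID: (\S+)\s+MSG:")


def extract(pattern, text):
    """Return capture group 1 (the 'orange' portion in the DSM Editor) or None."""
    match = pattern.search(text)
    return match.group(1) if match else None


def is_hidden(ch):
    """True for whitespace and invisible format characters (space, NBSP, ZWSP, ...)."""
    return ch.isspace() or unicodedata.category(ch) in ("Zs", "Cf")


def hidden_chars(value):
    """List (index, Unicode name) of hidden characters in value."""
    return [(i, unicodedata.name(ch, f"U+{ord(ch):04X}"))
            for i, ch in enumerate(value) if is_hidden(ch)]


def diagnose(parsed, mapped):
    """Explain why a parsed field value does or does not equal the mapped value."""
    if parsed == mapped:
        return "match"
    visible = lambda s: "".join(ch for ch in s if not is_hidden(ch))
    if visible(parsed) == visible(mapped):
        return (f"whitespace-only mismatch: parsed={parsed!r} mapped={mapped!r}; "
                f"hidden in parsed: {hidden_chars(parsed)}, "
                f"hidden in mapped: {hidden_chars(mapped)}")
    return f"values differ: parsed={parsed!r} mapped={mapped!r}"


if __name__ == "__main__":
    # Constructed copy of what the dsmevent row stores for the custom QID:
    # the Event ID carries the trailing space that the UI does not show.
    mapped_category, mapped_event_id = "Security2", "NewEvent#123 "
    for name, pattern in (("loose", LOOSE_EVENT_ID_RE), ("strict", STRICT_EVENT_ID_RE)):
        parsed_id = extract(pattern, SAMPLE_EVENT)
        print(f"{name} regex -> {parsed_id!r}: {diagnose(parsed_id, mapped_event_id)}")
    print("Category:", diagnose(extract(CATEGORY_RE, SAMPLE_EVENT), mapped_category))
```

The loose regex reproduces the "add the space to the extraction" fix (the values match), while the strict regex shows the mismatch that the stored trailing space causes.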

Document Location

Worldwide


Document Information

Modified date:
19 September 2022

UID

ibm16614981