Question & Answer
Question
Why do some Linux events have the event collector's IP as the Source IP?
Cause
If the payload doesn't contain Source or Destination IP information, and the events are retrieved from an Amazon AWS bucket or Microsoft® Azure Event Hub, there is no Packet IP to fall back on as the Source IP.
To illustrate, example payload 1 below contains no source or destination IP information, so QRadar might set the Source IP to the event collector's address because the value cannot be 'null'.
Oct 13 12:17:01 10.10.10.10 CRON[15219]: pam_unix(cron:session): session opened for user root by (uid=0)
The syslog header does contain the sender's IP, but the syslog header is, by design, ignored when parsing events.
Answer
If the packet IP is critical information, consider sending the event directly to an event collector. See also the associated technote "QRadar: How the Source IP and Destination IP are determined from events".
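The fallback chain described above (payload IP, then packet IP, then the collector's own address) can be shown in a small model. The Python below is an added illustration, not QRadar code: it assumes a hypothetical collector address of 10.0.0.5, a BSD-style syslog header, and a simplified rule that the first IPv4 address in the message body counts as the Source IP. The sample events are constructed; the first one mirrors the CRON payload in the technote. Real DSM parsing is considerably more elaborate, but the ordering of the fallbacks is the point.

```python
import re
from typing import Optional, Tuple

# Constructed sample events (not taken from a real deployment).
# Payload 1 mirrors the technote: the message body carries no IP address at all.
PAYLOAD_WITHOUT_IP = (
    "Oct 13 12:17:01 10.10.10.10 CRON[15219]: pam_unix(cron:session): "
    "session opened for user root by (uid=0)"
)
# Payload 2 carries an IP inside the message body itself.
PAYLOAD_WITH_IP = (
    "Oct 13 12:18:44 10.10.10.10 sshd[2201]: Accepted publickey for alice "
    "from 192.0.2.45 port 51234 ssh2"
)

# Hypothetical event collector address (assumption, not from the technote).
COLLECTOR_IP = "10.0.0.5"

# BSD-style syslog header: "MMM dd hh:mm:ss <host> " followed by the message body.
SYSLOG_HEADER = re.compile(
    r"^[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} (?P<host>\S+) (?P<msg>.*)$"
)
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def split_syslog(line: str) -> Tuple[Optional[str], str]:
    """Return (header_host, message_body).

    The header host is returned only so a caller can see what is being
    ignored; the Source IP logic below never consults it.
    """
    m = SYSLOG_HEADER.match(line)
    if not m:
        return None, line
    return m.group("host"), m.group("msg")


def payload_source_ip(line: str) -> Optional[str]:
    """First IPv4 address found in the message body, header excluded.

    Simplification: a real DSM decides which field is the source address.
    """
    _, body = split_syslog(line)
    m = IPV4.search(body)
    return m.group(0) if m else None


def resolve_source_ip(
    line: str, packet_ip: Optional[str], collector_ip: str = COLLECTOR_IP
) -> Tuple[str, str]:
    """Apply the fallback chain and report which step supplied the value.

    packet_ip is the address the syslog datagram or connection arrived from.
    It is None when events are pulled from an object store or event hub
    (for example an AWS bucket or an Azure Event Hub), because there is no
    network packet from the original host in that case.
    """
    ip = payload_source_ip(line)
    if ip:
        return ip, "payload"
    if packet_ip:
        return packet_ip, "packet"
    # Nothing else is available, so the collector's own address is used.
    return collector_ip, "collector"


if __name__ == "__main__":
    # Direct syslog delivery: packet IP is known and fills the gap.
    print(resolve_source_ip(PAYLOAD_WITHOUT_IP, packet_ip="10.10.10.10"))
    # Same event pulled from a cloud source: no packet IP, collector IP is used.
    print(resolve_source_ip(PAYLOAD_WITHOUT_IP, packet_ip=None))
    # Event whose body contains an IP: the payload wins regardless of transport.
    print(resolve_source_ip(PAYLOAD_WITH_IP, packet_ip=None))
```

Running the three cases shows why the technote recommends direct delivery: the CRON event resolves to the sending host only when a packet IP exists, and falls through to the collector address when the same event is retrieved from cloud storage.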
Document Information
Modified date:
28 November 2023
UID
ibm16838795