IBM Support

QRadar: Why do some Linux events have the event collector's IP as the Source IP?

Question & Answer


Question

Why do some Linux events have the event collector's IP as the Source IP?

Cause

If the payload contains no Source or Destination IP information, and the events were retrieved from an Amazon AWS bucket or a Microsoft® Azure Event Hub, there is no packet IP (the address of the host that delivered the event over the network) to fall back on as the Source IP.
To illustrate, example payload 1 below contains no source or destination IP information, so QRadar falls back to the event collector's IP address as the Source IP, because that field cannot be null:
Oct 13 12:17:01 10.10.10.10 CRON[15219]: pam_unix(cron:session): session opened for user root by (uid=0)
The syslog header does contain an IP address (10.10.10.10 in this example), but by design the syslog header is not used to populate the Source IP when the event is parsed.
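The fallback order described above, modelled as an added Python example (this is illustrative code written for this technote, not QRadar's own parsing logic or a DSM). The collector address 192.0.2.50, the sample log lines, and the body patterns used to spot a source IP (sshd "from <ip>", pam "rhost=<ip>", iptables-style "SRC=<ip>") are all assumptions of the example. It shows why the same CRON line gets the packet IP when sent directly over syslog but the collector's IP when pulled from a bucket or Event Hub, and why the 10.10.10.10 in the syslog header is never used.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed address of the QRadar event collector (hypothetical, RFC 5737 range).
COLLECTOR_IP = "192.0.2.50"

IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"

# RFC 3164-style header: optional <PRI>, timestamp, host, then the message body.
SYSLOG_HEADER = re.compile(
    r"^(?:<\d{1,3}>)?[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2} (?P<host>\S+) (?P<body>.*)$"
)

# Source-IP patterns seen in typical Linux log bodies. This list is an assumption of
# the example, not QRadar's DSM logic.
BODY_SRC_IP = re.compile(
    r"(?:\bfrom\s+|\brhost=|\bsrc=|\bsource=)(?P<ip>" + IPV4 + r")\b", re.IGNORECASE
)


@dataclass
class Event:
    payload: str
    # IP of the peer that delivered the event over the network (syslog);
    # None when the event was pulled from an S3 bucket or an Event Hub, where no packet exists.
    packet_ip: Optional[str]


def split_syslog(payload: str) -> Tuple[Optional[str], str]:
    """Return (header_host, body). The header host is recorded but never used for Source IP."""
    m = SYSLOG_HEADER.match(payload)
    if not m:
        return None, payload
    return m.group("host"), m.group("body")


def source_ip_from_body(body: str) -> Optional[str]:
    """First source-IP-looking value in the message body, or None."""
    m = BODY_SRC_IP.search(body)
    return m.group("ip") if m else None


def resolve_source_ip(event: Event, collector_ip: str = COLLECTOR_IP) -> Tuple[str, str]:
    """Model of the fallback order: payload -> packet IP -> collector IP.
    Returns (source_ip, origin) so the caller can see which rule fired."""
    _header_host, body = split_syslog(event.payload)  # header host is deliberately ignored
    ip = source_ip_from_body(body)
    if ip:
        return ip, "payload"
    if event.packet_ip:
        return event.packet_ip, "packet"
    return collector_ip, "collector"


def collector_as_source(events: List[Event], collector_ip: str = COLLECTOR_IP) -> List[Event]:
    """Events whose Source IP would end up being the collector itself: the ones to review,
    or to re-route to direct delivery, if the real source address matters."""
    return [e for e in events if resolve_source_ip(e, collector_ip)[1] == "collector"]


# Constructed sample events (not taken from real systems).
CRON_LINE = ("Oct 13 12:17:01 10.10.10.10 CRON[15219]: pam_unix(cron:session): "
             "session opened for user root by (uid=0)")
SSHD_LINE = ("Oct 13 12:18:44 10.10.10.10 sshd[15301]: Accepted publickey for alice "
             "from 203.0.113.7 port 52233 ssh2")

SAMPLE_EVENTS = [
    Event(CRON_LINE, packet_ip="10.10.10.10"),  # sent directly to the collector over syslog
    Event(CRON_LINE, packet_ip=None),           # same line, pulled from S3 / Event Hub
    Event(SSHD_LINE, packet_ip=None),           # pulled, but the body names the source
]

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        ip, origin = resolve_source_ip(e)
        print(f"{origin:9s} {ip:15s} {e.payload[:60]}")
```

Running the block prints one line per sample event: the directly delivered CRON line resolves to the packet IP 10.10.10.10, the pulled copy of the same line resolves to the collector address, and the pulled sshd line resolves to 203.0.113.7 because the body itself names the source. The collector_as_source helper is the check to run over a batch: anything it returns carries no usable source address, which is the situation the Answer section addresses.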

Answer

If the packet IP is critical information, consider sending the events directly to an event collector instead of retrieving them from the bucket or Event Hub, so that the address of the delivering host is available as the packet IP. See also the related technote "QRadar: How the Source IP and Destination IP are determined from events".


Document Information

Modified date:
28 November 2023

UID

ibm16838795