Abstract
QRadar® SIEM development has identified a known issue where unknown log events that carry an IPv4 or IPv6 address in the syslog header, and that would otherwise be associated with the SIM Generic log source, are being dropped. This technote helps administrators identify whether they are affected and remediate the issue.
Content
Technical note updates
- 30 January 2025 12:00 PM ET: Technote created for the SIM Generic log events issue.
- 31 January 2025 2:30 PM GMT: Workaround updated to list the updated DSM posted to Fix Central that resolves this issue.
- 05 February 2025 18:20 GMT: Resolution updated with the new AutoUpdate bundle (QRADAR-QRAUTO-1738767700) on Fix Central.
Critical: On January 30, 2025, an issue was identified where unknown log events with an IPv4 or IPv6 address in the syslog header are not being associated with the SIM Generic log source. These events are being dropped, so they do not reach the SIEM. The affected DSM is DSM-SIMGenericLog-7.5-20241220124142.noarch.rpm. An unknown event is an event that cannot be mapped or categorized to a specific log source.
Notice: An updated SIM Generic DSM is available to resolve the dropped events issue for all users. Administrators can download the latest version of SIM Generic to the Console appliance from IBM Fix Central: SIMGenericLog-7.5-20250130145444.noarch.rpm.
Resolution
A new AutoUpdate bundle containing the updated RPM is available on IBM Fix Central: QRADAR-QRAUTO-1738767700.
Affected products
QRadar SIEM Software installations at 7.5.0, any Update Package.
Am I affected?
Administrators can use this procedure to confirm the current version of SIM Generic installed on their Console.
Procedure
- Use SSH to log in to the QRadar Console as the root user.
- Type the following command:
  rpm -qa | grep DSM-SIMGenericLog
  Example output:
  DSM-SIMGenericLog-7.5-20241220124142.noarch
- Review the output to determine whether the affected package is installed on QRadar.
Results
If the output is DSM-SIMGenericLog-7.5-20241220124142.noarch, follow the Workaround section below to update the SIM Generic RPM to the latest released version, which resolves this reported issue.
Workaround
Procedure
- Download the latest SIM Generic RPM from IBM Fix Central: SIMGenericLog-7.5-20250130145444.noarch.rpm
  The abstract for this RPM update states that version 20250130145444 resolves an issue where unparsed events sent to the SIM Generic DSM could be dropped.
- Copy the RPM to the /store/tmp directory on the QRadar Console.
- Use SSH to log in to the QRadar Console as the root user.
- Navigate to the /store/tmp directory.
- Type the following command:
  yum -y install DSM-SIMGenericLog-7.5-20250130145444.noarch.rpm
- Wait for the RPM installation to complete on the Console.
- Log in to the QRadar UI and perform a Deploy Configuration from the Admin tab.
Results
After the deploy completes, confirm that the updated SIM Generic RPM is installed with the rpm -qa command described in the Am I affected? section of this technical note. If you continue to experience issues or have questions, contact QRadar Support.
We apologize for any inconvenience due to this issue.
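The check and the workaround above, as one added shell example that is not part of the IBM technote: it wraps the technote's rpm -qa query in a function that classifies the installed SIM Generic build, so the logic can be exercised offline against constructed rpm -qa output, and on the Console it can run the yum step of the workaround. The build numbers are the ones the technote lists; the script name, the --check and --remediate flags, the RPM path under /store/tmp, the sample package lines, and the assumption that any build later than 20250130145444 also carries the fix are mine, not the technote's.

```shell
#!/bin/sh
# Added example, not part of the IBM technote: classify the installed SIM
# Generic DSM build using the same `rpm -qa | grep DSM-SIMGenericLog` query
# the technote gives, then apply the documented yum step on request.
# Build numbers are those listed in the technote; the --check/--remediate
# flags and the RPM path under /store/tmp are assumptions.

AFFECTED_TS=20241220124142   # DSM-SIMGenericLog-7.5-20241220124142 drops unknown events
FIXED_TS=20250130145444      # DSM-SIMGenericLog-7.5-20250130145444 is the fixed build
FIXED_RPM="/store/tmp/DSM-SIMGenericLog-7.5-${FIXED_TS}.noarch.rpm"

# classify_sim_generic reads `rpm -qa` output on stdin and prints one word:
#   missing   no DSM-SIMGenericLog package is installed
#   affected  the build the technote names as affected is installed
#   fixed     the fixed build, or a later one (assumed fixed), is installed
#   older     an earlier build, which the technote does not name as affected
classify_sim_generic() {
    # Newest installed build wins; the 14-digit timestamp sorts lexically.
    pkg=$(grep '^DSM-SIMGenericLog-7\.5-[0-9]\{14\}\.noarch$' | sort | tail -n 1)
    [ -n "$pkg" ] || { echo missing; return 0; }
    ts=$(printf '%s\n' "$pkg" | sed 's/^DSM-SIMGenericLog-7\.5-\([0-9]\{14\}\)\.noarch$/\1/')
    if [ "$ts" -eq "$AFFECTED_TS" ]; then
        echo affected
    elif [ "$ts" -ge "$FIXED_TS" ]; then
        echo fixed
    else
        echo older
    fi
}

# console_status runs the technote's query against the local rpm database
# (only meaningful on the QRadar Console, where rpm exists).
console_status() {
    rpm -qa | classify_sim_generic
}

# remediate installs the fixed RPM from /store/tmp, the technote's yum step,
# then re-checks. The Deploy Configuration step is done from the Admin tab
# in the UI and is not scripted here.
remediate() {
    if [ ! -f "$FIXED_RPM" ]; then
        echo "copy the Fix Central RPM to $FIXED_RPM first" >&2
        return 1
    fi
    ( cd /store/tmp && yum -y install "$(basename "$FIXED_RPM")" ) || return 1
    echo "installed build is now: $(console_status)"
    echo "next: perform Deploy Configuration from the Admin tab in the QRadar UI"
}

case "${1:-}" in
    --check)
        status=$(console_status)
        echo "SIM Generic DSM status: $status"
        if [ "$status" = affected ]; then
            echo "affected build installed; run: $0 --remediate"
        fi
        ;;
    --remediate)
        remediate
        ;;
    "")
        # No argument: demonstrate offline against constructed rpm -qa output
        # (these two lines are sample data, not output captured from a Console).
        sample='kernel-3.10.0-1160.el7.x86_64
DSM-SIMGenericLog-7.5-20241220124142.noarch'
        echo "constructed sample -> $(printf '%s\n' "$sample" | classify_sim_generic)"
        ;;
    *)
        echo "usage: $0 --check | --remediate" >&2
        exit 2
        ;;
esac
```

Run it with --check on the Console as root to get the same answer the technote's procedure gives; with no argument it only classifies the embedded sample, so it is safe to run anywhere. Note that the classification confirms only which package is installed: events dropped while the affected build was active are not recovered by the update, and the fix is not live until the Deploy Configuration step has completed.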
Document Information
Modified date: 11 February 2025
UID: ibm17182076