Why does QRadar sometimes create multiple Log Sources, of different Log Source Types, for a single device? How can log events be forced to go to the correct Log Source?
QRadar Traffic Analysis evaluates events to determine whether they belong to an existing log source. If no matching Log Source already exists, Traffic Analysis determines whether the event matches an existing Log Source Type. Many Log Source Types have very similar events, so incoming events are sometimes matched to an incorrect Log Source Type. DHCP Server, Unix, and Linux OS events are the most common examples of this.
Resolving The Problem
If multiple Log Sources are being created for a single device, do the following to ensure that events are sent to the intended Log Source Type:
- If the intended Log Source was not automatically created, ensure that the Log Source Type is supported for Auto Discovery.
- Open the Admin settings:
- In IBM Security QRadar V7.3.1, click the navigation menu (☰), and then click Admin to open the Admin tab.
- In IBM Security QRadar V7.3.0 or earlier, click the Admin tab.
- Click the Log Sources icon.
- Select the Log Source in question.
- Click Parsing Order.
- Move that log source to the top of the Parsing Order for its corresponding Log Source Identifier.
- If events continue to be intercepted by an incorrect Log Source Type, select the incorrect Log Source.
- Click Disable to disable the incorrect Log Source.
Note: If a Log Source is deleted, it might be 'auto discovered' again later on.
Results: You have the correct Log Source Type configured for the Log Source.
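As an added illustration, not part of the IBM technote, the following Python checks an exported log-source inventory for exactly the symptom described above: one Log Source Identifier with several enabled Log Sources of different types. The records are constructed samples, and the field names (`type_name`, `identifier`, `enabled`) are assumptions rather than QRadar's own export schema.

```python
from collections import defaultdict

# Constructed sample inventory (not real QRadar data). Field names are assumed.
# 10.0.0.5 shows the problem: one device, two enabled log sources of different types.
# 10.0.0.7 does not: its second log source is already disabled, so it no longer parses.
SAMPLE_LOG_SOURCES = [
    {"id": 101, "name": "dhcp01",     "type_name": "Microsoft DHCP Server", "identifier": "10.0.0.5", "enabled": True},
    {"id": 102, "name": "dhcp01-2",   "type_name": "Linux OS",              "identifier": "10.0.0.5", "enabled": True},
    {"id": 103, "name": "fw01",       "type_name": "Cisco ASA",             "identifier": "10.0.0.9", "enabled": True},
    {"id": 104, "name": "web01",      "type_name": "Linux OS",              "identifier": "10.0.0.7", "enabled": True},
    {"id": 105, "name": "web01-old",  "type_name": "Unix",                  "identifier": "10.0.0.7", "enabled": False},
]


def find_split_identifiers(log_sources):
    """Return {identifier: sorted type names} for every identifier that has more
    than one enabled log source with differing Log Source Types."""
    by_ident = defaultdict(list)
    for ls in log_sources:
        if ls["enabled"]:  # disabled log sources no longer take part in parsing
            by_ident[ls["identifier"]].append(ls["type_name"])
    return {
        ident: sorted(set(types))
        for ident, types in by_ident.items()
        if len(set(types)) > 1
    }


def recommended_parsing_order(log_sources, identifier, intended_type):
    """Return the enabled log source ids for `identifier` ordered so the intended
    type parses first; the remaining ids are the candidates to disable if they
    keep intercepting events. Raises if no enabled source of the intended type exists."""
    group = [ls for ls in log_sources if ls["identifier"] == identifier and ls["enabled"]]
    intended = [ls["id"] for ls in group if ls["type_name"] == intended_type]
    others = [ls["id"] for ls in group if ls["type_name"] != intended_type]
    if not intended:
        raise ValueError(f"no enabled log source of type {intended_type!r} for {identifier}")
    return intended + others


if __name__ == "__main__":
    for ident, types in find_split_identifiers(SAMPLE_LOG_SOURCES).items():
        print(f"{ident}: events split across {types}")
        print("  parsing order:", recommended_parsing_order(SAMPLE_LOG_SOURCES, ident, types[-1]))
```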
30 July 2018