IBM Support

QRadar: Packet IP address is used as the Log Source Identifier instead of the hostname value for events that are RFC 5424 compliant

Troubleshooting


Problem

QRadar is using the network IP address of the event instead of using the hostname in the syslog header even when the events are RFC 5424 compliant.

Symptom

QRadar successfully creates log sources using the hostname in the syslog header for RFC 3164 compliant events, but for RFC 5424 compliant events it creates new log sources by using the packet IP address instead of the hostname.
This situation can prevent events from reaching the correct log source. When the same server sends events with different hostnames, QRadar sends all the events to the same log source instead of creating one log source for each hostname.

Cause

The processing of RFC 5424 compliant events in QRadar might be disabled.

Diagnosing The Problem

In order for an event to be RFC 5424 compliant:
  • The priority tag is required.
  • The priority tag must have from 1 to 3 digits and must be enclosed in angle brackets. For example, <13>.
  • The timestamp must be in this format:
    yyyy-MM-ddTHH:mm:ss.SSSZ
  • The letter 'T' between the date and time must be a literal T character.
  • The 'Z' can be a literal Z or it can be a time zone value in the following format: -04:00
  • Full syslog header format with RFC 5424:
    <priority tag>1 <timestamp> <IP address or hostname>
  • Examples of RFC 5424 header:
    <13>1 2019-01-18T11:07:53.520Z 10.10.10.1
    <133>1 2019-01-18T11:07:53.520+07:00 myhostname
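To make the criteria above concrete, here is an added Python example (not IBM or QRadar code) that checks a syslog header against those rules, reads the RFC5424SYSLOG setting from nva.conf text, and shows which value ends up as the log source identifier; the sample headers and configuration text are constructed for the example.

```python
import re
from datetime import datetime

# Constructed sample headers: the first two mirror the RFC 5424 examples above,
# the third is an RFC 3164-style header (not handled by the RFC 5424 path).
SAMPLE_HEADERS = [
    "<13>1 2019-01-18T11:07:53.520Z 10.10.10.1",
    "<133>1 2019-01-18T11:07:53.520+07:00 myhostname",
    "<13>Jan 18 11:07:53 myhostname sshd[1234]: Accepted publickey",
]

# Constructed nva.conf excerpt showing the setting in its disabled state.
SAMPLE_NVA_CONF = "SOME_OTHER_KEY=1\nRFC5424SYSLOG=false\n"

# Priority: 1 to 3 digits in angle brackets; version "1"; timestamp
# yyyy-MM-ddTHH:mm:ss.SSS followed by a literal Z or a +HH:MM / -HH:MM offset;
# then the hostname or IP address.
RFC5424_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>1 "
    r"(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3}(?:Z|[+-]\d{2}:\d{2})) "
    r"(?P<host>\S+)"
)


def parse_rfc5424_header(line):
    """Return (priority, timestamp, hostname) when the header meets the
    criteria above, otherwise None."""
    m = RFC5424_HEADER.match(line)
    if m is None:
        return None
    ts = m.group("ts")
    try:  # reject timestamps that match the shape but are not real dates
        datetime.fromisoformat(ts.replace("Z", "+00:00"))
    except ValueError:
        return None
    return int(m.group("pri")), ts, m.group("host")


def rfc5424_enabled_from_conf(conf_text):
    """Return True/False for the RFC5424SYSLOG value, or None if it is absent."""
    for raw in conf_text.splitlines():
        key, sep, value = raw.strip().partition("=")
        if sep and key.strip() == "RFC5424SYSLOG":
            return value.strip().lower() == "true"
    return None


def log_source_identifier(line, packet_ip, rfc5424_enabled):
    """Identifier for an RFC 5424 compliant event: the header hostname when
    RFC 5424 parsing is enabled, the packet IP otherwise. Returns None for
    non-compliant headers, which follow the RFC 3164 path instead."""
    parsed = parse_rfc5424_header(line)
    if parsed is None:
        return None
    return parsed[2] if rfc5424_enabled else packet_ip
```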
If you confirm that your event format is RFC 5424 compliant and QRadar still uses the packet IP address instead of the hostname as the log source identifier, check whether RFC 5424 parsing is disabled in your environment.
SSH to the QRadar console as the root user and run the following command. If the output is false, parsing of RFC 5424 compliant events is disabled:
cat /store/configservices/staging/globalconfig/nva.conf | grep -i RFC
Output example of a configuration where the parsing of RFC 5424 compliant events is disabled:
cat /store/configservices/staging/globalconfig/nva.conf | grep -i RFC
RFC5424SYSLOG=false

Resolving The Problem

Follow these steps to enable RFC 5424 event processing:
  1. SSH to the QRadar console as the root user.
  2. Run this command to create the backup directory if it doesn't exist:
    mkdir -p /store/IBM_Support
  3. Run the following commands to create backups of the files:
    cp /opt/qradar/conf/nva.conf /store/IBM_Support/nva.conf
    cp /store/configservices/staging/globalconfig/nva.conf /store/IBM_Support/Staging_nva.conf
  4. Edit the file /opt/qradar/conf/nva.conf and change the value of RFC5424SYSLOG from false to true.
    Example of the RFC5424SYSLOG value changed to true:
    cat /opt/qradar/conf/nva.conf | grep -i RFC
    RFC5424SYSLOG=true
    Repeat the process with the nva.conf file in /store/configservices/staging/globalconfig/nva.conf.
  5. Deploy the changes.
  6. Optional: To verify what QRadar extracts as the log source identifier, open the event in the Log Activity tab and look at the Log Source Identifier field, which shows the value QRadar extracted.

    Result:
    For RFC 5424 compliant events, QRadar extracts the log source identifier from the hostname field in the syslog header and not from the network IP address.

Document Location

Worldwide


Document Information

Modified date:
23 February 2024

UID

ibm17120763