Undocumented protocols

When you configure a log source, the set of available protocol type options is limited by the selected log source type. Not all log source types support all protocol types.

The DSM Configuration Guide describes how to configure log sources of a particular type, with each of the protocol types that IBM® fully supports for that log source type. Any protocol type that has configuration documentation for a particular log source type is considered a "documented" protocol for that log source type. By default, only these documented protocols are displayed in the Protocol Configuration list in the Log Sources window.

As an open platform, QRadar® collects and processes event data through other integration methods (protocol types). Some protocol types can be configured for a particular log source type but are marked as undocumented. However, the DSM Configuration Guide doesn't contain instructions on how to set up event collection for undocumented protocols. IBM does not provide support with the configuration of log sources that use undocumented protocols because they are not internally tested and documented. Users are responsible for determining how to get the event data into QRadar.

For example, the JDBC protocol is the documented configuration for getting events from a system that stores its event data in a database. However, it is possible to collect the same event data through a third-party product and then forward it to QRadar through Syslog. Configure the log source to use the undocumented protocol type "Syslog". QRadar accepts the events and routes them to the appropriate log source.

Because this configuration is not the documented collection method, you must configure the third-party product yourself to retrieve the event data from the database and send it to QRadar through Syslog.

Important: Collecting and processing event data through undocumented protocols might result in data that is formatted differently from what a documented DSM log source type expects. As a result, parsing might not work for the DSM if it's receiving events from an undocumented protocol. For example, the JDBC protocol creates event payloads that consist of a series of space-separated key and value pairs. In the target database table, the key is a column name and the value is that column's content for the table row that the event represents. The DSM for a supported log source type that uses the JDBC protocol expects this event format. If the event data forwarded from a third-party product through the syslog protocol is in a different format, the DSM is unable to parse it. It might be necessary to use the DSM Editor to adjust the parsing of a DSM so that it can handle these events.
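As an added example (not code from the DSM Configuration Guide or from QRadar), the following Python script plays the role of the third-party forwarder described above: it reads rows from a constructed SQLite table, renders each row as the space-separated column/value pairs that a JDBC-based DSM expects, and wraps each payload in a syslog line. The exact `column="value"` delimiter and quoting, and the hostname and tag, are assumptions; check the output against what the DSM actually parses before relying on it.

```python
import datetime
import sqlite3

# Constructed sample rows standing in for the third-party product's source database.
SAMPLE_ROWS = [
    ("2024-01-01 10:00:00", "alice", "LOGIN", "10.0.0.5", "success"),
    ("2024-01-01 10:05:12", "bob", "FILE_READ", "10.0.0.7", 'denied "quota"'),
]


def load_sample_db():
    """Build an in-memory table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE audit_events (event_time TEXT, username TEXT, "
        "action TEXT, src_ip TEXT, outcome TEXT)"
    )
    conn.executemany("INSERT INTO audit_events VALUES (?,?,?,?,?)", SAMPLE_ROWS)
    return conn


def row_to_jdbc_style_payload(columns, row):
    """Render one table row as space-separated column="value" pairs.

    The column name is the key and the cell is the value, as the page describes.
    Using '=' and double quotes (with backslash escaping) is an assumption about
    the precise JDBC-protocol layout; adjust it to what the DSM parses."""
    pairs = []
    for name, value in zip(columns, row):
        text = "" if value is None else str(value)
        text = text.replace("\\", "\\\\").replace('"', '\\"')
        pairs.append(f'{name}="{text}"')
    return " ".join(pairs)


def wrap_syslog(payload, hostname="dbforwarder", tag="jdbcfwd", when=None):
    """Wrap a payload in a BSD-style (RFC 3164) syslog line; <14> is user.info."""
    when = when or datetime.datetime(2024, 1, 1, 10, 0, 0)
    return f"<14>{when.strftime('%b %d %H:%M:%S')} {hostname} {tag}: {payload}"


def export_events(conn):
    """Return one syslog line per database row, oldest first."""
    cur = conn.execute("SELECT * FROM audit_events ORDER BY event_time")
    columns = [d[0] for d in cur.description]
    return [wrap_syslog(row_to_jdbc_style_payload(columns, r)) for r in cur.fetchall()]


if __name__ == "__main__":
    for line in export_events(load_sample_db()):
        print(line)
```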