Question & Answer
Question
How do you verify the DSM version and export events for QRadar DSM parsing issues?
Answer
Instructions for verifying the DSM version:
- Using SSH, log in to the QRadar Console as the root user.
- To find the installed version, type:
rpm -qa | grep -i nameofDSM
- This version information can be compared to what is posted on IBM Fix Central, but should also be included in your support request.
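The comparison against the Fix Central listing can be scripted. This is an added example, not IBM tooling: the function names are hypothetical, and it assumes the posted package string is copied from Fix Central by hand.

```shell
#!/bin/sh
# Added example (not IBM tooling); function names are hypothetical.

# dsm_compare NAME POSTED
#   Reads installed package names on stdin, one per line, as printed by
#   `rpm -qa`. Keeps the lines that contain NAME (literal, case-insensitive)
#   and labels each one against POSTED, the package string copied from the
#   Fix Central listing (with or without a trailing .rpm).
#   Returns non-zero when no installed package matches NAME.
dsm_compare() {
    name=$1
    posted=${2%.rpm}
    awk -v name="$name" -v posted="$posted" '
        BEGIN { lname = tolower(name) }
        index(tolower($0), lname) {
            found++
            status = ($0 == posted) ? "MATCHES_POSTED" : "DIFFERS_FROM_POSTED"
            printf "%s\t%s\n", $0, status
        }
        END {
            if (!found) { print "NOT_INSTALLED\t" name; exit 1 }
        }'
}

# dsm_installed NAME
#   Same filter against the live RPM database, with the install time of each
#   package, which helps answer what changed before the issue started.
dsm_installed() {
    rpm -qa --queryformat \
        '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}\t%{INSTALLTIME:date}\n' |
        grep -i -- "$1"
}

# On the Console, as root (nameofDSM and the posted string are placeholders):
#   rpm -qa | dsm_compare nameofDSM "<package string from Fix Central>"
#   dsm_installed nameofDSM
```

Paste the output into the support request alongside the version information.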
Instructions for exporting DSM events:
- Click the Log Activity tab.
- Click Add Filter.
- Select Log Source > Equals > Name of the log source with the parsing issue.
Note: If your log source is not assigned to a group yet, select Other, which displays all ungrouped log sources.
- Click Add Filter.
You are returned to the Log Activity tab, which displays events that are filtered by the log source you selected.
- Click the View drop-down and select a time interval. For example, 6 hours.
- Review the filtered events to ensure that they contain your issue or concern.
- From the navigation menu, select Actions > Export to XML > Full Export (All Columns).
Note: XML is the required format for event reviews.
- Attach the XML event export and provide an explanation of the events that appear to be parsing incorrectly in the description of your service request. Also include:
- What Log Source is having the issue?
- When did this issue start?
- What changes to QRadar and the environment were made before the issue started?
Document Information
Modified date: 15 August 2023
UID: swg21990784