IBM Support

QRadar: Map Event button is grayed out in Log Activity

Troubleshooting


Problem

The Map Event button in Log Activity is grayed out, and you are unable to map events.

Symptom

The Map Event button is visible, but grayed out.
[Screen capture: Map Event button grayed out in Log Activity]

Cause

Possible causes include:
  • The event in question is being routed to storage because it was not parsed properly, as shown in the screen capture. The event was not parsed by the Linux® OS DSM; it merely arrived from the same host or IP address. This is common for Linux OS because of the variety of Unix services that can write into the Linux OS syslog stream. When the DSM cannot parse the event, the Event ID and Event Category attributes are not extracted for the event. Those two fields are what QRadar uses to perform the QID map lookup. If there are no event keys, the event cannot be mapped.
  • If the log source in question is an internal type (SIM Audit, SIM Notification, and so on), you cannot remap internal events; this is not supported.
  • Log source types other than Linux can also cause the Map Event button to be grayed out when their events are routed to storage and not parsed.

Environment

QRadar® 7.3.3 and 7.4.x

Resolving The Problem

To map these events, do the following:

  1. Open the unknown events in the DSM Editor.
  2. Write a regex to capture the Event Category and Event ID.
  3. Based on the Event Category and Event ID, you can create an event name.
  4. Capture any other fields you require.
  5. After capturing the fields, click Event Mappings to create an event name and QID.
  6. Click the plus "+" button.
  7. Click Choose QID.
  8. Select a High-Level Category and Low-Level Category as required.
  9. Type a QID number or part of an event name.
  10. Click Search.
  11. Select the event name you want and click OK.
  12. Enter the Event ID and Event Category for the event you want to map. Make sure these match the values captured by your regex in step 2.
  13. Save the changes, and verify the result in Log Activity.
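The following Python script is an added illustration, not IBM code and not how QRadar is implemented internally. It models why the button is grayed out and what steps 2 and 12 fix: an event only becomes mappable once a regex yields both an Event ID and an Event Category, because the QID lookup is keyed on that pair. The syslog lines, the regexes, the QID values and the mapping table are all constructed for this example.

```python
import re

# Constructed sample syslog lines (not from any real system). Lines 1, 2 and 4
# are shapes the hypothetical regexes below are written for; line 3 is an
# arbitrary Unix service message in the same syslog stream that they do not cover.
SAMPLE_EVENTS = [
    "<86>Jan 10 10:15:01 host1 sshd[2031]: Failed password for invalid user admin from 10.0.0.5 port 50122 ssh2",
    "<86>Jan 10 10:15:07 host1 sshd[2031]: Accepted publickey for alice from 10.0.0.9 port 50130 ssh2",
    "<30>Jan 10 10:16:00 host1 cron[411]: (root) CMD (/usr/bin/logrotate /etc/logrotate.conf)",
    "<86>Jan 10 10:17:00 host1 sshd[2040]: Connection closed by 10.0.0.5 port 50122",
]

# Hypothetical regexes standing in for the DSM Editor properties from step 2.
# Event Category: the syslog program name (for example "sshd").
EVENT_CATEGORY_RE = re.compile(r"^<\d+>\S+ +\d+ \S+ \S+ (?P<category>[A-Za-z_]+)\[\d+\]: ")
# Event ID: the outcome phrase at the start of the message body.
EVENT_ID_RE = re.compile(r"\]: (?P<event_id>Failed password|Accepted publickey|Connection closed)\b")

# Hypothetical mapping table standing in for the Event Mappings created in
# steps 5-12: (Event ID, Event Category) -> (QID, event name, low-level category).
# The QID values are placeholders, not real QRadar QIDs.
EVENT_MAPPINGS = {
    ("Failed password", "sshd"): ("QID-PLACEHOLDER-1", "SSH Login Failed", "General Authentication Failed"),
    ("Accepted publickey", "sshd"): ("QID-PLACEHOLDER-2", "SSH Login Succeeded", "User Login Success"),
}


def extract_event_keys(line):
    """Return (event_id, category) or None when either key is not parsed."""
    cat = EVENT_CATEGORY_RE.search(line)
    eid = EVENT_ID_RE.search(line)
    if not cat or not eid:
        return None
    return eid.group("event_id"), cat.group("category")


def map_event(line):
    """Model of the QID lookup.

    'stored'  : no event keys, so no lookup is possible (the grayed-out case).
    'unknown' : keys were parsed but have no mapping yet (mappable via step 12).
    'mapped'  : keys resolved to a QID.
    """
    keys = extract_event_keys(line)
    if keys is None:
        return {"status": "stored", "reason": "no Event ID/Event Category parsed", "qid": None}
    mapping = EVENT_MAPPINGS.get(keys)
    if mapping is None:
        return {"status": "unknown", "reason": f"keys {keys} have no QID mapping", "qid": None, "keys": keys}
    qid, name, low_level = mapping
    return {"status": "mapped", "qid": qid, "event_name": name,
            "low_level_category": low_level, "keys": keys}


if __name__ == "__main__":
    for line in SAMPLE_EVENTS:
        print(map_event(line))
```

The cron line ends up as "stored" because neither regex produces a key for it, which is the situation described under Cause; the "Connection closed" line shows keys present but not yet mapped, the state in which entering the same Event ID and Event Category in step 12 attaches a QID.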

Result

You can map events by this alternative method even when the Map Event button is grayed out.

Document Location

Worldwide


Document Information

Modified date:
25 September 2020

UID

ibm16253265