IBM Support

QRadar: Routing Rule to forward events not working when adding multiple filters

Troubleshooting


Problem

When you configure a routing rule to forward events and add multiple values of the same type of filter, QRadar® does not send events to the forwarding destination. Examples of these filters are Source or Destination IP, Destination IP, Log Source Group, and Log Source.

Symptom

  • Events are not sent to the third-party forwarding destination.
  • If you configure only one filter value, the routing rule works for that one value.

Cause

The cause is related to the logic QRadar uses when you enter a filter and its operator, such as Equals or Does not Equal. If you choose the wrong operator, you can create a condition that no event is able to match.

Diagnosing The Problem

Administrators can test whether the rule is forwarding by using tcpdump. Capturing on the destination IP address and port of the forwarding destination shows whether QRadar is sending any event payloads. For example, use the command:
  tcpdump -nnAs0 -i any dst host <dst_IP_add> and port <port_used>
Where <dst_IP_add> is the destination IP address and <port_used> is the port used to forward payload information. If the capture shows no forwarded payloads, you might be using the operator "Equals":

[Image 5648: routing rule filter configured with the "Equals" operator]

Resolving The Problem

If you use the operator "Equals" to add multiple values, you are telling QRadar that the events you are trying to match have two Source IP addresses or belong to two Groups at the same time, which is not possible. The matching condition is an AND condition, so QRadar ignores those events. The correct configuration is to use the operator "Equals any of".

[Image 5668: routing rule filter configured with the "Equals any of" operator]
The "Equals any of" operator instructs QRadar to use OR logic, so an event matches when its value is any one of the listed IP addresses.
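The following added example (not IBM's code) models the matching logic described above so the difference is visible on sample data: "Equals" with several values is an AND over every value, which a single-valued field such as Source IP can never satisfy, while "Equals any of" is an OR. The field names, operator strings, and events are constructed for illustration.

```python
"""Model of how a QRadar routing-rule filter matches events (constructed example)."""

# Constructed sample events; each event has exactly one source IP and one log source.
SAMPLE_EVENTS = [
    {"src_ip": "10.0.0.5", "log_source": "Firewall-A"},
    {"src_ip": "10.0.0.9", "log_source": "Firewall-B"},
    {"src_ip": "192.168.1.1", "log_source": "Proxy"},
]


def event_matches(event: dict, field: str, operator: str, values: list) -> bool:
    """Return True when the event's field satisfies the filter condition."""
    actual = event.get(field)
    if operator == "Equals":
        # AND logic: the field must equal every listed value at once.
        # With two different values this is never true for a single-valued field.
        return all(actual == v for v in values)
    if operator == "Equals any of":
        # OR logic: the field may equal any one of the listed values.
        return any(actual == v for v in values)
    if operator == "Does not Equal":
        # Exclude the event if its field equals any listed value.
        return all(actual != v for v in values)
    raise ValueError(f"unsupported operator: {operator}")


def forwarded_events(events: list, field: str, operator: str, values: list) -> list:
    """Apply the routing-rule filter and return the events that would be forwarded."""
    return [e for e in events if event_matches(e, field, operator, values)]


def compare_operators(events: list, field: str, values: list) -> dict:
    """Count how many events each operator would forward for the same value list."""
    return {
        op: len(forwarded_events(events, field, op, values))
        for op in ("Equals", "Equals any of")
    }


if __name__ == "__main__":
    wanted = ["10.0.0.5", "10.0.0.9"]
    print(compare_operators(SAMPLE_EVENTS, "src_ip", wanted))
```

Running the block prints {'Equals': 0, 'Equals any of': 2}, which is the symptom in this article: nothing is forwarded with "Equals" even though two of the three events carry a listed IP.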

Document Location

Worldwide


Document Information

Modified date:
12 November 2020

UID

ibm16320385