IBM Support

QRadar: Undocumented protocol cases and support policies

Question & Answer


Question

This article informs administrators about QRadar® Support policies. QRadar Support helps administrators investigate and correct software defects related to undocumented protocols or log source configurations where users deviate from the DSM Configuration Guide. This document outlines out-of-scope work for undocumented protocol cases and the responsibilities of the QRadar administrator.

Answer

Responsibilities for undocumented protocols

The QRadar® DSM Configuration Guide outlines the supported protocols for collecting event data from hundreds of security products. The IBM QRadar Support team does not take cases related to undocumented protocols because these configurations are not internally tested or documented. If you use an undocumented protocol to collect and process events, your data might display or be formatted differently from what a documented DSM Log Source type expects. Parsing might not work for the DSM if it receives events from an undocumented protocol.

Support type: Undocumented protocol assistance and error support

Description: Administrators can use QRadar technical support to confirm that the protocol is functional for the documented products as outlined in the DSM Configuration Guide.

Example:
  • Support can take cases to confirm or explain protocol errors in QRadar logs.
  • Support can confirm network issues and verify that the protocol, when used in a supported manner, can connect to an event source.
  • Verify that the protocol is working as designed.
  • Assist with explaining IBM's Request for Enhancement. Support can explain how users can open a feature request to add protocol support to a DSM when users feel a protocol lacks common functionality.
  • Confirm the supported protocol information in the documentation is correct. For more information, see the Protocol column in the QRadar Supported DSMs table.

Responsibility: QRadar technical support. To open a case or report an undocumented Log Source error, contact QRadar technical support.

Support type: Out-of-scope for QRadar Support

Description: Administrators are responsible for their undocumented protocol configurations. QRadar Support reserves the right to close cases where DSM Configurations use undocumented protocols.

The following activities are considered out-of-scope for technical support:
  1. IBM does not offer support with the configuration of Log Sources that use undocumented protocols as these configurations are not internally tested or documented. This includes DSM Editor customization or overrides for data retrieved using an unsupported protocol. 
  2. IBM does not write test functionality in the Log Source Management app for undocumented protocols. Test functionality might behave unexpectedly or fail when the protocol type differs from the documentation.
  3. Beyond confirmation of correct protocol behavior, IBM Security cannot support undocumented methods of event or flow collection. For more information, see QRadar Supported DSMs.


Document Information

Modified date:
08 June 2021

UID

ibm16427761