IBM Support

QRadar: Unable to Determine Associated Log Source System Notification (Updated)

Troubleshooting


Problem

How do I determine which event is causing the system notification message "Unable to determine associated log source" (QID 38750007)?

Symptom

Tip: SIEM administrators can run a search for the system notification QID 38750007, for example as a weekly audit, to determine which new event sources might need a manually created log source or a DSM Editor update.
System notifications are all outlined as part of the QRadar system notifications guide.
Procedure
To search for the event that triggered this warning:
  1. Log in to the QRadar Console.
  2. From the navigation bar, click the bell icon for notifications.
  3. Hover over the "Unable to determine associated log source for IP address" system notification to display the details of the event.
  4. The highlighted IP address is the address of the event source. An administrator uses this address to investigate why the events from that source could not be matched to a log source.

Cause

Traffic Analysis is the tool QRadar® uses to auto-discover log sources based on the event data being sent to QRadar. Traffic Analysis is designed to auto-discover a wide range of log source types, as defined in the DSM Configuration Guide. However, there are some instances where Traffic Analysis fails to auto-discover a log source from the event data:
  • Log sources that do not auto-discover by design. These log sources must be added manually. For more information, see the appendix of the DSM Configuration Guide.
  • Events coming from a known log source are being truncated. When a payload is truncated, the spillover payload is created as a new event. Traffic Analysis treats the "spillover" as a new event type because its format does not match any known log source type.
    By default, QRadar supports TCP syslog payloads of up to 4096 bytes and UDP syslog payloads of up to 1024 bytes. Administrators can change the Max TCP Syslog Payload Length in the advanced section of the QRadar system settings to ensure that payloads are not truncated.
  • Deploys or service restarts. If the DSMs have not finished reloading by the time Traffic Analysis starts, Traffic Analysis might be unable to determine the log source type.
To summarize the meaning of the message:
A payload with a Log Source Identifier of [ip.ip.ip.ip] went into Traffic Analysis. Traffic Analysis was not able to determine which log source type the events belonged to, so it stopped auto-discovering that identifier until the next time the ecs-ec service is restarted, which usually happens during a deploy.
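As an added illustration of the truncation case described above (not IBM's code and not QRadar's actual implementation), the following Python models how an event that exceeds the default payload length is split, and why the spillover piece no longer carries the syslog header that ties it to a source system. The header pattern, the fixed-size split and the sample messages are assumptions constructed for this example.

```python
import re

# Default maximum syslog payload lengths named in the article
MAX_TCP_SYSLOG_PAYLOAD = 4096
MAX_UDP_SYSLOG_PAYLOAD = 1024

# An RFC 3164-style syslog header: "<PRI>Mmm dd hh:mm:ss hostname ".
# Assumption: this header is what lets an event be tied to its source system.
SYSLOG_HEADER = re.compile(rb"^<\d{1,3}>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d \S+ ")


def split_payload(payload: bytes, limit: int) -> list:
    """Model truncation as cutting the payload into fixed-size pieces.
    The first piece is the truncated event; any further pieces are the
    "spillover" that arrives as separate events (a simplified model, not
    QRadar's actual behaviour)."""
    return [payload[i:i + limit] for i in range(0, len(payload), limit)]


def has_syslog_header(chunk: bytes) -> bool:
    """True when the chunk still starts with a recognisable syslog header."""
    return SYSLOG_HEADER.match(chunk) is not None


def audit_payload(payload: bytes, limit: int) -> dict:
    """Report whether a payload would be truncated at the given limit and how
    many spillover pieces carry no header for Traffic Analysis to use."""
    pieces = split_payload(payload, limit)
    return {
        "length": len(payload),
        "truncated": len(pieces) > 1,
        "pieces": len(pieces),
        "headerless_spillover": sum(1 for p in pieces[1:] if not has_syslog_header(p)),
    }


# Constructed sample messages (not real device output).
HEADER = b"<134>Jun 21 14:12:55 fw01 "
SHORT_EVENT = HEADER + b"action=allow src=10.0.0.5 dst=10.0.0.9 proto=tcp dport=443"
LONG_EVENT = HEADER + b"msg=" + b"A" * 1500  # e.g. a large multi-line or JSON event

if __name__ == "__main__":
    for name, event in (("short", SHORT_EVENT), ("long", LONG_EVENT)):
        for proto, limit in (("udp", MAX_UDP_SYSLOG_PAYLOAD), ("tcp", MAX_TCP_SYSLOG_PAYLOAD)):
            print(name, proto, audit_payload(event, limit))
```

Running the same check against sizes collected from your own senders shows which sources would be affected by raising the payload length rather than being added manually.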

Diagnosing The Problem

To diagnose the issue, you can try two searches:
  1. In Log Activity, add a filter for Log Source Identifier = [ip.ip.ip.ip].
  2. In Log Activity, add a filter for Source IP = the same [ip.ip.ip.ip].
These two searches can help you find the events that prompted the system notification.


Document Information

Modified date:
24 June 2022

UID

ibm16586500