Troubleshooting
Problem
After successfully configuring third-party systems to send events into QRadar, the events come in as "Unknown". The events come in under the SIM Generic log source and not the correct log source. The events are unmapped and unparsed.
Cause
The traffic analysis engine is unable to match the incoming events to a log source based on the log source identifiers available.
Diagnosing The Problem
There are two signs that this problem is affecting a QRadar deployment:
- There are events under SIM Generic that are labeled as "Unknown log activity."
- There are system notifications for "Unable to determine associated log source".
Resolving The Problem
To resolve the problem, the correct log source identifier needs to be established and added to the log source.
- Find the unknown events under SIM Generic.
- Open the payload and scroll to the "Additional Information" section; note the Log Source Identifier field, which contains a string (hostname) or an IP address.
- Using the Log Source Identifier found under "Additional Information", replace the log source identifier on the affected log source through the Log Source Management app.
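The matching step that fails here can be illustrated offline. The following is an added example, not code from IBM or from QRadar, and it does not call the QRadar API or reproduce the traffic analysis engine: it assumes that the identifier a device sends is the hostname or IP field of its syslog header and that it must match the configured log source identifier exactly. The sample events and the log source table are constructed. Events whose identifier matches nothing are the ones that would land under SIM Generic as "Unknown", and the identifiers reported for them are exactly the values the procedure above tells you to enter in Log Source Management.

```python
import re
from collections import Counter

# Constructed RFC 3164-style syslog lines (not real captures).
SAMPLE_EVENTS = [
    "<34>Apr  4 10:12:01 fw-edge-01 kernel: DROP IN=eth0 SRC=203.0.113.5",
    "<34>Apr  4 10:12:02 192.0.2.10 sshd[1234]: Failed password for root",
    "<34>Apr  4 10:12:03 vpn-gw.example.net openvpn: TLS handshake failed",
]

# Constructed log source configuration: log source name -> configured identifier.
# Two entries are deliberately wrong in the ways seen in practice:
# the firewall is configured by IP but sends its hostname, and the VPN
# gateway is configured by short name but sends its FQDN.
CONFIGURED_LOG_SOURCES = {
    "Edge Firewall": "192.0.2.1",
    "Bastion Host": "192.0.2.10",
    "VPN Gateway": "vpn-gw",
}

SYSLOG_HEADER = re.compile(
    r"^<\d{1,3}>"                           # priority
    r"\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} "   # timestamp
    r"(?P<host>\S+) "                       # hostname or IP sent by the device
    r"(?P<msg>.*)$"
)


def extract_identifier(line: str):
    """Return the hostname/IP field of a syslog line, or None if the header does not parse."""
    m = SYSLOG_HEADER.match(line)
    return m.group("host") if m else None


def match_log_source(identifier: str, log_sources: dict):
    """Return the log source whose configured identifier equals the sent one.

    Exact string comparison is an assumption of this example; note that a
    short hostname does not match an FQDN and an IP does not match a name.
    """
    for name, configured in log_sources.items():
        if configured == identifier:
            return name
    return None


def triage(events, log_sources):
    """Classify events against the log source table.

    Returns (matched, unknown): matched maps log source name -> event count;
    unknown maps the identifier the device actually sent -> event count.
    Events in 'unknown' are the ones that would be stored under SIM Generic.
    """
    matched, unknown = Counter(), Counter()
    for line in events:
        ident = extract_identifier(line)
        if ident is None:
            unknown["<unparseable header>"] += 1
            continue
        name = match_log_source(ident, log_sources)
        if name:
            matched[name] += 1
        else:
            unknown[ident] += 1
    return dict(matched), dict(unknown)


if __name__ == "__main__":
    matched, unknown = triage(SAMPLE_EVENTS, CONFIGURED_LOG_SOURCES)
    for name, n in matched.items():
        print(f"{n} event(s) mapped to log source '{name}'")
    for ident, n in unknown.items():
        print(f"{n} event(s) would be Unknown under SIM Generic; "
              f"set the log source identifier to '{ident}'")
```

Running the script reports the bastion host as mapped and lists "fw-edge-01" and "vpn-gw.example.net" as the identifiers to configure, which is the same information the "Additional Information" section of an Unknown event's payload gives you in the console.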
Results
The events no longer come in as Unknown, and instead come in under their correct log source.
Document Location
Worldwide
Document Information
Modified date:
04 April 2023
UID
ibm16593551