IBM Support

QRadar: Unknown log events which have IPv4 or IPv6 in the syslog header that would be associated with the SIM Generic logsource are being dropped



Abstract

QRadar® SIEM development has identified a known issue where unknown log events which have IPv4 or IPv6 in the syslog header that would be associated with the SIM Generic logsource are being dropped. This technote allows administrators to identify and remediate the issue.

Content

Technical note updates



Urgency

Critical: On January 30, 2025, an issue was identified where unknown log events with an IPv4 or IPv6 address in the syslog header are not being associated with the SIM Generic logsource. These events are being dropped. The affected DSM is DSM-SIMGenericLog-7.5-20241220124142.noarch.rpm. An unknown event is an event which cannot be mapped or categorized to a specific log source.
 
Notice: An updated SIM Generic DSM is available to resolve the dropped events issue for all users. Administrators can download the latest version of SIM Generic to the Console appliance from IBM Fix Central: SIMGenericLog-7.5-20250130145444.noarch.rpm.
 

Resolution

A new AutoUpdate bundle has been made available on IBM Fix Central with the updated RPM: QRADAR-QRAUTO-1738767700


Affected products

QRadar SIEM software installations at 7.5.0, any Update Package.
 

Am I affected?

Administrators can use this procedure to confirm which version of SIM Generic is currently installed on their Console.

Procedure 
  1. Use SSH to log in to the QRadar Console as the root user.
  2. Type the following command:
    rpm -qa | grep DSM-SIMGenericLog
    Example output
    DSM-SIMGenericLog-7.5-20241220124142.noarch
  3. Review the output to determine if you have the affected package installed on QRadar.

    Results
    If the output is DSM-SIMGenericLog-7.5-20241220124142.noarch follow the Workaround section below to update the SIM Generic RPM to the latest released version that resolves this reported issue.
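As an added example (not code from this technote), the following POSIX shell script wraps the rpm -qa check above in a function that classifies the installed build against the affected and fixed versions named in this note, which is convenient when checking several Consoles; the function and status names are assumptions.

```shell
#!/bin/sh
# Added example, not part of the IBM technote: classify the installed
# DSM-SIMGenericLog package against the affected and fixed builds it names.
AFFECTED_BUILD=20241220124142   # build that drops unknown IPv4/IPv6 events
FIXED_BUILD=20250130145444      # first build carrying the fix

# Extract the 14-digit build timestamp from an rpm -qa line such as
# DSM-SIMGenericLog-7.5-20241220124142.noarch; prints nothing on no match.
simgeneric_build() {
  printf '%s\n' "$1" | sed -n 's/^DSM-SIMGenericLog-7\.5-\([0-9]\{14\}\)\.noarch$/\1/p'
}

# Print one of NOT_INSTALLED, AFFECTED, FIXED or OTHER for a single
# rpm -qa line (pass an empty string when rpm returned nothing).
simgeneric_status() {
  build=$(simgeneric_build "$1")
  if [ -z "$1" ]; then
    echo NOT_INSTALLED
  elif [ -z "$build" ]; then
    echo OTHER                     # unexpected package name format
  elif [ "$build" = "$AFFECTED_BUILD" ]; then
    echo AFFECTED
  elif [ "$build" -ge "$FIXED_BUILD" ]; then
    echo FIXED                     # the fixed build or a later one
  else
    echo OTHER                     # older than the build this note names
  fi
}

# On a QRadar Console, run the technote's query and classify the result.
check_installed() {
  simgeneric_status "$(rpm -qa 2>/dev/null | grep '^DSM-SIMGenericLog' | head -n 1)"
}

# Only query rpm where it exists; the functions above run anywhere.
if command -v rpm >/dev/null 2>&1; then
  echo "SIM Generic DSM status: $(check_installed)"
fi
```

A status of AFFECTED means the Workaround section applies; FIXED means the updated RPM is already installed.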
     

Workaround


Procedure 
  1. Download the latest SIM Generic RPM from IBM Fix Central: SIMGenericLog-7.5-20250130145444.noarch.rpm
    The abstract for this RPM update states that version 20250130145444 resolves an issue where unparsed events sent to the SIM Generic DSM could be dropped.
  2. Copy the RPM to the /store/tmp directory on the QRadar Console.
  3. Use SSH to log in to the QRadar Console as the root user.
  4. Navigate to the /store/tmp directory.
  5. Type the following command:
    yum -y install DSM-SIMGenericLog-7.5-20250130145444.noarch.rpm
  6. Wait for the RPM installation to complete on the Console.
  7. Log in to the QRadar UI and perform a Deploy Configuration from the Admin tab.
Results
After the deploy completes, users can confirm the SIM Generic RPM is installed with the rpm -qa command as described in this technical note. If you continue to experience issues or have questions, contact QRadar Support.
 

We apologize for any inconvenience due to this issue.

- QRadar Support


Document Information

More support for:
IBM Security QRadar SIEM

Component:
Upgrade

Software version:
7.5.0

Operating system(s):
Linux

Document number:
7182076

Modified date:
11 February 2025

UID

ibm17182076
