Question & Answer
Question
Why is there a number in front of events forwarded from QRadar EDR (formerly ReaQta)? Events are prefixed with a number, like so:
4266 {"id":"885873017052213250","localId":"885872997599021058","endpointId":"885857527403642880","triggerCondition":6,"endpoint":{"id":"885857527403642880","machineId":"eba24ff6f42f32e7b693b2aad82476c3612d934b08d0999ff0520a91d2871a45","osType":1,"cpuVendor":1,"arch":2,"cpuDescr":"Intel(R) Xeon(R) CPU X5650 @ 2.67GHz","kernel":"10.0","os":"Windows 10 Pro","name":"\","state":1,"registrationTime":"2022-07-14T13:21:32.973Z","agentVersion":"3.6.1","componentsVersions":[{"name":"keeper","version":"3.6.0","build":"19.1627291555548.commit"},{"name":"probos","version":"3.5.0","build":"3.5.0"},{"name":"rqtsentry","version":"3.6.1","build":"119.1632119719010.commit"},{"name":"rqtnetsentry","version":"3.6.0","build":"44.1627295520120.commit"},..... <Event continues on>
Cause
Events forwarded over the TCP protocol from ReaQta carry a decimal length prefix that states the size of the message that follows. This framing, known as length-prefixed strings (octet counting), is commonly used for TCP messages in standards such as RFC 5425, so that the receiving server knows the exact length of the message before reading it from the stream.
Answer
This number exists by default in ReaQta for messages sent over TCP protocol, and is not included with UDP. If the number is not wanted for whatever reason, consider configuring the forwarder to use UDP instead of TCP.
Product Synonym
ReaQta
Document Information
Modified date:
16 May 2023
UID
ibm16837865