IBM Support

QRadar: Limitations of Log Source Extensions (LSX)

Question & Answer


Question

What are some of the current limitations of log source extensions in QRadar?

Answer

The following limitations apply to QRadar version 7.1.x and 7.2.x log source extensions:

  1. A log source extension cannot change or substitute the event name of an event. The matched field can be mapped to another attribute, but the event name itself is one field that cannot be changed.
  2. Log source extensions cannot properly process multiline events. QRadar is designed to interpret single line events.

    However, there are protocols that can read multiline events, such as the TCP Multiline Syslog protocol or the UDP Multiline Syslog protocol for streaming events. If you are using the Log File Protocol, there are event generators that can be used to process multiline events from a flat file, such as ID-Linked Multiline or Regex Based Multiline.

    If none of these options work for you, then your multiline logs may require some pre-processing to convert the files into a single-line format, which the log source extension can then parse. For example, a tool such as xml2csv can be used to combine the multiple lines into a single, easy-to-parse line.
  3. You cannot force a log source extension (LSX) to set or alter the Start Time or Storage Time. The only time value that the LSX can modify is the log source time (DeviceTime in the LSX).
  4. You cannot use variables, such as $1 or $2, in a log source extension.
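
As an added example, not part of this IBM document, the following Python pre-processor applies the workaround in item 2: it joins indented continuation lines onto the preceding event so that each event becomes one line an LSX can parse. The sample log and the timestamp-based event-start pattern are constructed assumptions; adjust the pattern to match your own log format.

```python
import re
from typing import Iterable, List

# Constructed sample: an application log where each event starts with a
# syslog-style timestamp and continuation lines (a stack trace) are indented.
SAMPLE_LOG = """\
Apr 02 10:15:01 host1 app[123]: login failed user=alice src=10.0.0.5
Apr 02 10:15:02 host1 app[123]: exception processing request
    at com.example.Handler.run(Handler.java:42)
    at com.example.Main.main(Main.java:10)
Apr 02 10:15:03 host1 app[123]: login ok user=bob src=10.0.0.6
"""

# Assumed event-start marker: "Mon DD HH:MM:SS " at the beginning of a line.
# Any line that does not match is treated as a continuation of the current event.
EVENT_START = re.compile(r"^[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2} ")


def collapse_multiline(lines: Iterable[str], joiner: str = " | ") -> List[str]:
    """Return one single-line string per event.

    Continuation lines are stripped of surrounding whitespace and appended to
    the preceding event-start line with `joiner`. Blank lines are skipped.
    A continuation line that appears before any event start is kept as its own
    event rather than dropped, so no data is silently lost.
    """
    events: List[str] = []
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line.strip():
            continue
        if EVENT_START.match(line) or not events:
            events.append(line)
        else:
            events[-1] = events[-1] + joiner + line.strip()
    return events


def collapse_text(text: str, joiner: str = " | ") -> List[str]:
    """Convenience wrapper for a whole log file held in memory."""
    return collapse_multiline(text.splitlines(), joiner)


if __name__ == "__main__":
    for event in collapse_text(SAMPLE_LOG):
        print(event)
```

Feed the output to a Log File Protocol source (or syslog) as single-line events; the LSX regexes then only have to match within one line.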

Document Information

Modified date:
02 April 2020

UID

swg21672049