Question & Answer
Question
Why do I need to set the Parsing Order on Log Sources?
Cause
When two or more Log Sources are created with the same log source identifier, the first Log Source in the parsing order takes precedence. Events that the first Log Source cannot parse are passed to the next Log Source in the parsing order, and so on down the list. Events that reach the end of the list without being parsed by any Log Source are stored under the first Log Source in the parsing order, which acts as the catch-all for unknown events.
If one of the Log Sources is a custom DSM (uDSM) and that log source is first, then all of the events go to the uDSM and the other Log Sources in the parsing order receive no events at all.
Answer
A best practice is to put the Log Source whose type correctly matches the events in the first position of the parsing order.
In the example, a Linux Server log source is in the first position in the parsing order. This order is correct because Linux Server is the correct type for the events arriving under this log source identifier.
Result: an efficient method of parsing different Log Source Types for one log source identifier.
For more information, see the Knowledge Center article Introduction to log source management.
Note: Sending events through larger DSMs (such as Linux OS or Microsoft Windows Security Event Log) that do not match that DSM can have a significant impact on parsing performance. In such cases, it is recommended to put the more expensive DSM at the bottom of the parsing order.
Read QRadar: How to find non-Linux OS events getting into Linux log sources for more background on identifying and tuning around this configuration.
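The routing rule described above (first match wins, unparsed events fall back to the first log source, a permissive uDSM in first position starves the rest) is modelled here as an added example; it is not QRadar code, and the log source names, parse costs and sample events are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Callable

@dataclass(frozen=True)
class LogSource:
    name: str
    parses: Callable[[str], bool]  # does this DSM recognise the event?
    cost: int = 1                  # relative parsing cost, constructed value

# Three log sources sharing one identifier (names and costs are constructed)
LINUX = LogSource("Linux Server",
                  lambda e: re.search(r"\b(sshd|systemd|kernel)\b", e) is not None, cost=5)
UDSM_STRICT = LogSource("uDSM (strict regex)", lambda e: "myapp:" in e, cost=1)
UDSM_LOOSE = LogSource("uDSM (matches anything)", lambda e: True, cost=1)

# Constructed sample events, all arriving under the same log source identifier
EVENTS = [
    "Mar  1 10:00:00 host sshd[123]: Accepted publickey for alice",
    "Mar  1 10:00:01 host systemd[1]: Started session 7 of user alice.",
    "Mar  1 10:00:02 host myapp: order=42 status=ok",
    "Mar  1 10:00:03 host vendorx: <unknown format>",
]

def route_events(parsing_order, events):
    """Model of the page's rule: each event is offered to the log sources in
    order; the first one that parses it keeps it. An event that no log source
    parses is stored under the first log source, the catch-all. Returns the
    assignment and the total parse cost spent (for the performance note)."""
    assigned = {ls.name: [] for ls in parsing_order}
    spent = 0
    for event in events:
        for ls in parsing_order:
            spent += ls.cost
            if ls.parses(event):
                assigned[ls.name].append(event)
                break
        else:  # fell through every log source: catch-all
            assigned[parsing_order[0].name].append(event)
    return assigned, spent

if __name__ == "__main__":
    for order in ([LINUX, UDSM_STRICT], [UDSM_LOOSE, LINUX]):
        assigned, spent = route_events(order, EVENTS)
        print([ls.name for ls in order], "cost", spent)
        for name, evs in assigned.items():
            print(f"  {name}: {len(evs)} event(s)")
```

Running the two orders side by side shows the Linux-first order keeping its two Linux events plus the unknown catch-all event, while the permissive uDSM in first position claims all four events and leaves Linux Server empty.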
Document Information
Modified date: 23 October 2024
UID: swg22002566