Question & Answer
Question
What information is to be shared with support when the parsing issue is observed?
Answer
For "Unknown" events
Events that are collected and parsed, but cannot be mapped or categorized to a specific log source, are classified as Unknown. Both the event name and the low-level category are shown as "Unknown".
Share the following information to review the issue:
- get_logs of console
- Entire log source configuration screenshots for the affected log source
- Full export XML of "Unknown" events
- End device version
You need to contact the device team to get the device versions. A new device version can send new kinds of events that QRadar is unable to parse, so it is essential to know the exact version of the device being integrated with IBM QRadar.
For "Stored" events
When an event cannot be parsed, QRadar stores it on disk and classifies it as Stored.
Share the following information to review the issue:
- get_logs of console and managed host
- Entire log source configuration screenshots for the affected log source
- Full export XML of "Stored" events
- End device version
You need to contact the device team to get the device versions.
- Screenshots of the "Stored For Performance" and "Truncated" fields of a stored event, as follows:
Go to "Log Activity tab -> search for Stored events -> double-click the event -> scroll down to 'Additional Information' -> Stored For Performance".
This data confirms whether the events are truncated and whether the log source identifier configured for the log source is accurate.
For "Unknown" and "Stored" events
Sometimes a log source displays both "Unknown" and "Stored" events: the DSM is unable to parse some of the events, and for a few others no QID is available.
Share the following information to review the issue:
- get_logs of console and managed host
- Entire log source configuration screenshots
- Separate "Full export XML" of "unknown" and "stored" events each
- End device version
You need to contact the device team to get the device versions.
For "SIM-Generic Unknown" events
When events are sent from an undetected or unrecognized device, the traffic analysis component needs a minimum of 25 events to identify a log source.
If the log source is not identified after 1,000 events, the system abandons the automatic discovery process and generates a system notification. The system then categorizes the log source as SIM Generic and labels the events as Unknown Event Log.
Share the following information to review the issue:
- get_logs of console
- Notification screenshot. "Unable to automatically detect the associated log source for IP address <IP address>"
- Full export XML of "SIM Generic Unknown" events
- End device name and version
- Screenshots of the "Log Source Identifier" and "Truncated" fields of a SIM Generic event, as follows:
Go to "Log Activity -> apply the filter "Log Source is SIM Generic Log DSM-7 :: xxxxx" -> search for the SIM Generic event -> open the event -> scroll down to 'Additional Information' -> Log Source Identifier".
This data confirms whether the events are truncated and whether the log source identifier configured for the log source is accurate.
If you come across a parsing problem with your DSM, you can troubleshoot it using this link.
Document Information
Modified date: 16 November 2023
UID: ibm17015757