How to fix parsing issues in QRadar without technical support

July 27, 2017 · 2 min read

QRadar versions fall into two groups: versions before 7.2.8 and 7.2.8 and later.
In QRadar 7.2.8+, all parsing changes are made from the web console.
To fix a parsing issue, follow these steps:

  • Create a search on the Log Activity page that returns the events with parsing problems.

  • Select the event (or several events, using CTRL or SHIFT) whose parsing needs to change. Go to Action – DSM Editor in the menu.

  • Find or select the property whose parsing you want to change. Under Property Configuration, select Override System behavior. In the Regex field, enter a regular expression that captures the required field. If the expression is correct, the matched text is highlighted in yellow in the log sample. The example below:

  • Click Save, then check the logs for parsing errors. If errors remain, repeat the procedure.

In earlier versions of QRadar the procedure is slightly different:

  • You need to create a *.LSX file.
    The file has a fixed structure in which each field property is mapped to a regex.
    The full file structure is below:

  • In the ‘pattern id’ fields, add the regex that describes the field in the logs in place of ‘DATA’.
  • After the file is created, add the parser to the QRadar console: go to the Admin tab – Log Source Extensions.

  • Add the parser, as shown in the screenshot below.

  • Go to Admin – Log Sources. Edit the log source that needs the parser and attach the extension to it.

  • Click Save, then check the logs for parsing errors. If errors remain, repeat the procedure.
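Both procedures end with "check the logs for parsing errors", which is quicker to do before anything is uploaded to QRadar. The script below is an added example, not from the original post: it loads a constructed LSX file in the documented QRadar format (`<pattern id>` holding the regex, `<matcher>` mapping a QRadar field to a pattern id and capture group), applies every matcher to constructed sample events, and reports which fields fail to parse. The field names, regexes and events are illustrative; Python's `re` is used as an approximation of the Java regex engine QRadar runs, so keep patterns to the common syntax both engines share.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample LSX (Log Source Extension). The element layout follows the
# documented QRadar format; the field names and regexes are illustrative only.
SAMPLE_LSX = r"""<device-extension xmlns="event_parsing/device_extension">
  <pattern id="EventName" xmlns="">action=(\w+)</pattern>
  <pattern id="SourceIp" xmlns="">src=(\d{1,3}(?:\.\d{1,3}){3})</pattern>
  <pattern id="UserName" xmlns="">user=([^\s]+)</pattern>
  <match-group order="1" description="Example firewall" xmlns="">
    <matcher field="EventName" order="1" pattern-id="EventName" capture-group="1"/>
    <matcher field="SourceIp" order="1" pattern-id="SourceIp" capture-group="1"/>
    <matcher field="UserName" order="1" pattern-id="UserName" capture-group="1"/>
  </match-group>
</device-extension>
"""

# Constructed raw events; the third has no user field, so UserName must be flagged.
SAMPLE_EVENTS = [
    "action=allow src=10.0.0.5 dst=10.0.0.9 user=alice",
    "action=deny src=192.168.1.20 dst=10.0.0.9 user=bob",
    "action=deny src=172.16.4.7 dst=10.0.0.9",
]

def load_matchers(lsx_text):
    """Return a list of (field, compiled_regex, capture_group) from an LSX document."""
    root = ET.fromstring(lsx_text)
    # <pattern> and <match-group> reset xmlns="", so they are found without a namespace.
    patterns = {p.get("id"): p.text for p in root.findall("pattern")}
    matchers = []
    for m in root.findall("match-group/matcher"):
        regex = re.compile(patterns[m.get("pattern-id")])
        matchers.append((m.get("field"), regex, int(m.get("capture-group", "1"))))
    return matchers

def parse_event(matchers, event):
    """Apply each matcher to one raw event; a field with no match is reported as None."""
    result = {}
    for field, regex, group in matchers:
        match = regex.search(event)
        result[field] = match.group(group) if match else None
    return result

def unparsed_fields(lsx_text, events):
    """Return {event_index: [fields that did not parse]} for every event with a gap."""
    matchers = load_matchers(lsx_text)
    gaps = {}
    for i, ev in enumerate(events):
        missing = [f for f, v in parse_event(matchers, ev).items() if v is None]
        if missing: gaps[i] = missing
    return gaps
```

An empty result from `unparsed_fields` means every matcher hit every sample event; a non-empty one tells you which regex to revisit before repeating the upload.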
