IBM Developer Answers
QRadar Log Source ends up in incorrect Domain

Question by TerjeOlsen (5) | Sep 07, 2018 at 08:55 AM
Tags: qradar, how, domain, offenses, logsource, notes

Hi, I have a new Log Source that ends up in the Default Domain (Firesight Management Center).

In my setup I have included specific Log Source Groups in the specific Domain, and added the Log Source to the corresponding Log Source Groups. I have even tried adding the Log Source implicitly in the Domain Management settings, with no luck.

I struggle to debug this, I don't understand why the domain separation does not work in this case. I have the same setup for other Log Sources, and they end up in the proper Domain.

I would appreciate any pointers.

Thanks, Terje

2 answers

Accepted answer

Answer by JonathanP_QRadar (1366) | Sep 07, 2018 at 10:26 AM

@TerjeOlsen

Two things to confirm/try:
1. Can you include your QRadar version?
2. Can you try adding the log source itself directly to the domain to see if it resolves the issue?

I was talking with someone about this recently, as we are tracking an issue where, when a Log Source Group is added to a domain, individual log sources in the group or a sub-group might not get picked up properly by the domain association. As we process event data, log source groups are evaluated and metadata containing the domain tag is added to the event when we parse the data behind the scenes, but some of the group associations are not picked up properly. This is why I think you are seeing this issue only on a specific log source type. I believe the workaround for this is to temporarily add your Firesight Mgmt Center log source to the domain while we work on this issue to confirm, or if we need to investigate further.

Also, if this were my system I would definitely also open a ticket to get your customer number added to this issue for verification purposes. I believe that you are hitting issue 180055: give that number to the support rep after you have verified that adding the log source directly resolves the issue. They can use this info to prove out the problem or just add your name to link you to the issue.

I think there is an APAR pending for this issue, but I am going to follow up and verify the APAR status. Since there is no APAR yet, I gave you the direct issue number, which should help the investigation move along. I do know that this is a pending 7.3.1 update, as this was reported by another user. However, without your version info it is hard to confirm, but what you described and what they reported sound very similar.

Feel free to reference this forum post in your case and the support rep can ping me if they have questions. If you are on 7.3.1, I believe this is known/reported. However, let me know if you have follow-up questions.

~ Jonathan

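One way to check the configuration side of what Jonathan describes, as an added example that is not part of the original thread and not IBM's code: resolve the domain a log source should land in from the Domain Management configuration (direct membership first, then group membership including parent groups), flag the log sources whose only path into a domain is a Log Source Group (the association the answer says may not be honoured), and print the AQL a practitioner can run in Log Activity to see which domain is actually stamped on the parsed events. It assumes the domain objects have the shape returned by GET /api/config/domain_management/domains (`id`, `name`, `log_source_ids`, `log_source_group_ids`) and that log source groups carry a `parent_id`; the log source, group and domain data below are constructed, not taken from a real deployment.

```python
"""Audit QRadar log source -> domain assignment from the domain config.

Added example, not from the original post or from IBM. Assumptions:
- domain objects look like GET /api/config/domain_management/domains output
  (fields id, name, log_source_ids, log_source_group_ids);
- log source groups form a tree via a parent_id field;
- all sample data below is constructed.
"""
import json

# Constructed sample of the domains endpoint response (assumed shape).
DOMAINS_JSON = json.dumps([
    {"id": 0, "name": "Default Domain", "log_source_ids": [], "log_source_group_ids": []},
    {"id": 1, "name": "Tenant-A", "log_source_ids": [101], "log_source_group_ids": [10]},
    {"id": 2, "name": "Tenant-B", "log_source_ids": [], "log_source_group_ids": [20]},
])

# Constructed: log source group id -> parent group id (None = top level).
GROUPS = {10: None, 20: None, 21: 20, 30: None}

# Constructed: log source id -> name and the groups it belongs to.
LOG_SOURCES = {
    101: {"name": "Firewall-A", "group_ids": [10]},      # also listed directly
    102: {"name": "FirepowerMC", "group_ids": [21]},     # only via sub-group 21 -> 20
    103: {"name": "Windows-DC", "group_ids": [30]},      # group 30 is in no domain
}


def ancestors(group_id, groups):
    """Return the group id followed by all of its parents, so membership in a
    sub-group counts towards the parent group's domain. Cycle-safe."""
    out, seen = [], set()
    while group_id is not None and group_id not in seen:
        seen.add(group_id)
        out.append(group_id)
        group_id = groups.get(group_id)
    return out


def expected_domain(log_source_id, group_ids, domains, groups):
    """Return (domain_name, via); via is 'direct', 'group' or None.
    Direct membership wins, which mirrors the workaround in the thread."""
    for d in domains:
        if log_source_id in d.get("log_source_ids", []):
            return d["name"], "direct"
    effective = {g for gid in group_ids for g in ancestors(gid, groups)}
    for d in domains:
        if effective & set(d.get("log_source_group_ids", [])):
            return d["name"], "group"
    return None, None


def audit(log_sources, domains_json, groups):
    """Per log source: expected domain and whether it relies on group-only
    membership. Unassigned log sources fall back to the Default Domain."""
    domains = json.loads(domains_json)
    report = {}
    for ls_id, ls in log_sources.items():
        name, via = expected_domain(ls_id, ls["group_ids"], domains, groups)
        report[ls_id] = {
            "name": ls["name"],
            "expected_domain": name or "Default Domain",
            "via": via,
            "group_only": via == "group",
        }
    return report


def aql_check(log_source_id):
    """AQL to see the domain actually tagged on parsed events for a log source
    over the last hour (DOMAINNAME() and logsourceid are standard AQL)."""
    return (
        "SELECT DOMAINNAME(domainid) AS domain, COUNT(*) AS events "
        f"FROM events WHERE logsourceid = {log_source_id} "
        "GROUP BY domainid LAST 1 HOURS"
    )


if __name__ == "__main__":
    for ls_id, row in audit(LOG_SOURCES, DOMAINS_JSON, GROUPS).items():
        flag = "  <-- group-only; add the log source directly as a workaround" if row["group_only"] else ""
        print(f"{ls_id} {row['name']}: {row['expected_domain']} via {row['via']}{flag}")
        print("   verify with:", aql_check(ls_id))
```

If the AQL shows events for a group-only log source landing in the Default Domain while the audit says a tenant domain was expected, that is the symptom from the thread; adding the log source to the domain directly should make the two agree.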

Answer by TerjeOlsen (5) | Sep 11, 2018 at 03:23 AM

Hi Jonathan

Thank you for your reply, my 7.3.1 system behaves exactly as you indicated. We added the Log Source directly into the Domain, and now the Log Source is part of the Domain.

I'll open a ticket with support.

KR Terje Olsen
