Hi, I have a new Log Source that ends up in the Default Domain (Firesight Management Center).
In my setup I have included specific Log Source Groups into the specific Domain, and added the Log Source into the corresponding Log Source Groups. I have even tested to add the Log Source implicitly in the Domain Management settings, with no luck.
I struggle to debug this; I don't understand why the domain separation does not work in this case. I have the same setup for other Log Sources, and they end up in the proper Domain.
I would appreciate any pointers.
Thanks, Terje
Answer by JonathanP_QRadar (1366) | Sep 07, 2018 at 10:26 AM
Two things to confirm/try:
1. Can you include your QRadar version?
2. Can you try adding the log source itself directly to the domain to see if it resolves the issue?
I was talking with someone about this recently, as we are tracking an issue where, when a Log Source Group is added to a domain, individual log sources in the group or a sub-group might not get picked up properly by the domain association. As we process event data, log source groups are evaluated and metadata containing the domain tag is added to the event when we parse the data behind the scenes, but some of the group associations are not picked up properly. This is why I think you are seeing this issue only on a specific log source type. I believe the workaround for this is to temporarily add your Firesight Mgmt Center log source to the domain while we work on this issue to confirm or if we need to investigate further.
Also, if this were my system I would definitely also open a ticket to get your customer number added to this issue for verification purposes. I believe that you are hitting issue 180055 <-- give that number to the support rep after you verified that adding the log source directly resolves the issue. They can use this info to prove out the problem or just add your name to link you to the issue.
I think there is an APAR pending for this issue, but I am going to follow-up and verify the APAR status. Since there is no APAR yet, I gave you the direct issue number that should help the investigation move along. I do know that this is a pending 7.3.1 update as this was reported by another user. However, without your version info it is hard to confirm, but what you described and what they reported sounds very similar.
Feel free to reference this forum post in your case and the support rep can ping me if they have questions. If you are on 7.3.1, I believe this is known/reported. However, let me know if you have follow-up questions.
~ Jonathan
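One way to audit a deployment for this, as an added example that is not code from the forum post or from IBM: it models the resolution order the answer describes (a direct log source assignment wins, then the domain's assigned groups including their sub-groups, otherwise Default) on a constructed configuration with hypothetical group, domain and log source names, and lists the log sources whose domain depends only on group membership, the ones to assign directly while the issue is open.

```python
# Constructed sample configuration (hypothetical names, not from any real system).
# Each group lists its direct child groups and its directly assigned log sources.
GROUPS = {
    "Network Security": {"children": ["Firepower"], "log_sources": []},
    "Firepower":        {"children": [],            "log_sources": ["fmc-01"]},
    "Windows":          {"children": [],            "log_sources": ["dc-01", "dc-02"]},
}

# Each domain lists directly assigned log sources and assigned log source groups.
DOMAINS = {
    "Default":   {"log_sources": [],        "groups": []},
    "CustomerA": {"log_sources": ["dc-01"], "groups": ["Network Security", "Windows"]},
}


def depth_in_group(group, log_source, depth=0):
    """Depth at which log_source sits under group (0 = directly), or None."""
    g = GROUPS[group]
    if log_source in g["log_sources"]:
        return depth
    for child in g["children"]:
        found = depth_in_group(child, log_source, depth + 1)
        if found is not None:
            return found
    return None


def resolve_domain(log_source):
    """Return (domain, how): how is 'direct', 'group', 'sub-group' or 'unassigned'."""
    # A direct log source assignment takes precedence (the workaround in the answer).
    for name, dom in DOMAINS.items():
        if log_source in dom["log_sources"]:
            return name, "direct"
    # Otherwise the domain is derived from the assigned groups and their sub-groups.
    for name, dom in DOMAINS.items():
        for group in dom["groups"]:
            depth = depth_in_group(group, log_source)
            if depth is not None:
                return name, "group" if depth == 0 else "sub-group"
    return "Default", "unassigned"


def group_only_log_sources():
    """Log sources whose domain membership relies solely on group evaluation."""
    known = {ls for g in GROUPS.values() for ls in g["log_sources"]}
    known |= {ls for d in DOMAINS.values() for ls in d["log_sources"]}
    return [(ls, *resolve_domain(ls)) for ls in sorted(known)
            if resolve_domain(ls)[1] in ("group", "sub-group")]


if __name__ == "__main__":
    for ls, domain, how in group_only_log_sources():
        print(f"{ls}: {domain} via {how} only; consider a direct assignment")
```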
Answer by TerjeOlsen (5) | Sep 11, 2018 at 03:23 AM
Hi Jonathan
Thank you for your reply, my 7.3.1 system behaves exactly as you indicated. We added the Log Source directly into the Domain, and now the Log Source is part of the Domain.
I'll open a ticket with support.
KR Terje Olsen