Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 

Undocumented Protocols

 

As an open platform, QRadar collects and processes event data through various integration methods (protocol types). You can configure some protocol types for a particular log source type that is marked as undocumented. Juniper doesn't support these undocumented protocols because they are not internally tested or documented in the Configuring DSM’s Guide. You are responsible for determining how to get the event data into QRadar.

Documented Protocols

The Configuring DSM’s Guide describes how to configure log sources of a particular type, with each of the protocol types that Juniper fully supports for that log source type. Any protocol type that has configuration documentation for a particular log source type is considered a documented protocol for that log source type. Documented protocols are internally tested.

Example Of Potential Issues with Undocumented Protocols

For example, the JDBC protocol is the documented configuration for obtaining events from a system that stores its event data in a database. You can also collect the same event data through a third-party product and then forward it to QRadar by using the syslog protocol type. Because the syslog protocol type is undocumented, you're responsible for configuring the third-party product to retrieve the event data from the database and to send it to QRadar.

Note

If you collect and process event data through undocumented protocols, your data might format differently from what a documented DSM log source type expects. Parsing might not work for the DSM if it receives events from an undocumented protocol. For example, a JDBC protocol creates event payloads that consist of a series of space-separated key and value pairs. In the target database table, the key is a column name and the value is the column for the table row that the event represents. The DSM for a supported log source type that uses the JDBC protocol expects this event format. If the event data forwarded from a third-party product through the syslog protocol is in a different format, the DSM is unable to parse it. Use the DSM Editor to adjust the DSM parsing so that it can handle these events.