Log and Log Source Notifications for JSA Appliances


An Error Occurred When the Log Files Were Collected

38750141 - Collecting the required support logs failed with errors. See System and License Manager.

Explanation

Errors were encountered while the log files were being collected. The log file collection failed.

User Response

To view information about why the collection failed, follow these steps:

  1. Click System and License Manager in the notification message.

  2. Expand System Support Activities Messages.

  3. View additional information about why the log file collection failed.

Expensive DSM Extensions Were Found

38750143 - Performance degradation was detected in the event pipeline. Expensive DSM extensions were found.

Explanation

A log source extension is an XML file that contains the regular expression patterns that are required to identify and categorize events from the event payload. Log source extensions might be referred to as device extensions in error logs and in some system notifications.

During normal processing, log source extensions run in the event pipeline. The extracted values are immediately available to the custom rules engine (CRE) and are stored on disk.

Improperly formed or inefficient regular expressions (regex), in particular patterns that backtrack heavily on payloads that they do not match, slow the pipeline and can cause events to be routed directly to storage rather than through the CRE.

User Response

Select one of the following options:

  • Disable any DSM extension that was recently installed.

  • Review the payload of the notification to determine which expensive DSM extension in the pipeline affects performance. If possible, improve the regex statements that are associated with the device extension.

    For example, the following payload reports that the pipeline is blocked by the Checkpoint DSM:

  • Ensure that the log source extension is applied only to the correct log sources.

    On the Admin tab, click System Configuration > Data Sources > Log Sources. Select each log source and click Edit to verify the log source details.

  • Order your log source parsers so that the log sources that send the most events are parsed first, and disable unused parsers.

  • Verify that your Console is installed with the latest DSM versions.

  • If traffic analysis creates log sources for device types that aren't in your environment, disable automatic discovery for those device types and remove the unwanted log sources. Use the following command on the Console:

    /opt/qradar/bin/tatoggle.pl

    If you have multiple Event Processors, copy the /opt/qradar/conf/TrafficAnalysisConfig.xml file to the /store/configservices/staging/globalconfig/ directory, and then on the Admin tab click Deploy Full Configuration so that every managed host obtains the updated configuration file.
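The following script is an added example, not JSA code or a JSA tool. It shows the check a practitioner would run before deploying a log source extension: parse the pattern elements out of the extension XML, compile each regex, and time it against a worst-case payload that it does not match. The extension fragment, pattern ids, regexes, payloads and the 5 ms budget are all constructed for illustration; the element names follow the device-extension layout, but nothing here is copied from a shipped DSM. The pattern named ActionExpensive is the kind that produces notification 38750143 (a nested quantifier that backtracks exponentially), and ActionFixed captures the same text with unambiguous token boundaries.

```python
"""Audit the regex patterns in a JSA/QRadar log source extension for cost.

Added example, not product code. LSX_XML and PAYLOADS are constructed.
"""
import re
import time
import xml.etree.ElementTree as ET

# Constructed log source extension (no XML declaration, so that
# xml.etree accepts the str directly). Pattern ids are invented.
LSX_XML = r"""<device-extension xmlns="event_parsing/device_extension">
  <pattern id="SourceIpFormat" xmlns=""><![CDATA[\bsrc=(\d{1,3}(?:\.\d{1,3}){3})\b]]></pattern>
  <pattern id="ActionExpensive" xmlns=""><![CDATA[^(\S+\s?)+=]]></pattern>
  <pattern id="ActionFixed" xmlns=""><![CDATA[^\S+(?:\s\S+)*=]]></pattern>
  <match-group order="1" description="Constructed example" xmlns="">
    <matcher field="SourceIp" order="1" pattern-id="SourceIpFormat" capture-group="1"/>
  </match-group>
</device-extension>
"""

# Constructed payloads. The second one is the worst case for the
# nested quantifier: a single 21-character token with no '=' anywhere,
# so (\S+\s?)+ tries every one of the 2^20 ways to split it.
PAYLOADS = [
    "src=10.0.0.5 dst=192.0.2.7 action=deny",
    "CONNECTIONID123456789",
]


def load_patterns(xml_text):
    """Return {pattern-id: compiled regex}. Namespaces are stripped from tags.

    re.compile raises re.error on a malformed pattern, which is the first
    thing to catch before an extension reaches the pipeline.
    """
    root = ET.fromstring(xml_text)
    patterns = {}
    for el in root.iter():
        if el.tag.split("}")[-1] == "pattern":
            patterns[el.get("id")] = re.compile(el.text or "")
    return patterns


def worst_case_ms(regex, payloads):
    """Slowest single search of this regex over the payloads, in milliseconds."""
    worst = 0.0
    for payload in payloads:
        start = time.perf_counter()
        regex.search(payload)
        worst = max(worst, (time.perf_counter() - start) * 1000.0)
    return worst


def audit_extension(xml_text, payloads, budget_ms=5.0):
    """Return {pattern-id: (worst_ms, over_budget)} for every pattern."""
    report = {}
    for pid, rx in load_patterns(xml_text).items():
        ms = worst_case_ms(rx, payloads)
        report[pid] = (ms, ms > budget_ms)
    return report


def expensive_patterns(xml_text, payloads, budget_ms=5.0):
    """Sorted ids of the patterns that exceed the budget on any payload."""
    report = audit_extension(xml_text, payloads, budget_ms)
    return sorted(pid for pid, (_, over) in report.items() if over)


if __name__ == "__main__":
    for pid, (ms, over) in audit_extension(LSX_XML, PAYLOADS).items():
        print(f"{pid:16s} {ms:10.3f} ms {'EXPENSIVE' if over else 'ok'}")
```

Run it against your own extension by replacing LSX_XML with the file contents and PAYLOADS with real payloads from the Log Activity tab, including a few that the extension is not expected to match; expensive patterns only show their cost on non-matching input. The fix demonstrated by ActionFixed is the general one: make every token boundary explicit (a required separator between repeated groups) so that the engine has exactly one way to consume the input.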

Log Files Were Successfully Collected

38750142 - The required support logs have been successfully collected. See System and License Manager.

Explanation

The log files were successfully collected.

User Response

To download the log file collection, follow these steps:

  1. Click System and License Manager in the notification message.

  2. Expand System Support Activities Messages.

  3. Click Click here to download file.

Log Source Created in a Disabled State

38750071 - A Log Source has been created in the disabled state due to license limits.

Explanation

Traffic analysis is a process that automatically discovers and creates log sources from incoming events. If you are at your log source license limit, the traffic analysis process creates the new log source in the disabled state. Disabled log sources do not collect events and do not count toward your log source limit.

User Response

Review the following options:

  • On the Admin tab, click the Log Sources icon and disable or delete low priority log sources. Disabled log sources do not count towards your log source license.

  • Remember that a deleted log source can be automatically rediscovered by traffic analysis as soon as its device sends events again. To keep a log source out of the license count permanently, disable it instead of deleting it.

  • Ensure that you do not exceed your license limit when you add log sources in bulk.

  • If you require an expanded license to include more log sources, contact your sales representative.

Unable to Determine Associated Log Source

38750007 - Unable to automatically detect the associated log source for IP address <IP address>.

Explanation

When events are sent from an undetected or unrecognized device, the traffic analysis component needs a minimum of 25 events to identify a log source.

If the log source is not identified after 1,000 events, the system abandons the automatic discovery process and generates the system notification. The system then categorizes the log source as SIM Generic and labels the events as Unknown Event Log.

User Response

Review the following options:

  • Review the IP address in the system notification to identify the log source.

  • Review the Log Activity tab to determine the appliance type from the IP address in the notification message and then manually create a log source.

    Ensure that the Log Source Identifier field matches the host name in the syslog header of the original payload. Deploy the changes, and then search on the manually created log source in the Log Activity tab to verify that its events are now attributed to it.

  • Review any log sources that forward events at a low rate. Log sources that have low event rates commonly cause this notification.

  • To properly parse events for your system, ensure that automatic update downloads the latest DSMs.

  • Review any log sources that provide events through a central log server. Log sources that are provided from central log servers or management consoles might require that you manually create their log sources.

  • Verify whether the log source is officially supported. If your appliance is supported, manually create a log source for the events and add a log source extension.

  • If your appliance is not officially supported, create a universal DSM to identify and categorize your events.
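The script below is an added example, not JSA code. It applies the rule from the manual-creation step above (the Log Source Identifier must match the host name in the syslog header) to the case of a central log server that forwards events for several devices, which is the situation the previous bullets say commonly needs manually created log sources. It extracts the header host name from RFC 3164 and RFC 5424 syslog lines, falls back to the sending IP address when the header carries no host name (an assumption about how such events are keyed, consistent with notification 38750007 naming an IP address), and reports which lines would not be matched by a given identifier. The relay address and log lines are constructed.

```python
"""Derive the Log Source Identifier that a syslog line would need to match.

Added example, not JSA code. RELAY_IP and SAMPLE_LINES are constructed.
"""
import re

# RFC 3164 header: <PRI>Mmm dd hh:mm:ss HOSTNAME ...
RFC3164 = re.compile(r"^<\d{1,3}>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d (?P<host>\S+) ")
# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME ...
RFC5424 = re.compile(r"^<\d{1,3}>\d{1,2} (?P<ts>\S+) (?P<host>\S+) ")

# Constructed: a central log server at RELAY_IP forwarding for two devices,
# plus one line whose sender omitted its host name (RFC 5424 NILVALUE "-")
# and one line with no syslog header at all.
RELAY_IP = "203.0.113.10"
SAMPLE_LINES = [
    "<34>Oct 11 22:14:15 fw01.example.net kernel: DROP IN=eth0 SRC=198.51.100.9",
    "<34>Oct 11 22:14:16 fw01.example.net kernel: DROP IN=eth0 SRC=198.51.100.9",
    "<165>1 2024-03-01T12:00:00Z vpn-gw-2 vpnd 4711 ID47 - session established",
    "<13>1 2024-03-01T12:00:01Z - app 1 - - hostname omitted by sender",
    "no syslog header at all",
]


def header_hostname(line):
    """Host name from the syslog header, or None if absent or NILVALUE."""
    for rx in (RFC5424, RFC3164):
        m = rx.match(line)
        if m and m.group("host") != "-":
            return m.group("host")
    return None


def log_source_identifier(line, sender_ip):
    """Identifier the log source must carry for this line: header host, else sender IP."""
    return header_hostname(line) or sender_ip


def group_by_identifier(lines, sender_ip):
    """Event count per identifier: how many distinct log sources one sender really is."""
    counts = {}
    for line in lines:
        ident = log_source_identifier(line, sender_ip)
        counts[ident] = counts.get(ident, 0) + 1
    return counts


def unmatched_lines(configured_identifier, lines, sender_ip):
    """Lines that a log source with the given identifier would NOT pick up."""
    return [
        line for line in lines
        if log_source_identifier(line, sender_ip) != configured_identifier
    ]


if __name__ == "__main__":
    for ident, n in group_by_identifier(SAMPLE_LINES, RELAY_IP).items():
        print(f"{ident:20s} {n} event(s)")
    for line in unmatched_lines("fw01", SAMPLE_LINES, RELAY_IP):
        print("not matched by identifier 'fw01':", line)
```

Feed it a sample of raw payloads taken from the Log Activity tab for the IP address in the notification: the identifier counts tell you how many log sources to create and what identifier each needs, and any line that falls back to the relay's own address is one that will keep arriving as Unknown Event Log until its sender puts a host name in the header or you key a log source on that address.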