Log and Log Source Notifications for JSA Appliances
An Error Occurred When the Log Files Were Collected
38750141 - Collecting the required support logs failed with errors. See System and License Manager.
Explanation
Errors were encountered while the log files were being collected. The log file collection failed.
User Response
To view information about why the collection failed, follow these steps:
Click System and License Manager in the notification message.
Expand System Support Activities Messages.
View additional information about why the log file collection failed.
Expensive DSM Extensions were Found
38750143 - Performance degradation was detected in the event pipeline. Expensive DSM extensions were found.
Explanation
A log source extension is an XML file that includes all of the regular expression patterns that are required to identify and categorize events from the event payload. Log source extensions might be referred to as device extensions in error logs and some system notifications.
During normal processing, log source extensions run in the event pipeline. The values are immediately available to the custom rules engine (CRE) and are stored on disk.
Improperly formed regular expressions (regex) slow the pipeline down and can cause events to bypass parsing and be routed directly to storage.
User Response
Select one of the following options:
Disable any DSM extension that was recently installed.
Review the payload of the notification to determine which expensive DSM extension in the pipeline affects performance. If possible, improve the regex statements that are associated with the device extension.
For example, the following payload reports that the pipeline is blocked by the Checkpoint DSM:
Oct 23 12:32:53 ::ffff:10.1.2.4 [ecs-ec] [Timer-57] com.q1labs.semsources.filters.normalize.DSMFilter: [WARN] [NOT:0080014100][10.1.2.4/- -][-/- -]Expensive Log Source or Log Source Extensions Based On Average Throughput in the last 60 seconds (most to least expensive) - Checkpoint=0.0eps, CatOS=86.0eps, Apache=2500.0eps, Endpointprotection=2905.0eps
Ensure that the log source extension is applied only to the correct log sources.
On the Admin tab, click System Configuration > Data Sources > Log Sources. Select each log source and click Edit to verify the log source details.
Order your log source parsers from the log sources with the most sent events to the least and disable unused parsers.
Verify that your Console is installed with the latest DSM versions.
If log sources are created for devices that aren’t in your environment, remove the log sources by using the following command:
/opt/qradar/bin/tatoggle.pl
If you have multiple event processors, copy the /opt/qradar/conf/TrafficAnalysisConfig.xml file to the /store/configservices/staging/globalconfig/ directory. On the Admin tab, click Deploy Full Configuration for all managed hosts to obtain the configuration file.
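The following added example (not JSA code) shows how a practitioner can act on this notification: it parses the quoted DSMFilter payload to find the DSM listed as most expensive, and it times candidate log source extension patterns against a constructed payload so that a badly formed regex (nested quantifiers that backtrack exponentially on events it does not match) can be spotted before it is deployed. The pattern names and sample payloads are constructed for the example.

```python
import re
import time
from typing import Dict, List, Tuple

# Constructed copy of the notification payload quoted above.
NOTIFICATION = (
    "Oct 23 12:32:53 ::ffff:10.1.2.4 [ecs-ec] [Timer-57] "
    "com.q1labs.semsources.filters.normalize.DSMFilter: [WARN] [NOT:0080014100]"
    "[10.1.2.4/- -][-/- -]Expensive Log Source or Log Source Extensions Based On "
    "Average Throughput in the last 60 seconds (most to least expensive) - "
    "Checkpoint=0.0eps, CatOS=86.0eps, Apache=2500.0eps, Endpointprotection=2905.0eps"
)

_MARKER = "(most to least expensive) - "
_ENTRY = re.compile(r"([A-Za-z0-9_-]+)=([0-9]+(?:\.[0-9]+)?)eps")


def parse_expensive_dsms(line: str) -> List[Tuple[str, float]]:
    """Return (DSM name, eps) pairs in the order JSA lists them: most expensive first."""
    idx = line.find(_MARKER)
    if idx < 0:
        return []
    tail = line[idx + len(_MARKER):]
    return [(m.group(1), float(m.group(2))) for m in _ENTRY.finditer(tail)]


def blocking_dsm(line: str) -> str:
    """The first entry is the DSM the notification blames for blocking the pipeline."""
    pairs = parse_expensive_dsms(line)
    return pairs[0][0] if pairs else ""


def time_patterns(patterns: Dict[str, str], payloads: List[str]) -> Dict[str, float]:
    """Average seconds per payload for each candidate extension regex (hypothetical patterns)."""
    cost = {}
    for name, pat in patterns.items():
        rx = re.compile(pat)
        start = time.perf_counter()
        for payload in payloads:
            rx.search(payload)
        cost[name] = (time.perf_counter() - start) / len(payloads)
    return cost


def slowest_pattern(patterns: Dict[str, str], payloads: List[str]) -> str:
    """Name of the pattern that costs the most per event on the sample payloads."""
    cost = time_patterns(patterns, payloads)
    return max(cost, key=cost.get)


# Constructed patterns: the first backtracks exponentially on a payload that does not match.
PATTERNS = {
    "nested_quantifier": r"^(\w+\s?)*$",    # badly formed: 2^n retries on a non-matching event
    "anchored_linear": r"^\w+(?:\s\w+)*$",  # matches space-separated words without overlapping choices
}
PAYLOADS = ["a" * 18 + "!"]  # constructed: 18 word characters followed by a non-matching character
```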
Log Files Were Successfully Collected
38750142 - The required support logs have been successfully collected. See System and License Manager.
Explanation
The log files were successfully collected.
User Response
To download the log file collection, follow these steps:
Click System and License Manager in the notification message.
Expand System Support Activities Messages.
Click Click here to download file.
Log Source Created in a Disabled State
38750071 - A Log Source has been created in the disabled state due to license limits.
Explanation
Traffic analysis is a process that automatically discovers and creates log sources from events. If you are at your current log source license limit, the traffic analysis process might create the log source in the disabled state. Disabled log sources do not collect events and do not count in your log source limit.
User Response
Review the following options:
On the Admin tab, click the Log Sources icon and disable or delete low priority log sources. Disabled log sources do not count towards your log source license.
Ensure that deleted log sources are not automatically rediscovered. Disabling a log source instead of deleting it prevents automatic discovery from re-creating it.
Ensure that you do not exceed your license limit when you add log sources in bulk.
If you require an expanded license to include more log sources, contact your sales representative.
Unable to Determine Associated Log Source
38750007 - Unable to automatically detect the associated log source for IP address <IP address>.
Explanation
When events are sent from an undetected or unrecognized device, the traffic analysis component needs a minimum of 25 events to identify a log source.
If the log source is not identified after 1,000 events, the system abandons the automatic discovery process and generates the system notification. The system then categorizes the log source as SIM Generic and labels the events as Unknown Event Log.
User Response
Review the following options:
Review the IP address in the system notification to identify the log source.
Review the Log Activity tab to determine the appliance type from the IP address in the notification message and then manually create a log source.
Ensure that the Log Source Identifier field matches the host name in the original payload syslog header. Verify that the events are appearing on the device by deploying the changes and searching on the manually created log source.
Review any log sources that forward events at a low rate. Log sources that have low event rates commonly cause this notification.
To properly parse events for your system, ensure that automatic update downloads the latest DSMs.
Review any log sources that provide events through a central log server. Log sources that are provided from central log servers or management consoles might require that you manually create their log sources.
Verify whether the log source is officially supported. If your appliance is supported, manually create a log source for the events and add a log source extension.
If your appliance is not officially supported, create a universal DSM to identify and categorize your events.
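The check that the Log Source Identifier matches the host name in the payload's syslog header, as an added example that is not JSA's own matching logic: it extracts the HOSTNAME field from the two common syslog header forms (RFC 3164 "Mmm dd hh:mm:ss HOSTNAME" and RFC 5424 "1 TIMESTAMP HOSTNAME") and compares it, case-insensitively, with the identifier you entered on the manually created log source. The sample payloads are constructed, not captured from a real device.

```python
import re
from typing import Optional

# RFC 3164 style header: "<PRI>Mmm dd hh:mm:ss HOSTNAME tag: message" (PRI is optional here)
_BSD = re.compile(
    r"^(?:<\d{1,3}>)?[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}\s(?P<host>\S+)\s"
)
# RFC 5424 style header: "<PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID ..."
_IETF = re.compile(r"^<\d{1,3}>1\s\S+\s(?P<host>\S+)\s")


def syslog_hostname(payload: str) -> Optional[str]:
    """Return the HOSTNAME field of the syslog header, or None when there is no usable header."""
    for rx in (_IETF, _BSD):
        m = rx.match(payload)
        if m and m.group("host") != "-":  # RFC 5424 uses "-" when the sender omits the host name
            return m.group("host")
    return None


def identifier_matches(log_source_identifier: str, payload: str) -> bool:
    """True when the Log Source Identifier equals the header host name (case-insensitive)."""
    host = syslog_hostname(payload)
    return host is not None and host.lower() == log_source_identifier.lower()


# Constructed sample payloads.
SAMPLES = [
    "<34>Oct 23 12:32:53 fw-edge-01 kernel: accepted tcp 10.1.2.4:4431 -> 10.1.2.9:443",
    "<165>1 2023-10-23T12:32:53Z fw-edge-01.example.net checkpoint - ID47 - drop",
    "<165>1 2023-10-23T12:32:53Z - checkpoint - ID47 - drop",
    "plain text event without any syslog header",
]
```

A mismatch on the second sample (the device sends its fully qualified name while the identifier holds the short name) is the kind of difference that leaves events uncorrelated with the manually created log source.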