DSM Editor (part one)

The DSM Editor is a multi-purpose editor that lets you define how QRadar parses any event it receives, including events that no built-in module understands.

QRadar supports more than 1000 log source types out of the box. This is possible because the SIEM ships with device support modules (DSMs): one module per product, each of which knows how to parse that product's logs. The most widely used software and devices have their own modules; for example, QRadar has DSMs for products from Amazon Web Services, Apache HTTP Server, Arbor Networks, BlueCat Networks, Carbon Black, Check Point, Cisco, Citrix, CyberArk, Exabeam, F5 Networks, FireEye, McAfee, Microsoft, Splunk and Symantec. IBM delivers DSM updates through the auto update process, which QRadar runs nightly by default. QRadar also accepts events from devices that produce them in the Common Event Format (CEF) or the Log Event Extended Format (LEEF). The link below opens the DSM Configuration Guide, which lists and describes all officially supported DSMs; note that the guide is updated monthly.

Link to the latest version of DSM Guide

Dealing with unparsed events

The DSM Guide lists the supported third-party device types together with the product versions that are supported. Every event in the logs produced by a listed product or device should be converted into readable, normalised form. If a DSM exists for a product that QRadar officially supports, but the version you run is not the one listed, try the existing DSM first to see whether it works: IBM tests the versions named in the guide, but on rare occasions a vendor software update adds or changes event formats and breaks the DSM. If you notice events that are not parsed properly, you can open a ticket with IBM Support to have the DSM fixed. Before you do, use the command below to check whether the latest DSM is installed on your system, and compare the installed version with the one available for download from the IBM repository, Fix Central. DSM packages on a QRadar host are RPMs whose names begin with DSM- followed by the vendor and product name, so grep for the product name.

# rpm -qa | grep -i "name_of_the_device_sending_logs"

You can also configure log sources for custom applications and systems that have no supported DSM. In the past, this meant using the Universal DSM (uDSM) together with DSM extensions: XML documents holding regular-expression patterns that tell the uDSM how to extract each property from the raw payload. Some example extensions are provided in the zip package linked as dsm_extension_examples. Nowadays, rather than using the uDSM with extensions, you can create a new log source type with the DSM Editor. The result is the same, but working in the DSM Editor is much quicker and more effective than hand-coding your own extensions.
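As an added example (this is not code from the article, nor QRadar's or IBM's own), the Python below shows what the parsing discussed in this section and the previous one boils down to: a CEF parser (pipe-delimited header, with \| and \= escapes), a LEEF 1.0/2.0 parser (tab-separated attributes, or the delimiter a LEEF 2.0 header declares), and a "custom log source type" expressed as a single regular expression with one named capture group per property, which is what a DSM Editor property or a uDSM extension pattern reduces to. The acmeapp format, the sample lines and the attribute-to-property mapping (src, dst, suser, usrName) are constructed for the example, and the hex form of the LEEF 2.0 delimiter (x09) is handled on the assumption that the format allows it. A line that no parser claims comes back as None, the condition that shows up as improperly parsed events in Log Activity.

```python
"""Illustrative parsers for the event formats this article mentions: CEF, LEEF and
a custom regex-defined log source type.  Added example, not QRadar or IBM code
(QRadar's DSMs and the DSM Editor do this internally); unparseable lines -> None."""
import re

# Header field names in order; CEF's "Device Event Class ID" is stored as event_id.
CEF_HEADER = ("version", "vendor", "product", "device_version", "event_id", "name", "severity")
LEEF_HEADER = ("version", "vendor", "product", "device_version", "event_id")
USER_KEY = {"CEF": "suser", "LEEF": "usrName", "acmeapp": "user"}  # attribute holding the user
_CEF_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")  # start of a key=value pair in a CEF extension
# A "custom log source type": one regex with a named group per property, which is what
# a DSM Editor property (or uDSM extension pattern) amounts to. acmeapp is invented here.
CUSTOM_APP = re.compile(
    r"^(?P<time>\S+) acmeapp\[\d+\]: (?P<event_id>[A-Z_]+) "
    r"user=(?P<user>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+)$"
)
# Constructed sample events (not captured from a real device).
SAMPLE_LINES = [
    "CEF:0|Acme|Gate\\|way|2.1|100|Blocked connection|5|"
    "src=10.1.2.3 spt=51234 dst=192.0.2.10 dpt=443 suser=alice msg=policy\\=deny matched",
    "LEEF:2.0|Acme|Gateway|2.1|LOGIN_FAILED|^|src=10.1.2.3^dst=192.0.2.10^usrName=bob",
    "LEEF:1.0|Acme|Gateway|2.1|LOGIN_OK|src=10.1.2.4\tdst=192.0.2.10\tusrName=carol",
    "2024-05-02T10:15:31Z acmeapp[4321]: AUTH_DENIED user=dave src=10.1.2.5 dst=192.0.2.11",
    "<13>May  2 10:15:32 host random text that no DSM knows how to parse",
]


def _split_pipes(text, count):
    """Split off `count` fields at unescaped '|' ('\\|' is a literal pipe); return (fields, rest)."""
    fields, cur, i = [], [], 0
    while i < len(text) and len(fields) < count:
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):  # escaped character: keep it literally
            cur.append(text[i + 1])
            i += 2
            continue
        if ch == "|":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    return fields, text[i:]


def parse_cef(line):
    """CEF:Version|Vendor|Product|DevVersion|EventClassID|Name|Severity|key=value ..."""
    fields, ext = _split_pipes(line[len("CEF:"):], len(CEF_HEADER))
    if len(fields) != len(CEF_HEADER):
        return None
    rec = dict(zip(CEF_HEADER, fields))
    # Extension values may contain spaces, so a value runs up to the next 'key=';
    # a literal '=' inside a value is escaped as '\\=' and so never starts a key.
    keys = list(_CEF_KEY.finditer(ext))
    ends = [m.start() for m in keys[1:]] + [len(ext)]
    unescape = lambda v: re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m[1], m[1]), v)
    rec["fields"] = {m[1]: unescape(ext[m.end():end].strip()) for m, end in zip(keys, ends)}
    return rec


def parse_leef(line):
    """LEEF:1.0|Vendor|Product|Version|EventID|k=v<TAB>k=v  or  LEEF:2.0|...|EventID|delim|k=v<delim>k=v"""
    fields, rest = _split_pipes(line[len("LEEF:"):], len(LEEF_HEADER))
    if len(fields) != len(LEEF_HEADER):
        return None
    rec = dict(zip(LEEF_HEADER, fields))
    delim = "\t"
    if rec["version"].startswith("2"):
        dfield, rest = _split_pipes(rest, 1)
        if len(dfield) != 1:
            return None
        # Assumption: delimiter given literally or as hex (x09 / 0x09); an empty field means tab.
        hexd = re.fullmatch(r"0?x([0-9A-Fa-f]{2})", dfield[0])
        delim = chr(int(hexd[1], 16)) if hexd else (dfield[0] or "\t")
    rec["fields"] = dict(kv.split("=", 1) for kv in rest.split(delim) if "=" in kv)
    return rec


def normalize(line):
    """Map a raw event onto a few QRadar-style normalised properties, or None if no parser
    claims it.  The attribute-to-property mapping is a plausible one, not QRadar's own table."""
    if line.startswith("CEF:"):
        fmt, rec = "CEF", parse_cef(line)
    elif line.startswith("LEEF:"):
        fmt, rec = "LEEF", parse_leef(line)
    else:
        m = CUSTOM_APP.match(line)
        fmt, rec = "acmeapp", (m and {"event_id": m["event_id"], "fields": m.groupdict()})
    if not rec:
        return None
    f = rec["fields"]
    return {"format": fmt, "event_id": rec["event_id"], "src_ip": f.get("src"),
            "dst_ip": f.get("dst"), "username": f.get(USER_KEY[fmt]), "fields": f}


def parse_batch(lines):
    """Separate parsed records from raw lines nothing claimed (the 'not parsed' events)."""
    parsed, unparsed = [], []
    for line in lines:
        rec = normalize(line)
        (parsed if rec else unparsed).append(rec or line)
    return parsed, unparsed
```

Running parse_batch(SAMPLE_LINES) yields four normalised records and one leftover raw line; that leftover is exactly what you would be hunting for in Log Activity before deciding whether to open a support ticket or define a new log source type in the DSM Editor. Note that the CEF header field "Gate\|way" comes back as "Gate|way" and the extension value "policy\=deny matched" as "policy=deny matched", the two escape rules a hand-written regex most often gets wrong.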

Accessing DSM Editor

There are three ways to open the DSM Editor. The first is from the Admin tab, in the Data Sources section.

The second is from the Log Activity tab, via the Actions menu. The third is to pause incoming events in Log Activity, select one or more of them, and right-click to open the DSM Editor from the context menu.

Once the DSM Editor is open, you can associate the incoming events with a log source type, and attach extra content (custom properties, searches, rules, and so on) to just that log source type.

This is the end of the first part. More detailed information on how to use the DSM Editor follows in the second part of this article.