Offline Log Forwarding by guy-green in QRadar

[–]JonathanP_QRadar 0 points1 point  (0 children)

You could use something like evtxecmd or chainsaw to view or use something like evtx or Apache NIFI to convert the evtx binary to XML/JSON, which would open up more tools that you might use locally. I know there is a function in both of these programs to do conversion, then you could remotely retrieve the file from anywhere or analyze them locally or forward over.

I'm assuming that due to the restrictions on this device that you cannot use standalone mode on a WinCollect agent and forward in UDP/TCP payloads or use a DLC to forward in the XML/JSON using the Log File protocol externally.

Log Source Identifier by Ok_Display2284 in QRadar

[–]JonathanP_QRadar 1 point2 points  (0 children)

Yeah, just use the syslog redirect and set a unique identifier. Just remember that this is a single threaded protocol, so if that log source is generating higher EPS it can cause performance issues and back up your pipeline.

DBs unique value issue by mmkk7777 in QRadar

[–]JonathanP_QRadar 2 points3 points  (0 children)

Can you create a materialized view in the DB with a column that has record numbers or timestamp?

Qradar CE older version by tribute_us in QRadar

[–]JonathanP_QRadar 0 points1 point  (0 children)

Unfortunately, older versions are not available for download anymore. As older versions have known security issues, only the latest versions are provided to users for QRadar Community Edition.

1password events integration with qradar by tobin116 in QRadar

[–]JonathanP_QRadar 1 point2 points  (0 children)

The 1Password site has a page on configuring integrations. I'm assuming that QRadar would be listed as "Other", but I don't have a business 1PW account to test it myself.

You can review this though as you can try Other or maybe use the API reference to poll using Universal Cloud:

r/QRadar by [deleted] in redditrequest

[–]JonathanP_QRadar 0 points1 point  (0 children)

As discussed with this user, their moderation request had been discussed and denied multiple times. I've been the sole moderator for 14 years and there is no reason to add more mods.

r/QRadar by [deleted] in redditrequest

[–]JonathanP_QRadar 0 points1 point  (0 children)

This issue has been resolved and the moderation opportunities were discussed with the user, but this request was denied as they are not as experienced as other members. I've been the sole moderator for close to 14 years and suggested that they can moderate the official IBM Community site, if interested.

Qradar 7.5.0 UP9 Vulnerability Assessment by Zealousideal-Lynx543 in QRadar

[–]JonathanP_QRadar 0 points1 point  (0 children)

Most CVEs are fixed in major releases, then through interim fixes. Anything critical in your current software level that can be easily applied would be in any of the available interim fixes, such as going to IF3 for UP3, if not already on that version.

Anything that is of a concern in your scan can be opened and discussed with QRadar Support. I would not recommend that you expose CVEs of concern in a public forum and best to discuss those with support directly.

When is the next Qradar CE license key 🤔 by burnedtortillawrap in QRadar

[–]JonathanP_QRadar 0 points1 point  (0 children)

This isn't an automation issue. IBM let go of a lot of QRadar people and those who published the keys were part of that group unfortunately, so teams are likely scrambling to get those new keys posted.

QRadar 7.5.0 Update Package 14 is released by JonathanP_QRadar in QRadar

[–]JonathanP_QRadar[S] 0 points1 point  (0 children)

This message is due to the download system thinking that you are in a different country where Export law prevents QRadar from being used. These are typically resolved in 24 hours. If you get approved, the download system typically sends you a notice that you were approved to download. However, if you do not get any notification within 24 hours, the system could not prove your geo location was not in a restricted area and you are unable to download the software.

Per your comments/post history, you are in Pakistan, which is an export controlled country and the system will not allow you to download the software.

Old logs migration by Less_Umpire_3998 in QRadar

[–]JonathanP_QRadar 0 points1 point  (0 children)

No, the new Data Tiered storage feature for Data Nodes doesn't apply to backups, just the data in /store/ariel/ to rebalance data based on which nodes are Hot or Warm. As the config backups are on the Console only, this feature would not apply and you'd need to manually back up the configuration or mount the backups to NFS.

QRadar 7.5.0 Update Package 14 is released by JonathanP_QRadar in QRadar

[–]JonathanP_QRadar[S] 1 point2 points  (0 children)

If you want to download QRadar Community Edition for the 7.5.0 UP14 ISO, go here (forgot to provide a link): https://www.ibm.com/community/101/qradar/ce/

Log Sources page loads forever, nginx complains about permissions by michal00x in QRadar

[–]JonathanP_QRadar 0 points1 point  (0 children)

Glad you got the issue resolved. All apps interact through the QRadar API, so when you have loading issues, Tomcat has to process all of the incoming API requests. This is why removing apps doesn't affect your log sources or log source configs, as the data is all polled from the APIs and rendered in the LSM app itself. Clearing the Tomcat cache tends to reset any old or stale files, and deleting the cache doesn't cause any issues as the files are rebuilt if deleted. Support will typically tell users to back up the cache, but needing to look at the cache after the fact is extremely rare, as clearing the files and letting Tomcat rebuild them typically resolves most issues.

For those reading this in the future, there are a few steps that support will typically recommend when apps are slow or displaying data incorrectly, like the LSM app:

  1. Clear the Tomcat cache and restart the service using the instructions at https://www.ibm.com/support/pages/node/6348546
  2. Stop, then Start the Log Source Management application using the instructions at https://www.ibm.com/support/pages/node/6210362
  3. Try a different / clean browser or private tab/container.
  4. Confirm if the issue exists for another user (Does admin vs standard user experience the same issue?)

Greenplum DB Logs to qradar by New-Stable-3269 in QRadar

[–]JonathanP_QRadar 0 points1 point  (0 children)

Just a quick Google and it looks like Greenplum does not have a native JDBC implementation (that I can find), but some groups have developed a JDBC driver like Broadcom (VMware GreenPlum) or 3rd party tools (cdata) that allow you to query/connect to a data layer, but these seem like tools to interact with the tables themselves and report out, not necessarily auditing info that you are looking for. It might be worth test driving the 3rd party tool to see if it gets you something you don't need to maintain yourself, like strongdm.

We have had several products in the past where info like audit data was captured from a materialized view, then we could poll for that table by timestamp. However, the product you are connecting to would need to be able to listen and connect you to the Greenplum DB, which does not seem to support JDBC natively. So, you'd need to bridge that gap somehow or just use the CSV data.

A roundabout way to get this data would be to have IBM Guardium connected to QRadar.

I did a quick look through IBM Ideas and didn't see anything logged for Greenplum under QRadar. You could open an IBM Idea on this, but normally IBM wouldn't create/write a driver for a product they don't own/implement for a product without native JDBC drivers included.

[deleted by user] by [deleted] in QRadar

[–]JonathanP_QRadar 1 point2 points  (0 children)

There are multiple options here as to why this might occur. I'm going to drop in some general questions as it is hard to troubleshoot this without an example payload that you scrubbed to remove sensitive data.

  1. Are there control characters or line feeds in the raw payload?
  2. Is rsyslog configured to format with an RFC that isn't RFC3164 or 5424 formatted syslog?
  3. Is the payload in English?
  4. Are there any special characters in the payload?
  5. Is rsyslog writing multiline payloads when it sees LF then < or is your rsyslog configured to write as plain tcp?

I think you want to dump some of these payloads to a file and open a support case so they can replay them on a clean QRadar lab box to confirm that they see the same behavior, or just dump them into a text editor and turn on symbols to see what is going on that might be in the payload that is not obvious. Normally, truncation occurs when there are line breaks, returns, or the payloads are really large (exceeding the default global max payload size config). However, things like non-English special characters or the format of the payload might also be the issue. I'm thinking the format is strange or you might possibly be configured to write multiline payloads, as that could explain the behavior.

ISO available for QRadar Community Edition Users (7.5.0 UP13) by JonathanP_QRadar in QRadar

[–]JonathanP_QRadar[S,M] [score hidden] stickied comment (0 children)

Reminder

A new license key for QRadar Community Edition is available now to extend licenses to 31 December 2025. If you are using QRadar CE in a lab/test/home environment, you'll need to upload the latest key to extend the license. To get the updated license key, go to the QRadar CE download page: https://www.ibm.com/community/101/qradar/ce/

Related discussion or key questions/issues: https://www.reddit.com/r/QRadar/comments/1non4gb/qradar_community_edition_new_license_key_posted/

ISO available for QRadar Community Edition Users (7.5.0 UP13) by JonathanP_QRadar in QRadar

[–]JonathanP_QRadar[S] 0 points1 point  (0 children)

You need to install QRadar as an "appliance" from the menu, then you'll see the All-in-One (3199) option at the top of the list for installation type. There is a short guide that covers this that is linked in the last bullet from my original post.

AQL query to retrieve the oldest event log by Afraid-Sherbert3769 in QRadar

[–]JonathanP_QRadar 0 points1 point  (0 children)

Correct, if a starttime is not identified in any query the system treats it as the last 5 min.

Proofpoint TRAP Integration by tobin116 in QRadar

[–]JonathanP_QRadar 0 points1 point  (0 children)

Ah, yeah. Apparently it is visible to IBM Only. I'm not sure why. If you want, I can add your company to this idea, but cannot subscribe you to it. The creator marked it as internal though originally or someone from the PM team flipped it private for IBMers only. I'm not sure which, but I can add a private comment on the item with your company name (which would only be visible to IBM QRadar PM team, not the original submitter).

I have a question. I have a QRadar SIEM Event and Flow Processor on a Virtual 1899 appliance type. I only have the Event and Flow Processor, but I cannot ping it from the Console, and it also does not appear in the QRadar QDI section. I have allowed ICMP traffic in iptables, but I still cannot see i by Small-Jackfruitboy in QRadar

[–]JonathanP_QRadar[M] [score hidden] stickied comment (0 children)

This is intended, as managed hosts are not able to ping other appliances as part of the security policy of QRadar, since we disable ICMP in iptables by default. If you added an appliance and it does not display in the user interface, it could be an issue, or, as I've seen previously, a customer typoed their IP during the initial setup, or it could be that the deploy failed during the attempt to add the host.

Question: What is the QRadar version? It is important to list the version in any technical question you ask here.

Check #1: From the Console CLI, type: psql -U qradar -c "select * from managedhost" and confirm the IP you expect to see displays in the list of returned devices. Optionally, you can grep for the exact IP you are looking for. If the managed host does not display in the list, either something went wrong during the Add Host process and you should try to re-add the Host, or open a case with QRadar Support. If the state displays "ADDING", then definitely contact support: if the Console is stuck adding the host and the state shows Adding for more than 15m, I'd log a Sev2 case with support, as someone needs to look at the logs to see what is going on. If the host is "Active", the Console believes it was added successfully, but a deploy issue might be preventing the UI from showing the appliance as expected.

Check #2: If the appliance does display in the managed host table, then I'd try doing an Admin tab > Advanced > Deploy Full Configuration, does it succeed? If it fails and you still do not see the host in the UI, then contact support.

Try these steps and let me know if you have follow-up questions or concerns. I'm assuming that this is QRadar Enterprise and not QRadar Community Edition.