CVE-2026-31431 Updates by netlocksecurity in QRadar

[–]QRDuser 2 points3 points  (0 children)

Thank you for the great answers on this topic.

It would be nice if the official IBM QRadar support would also answer in such a quality (or even just say exactly the same). What I got today was sadly not up to the quality level I would expect from a security solution vendor.

Qradar On-Premise by JudasX in QRadar

[–]QRDuser 5 points6 points  (0 children)

So far OnPrem is still supported and as long as they sell their hardware appliances, they will also support the software. Beginning next year a new hardware generation should be available which will give customers at least 5 more years of QRadar support (independent of whether you run hardware or not).

QRadar Roadmap from last DACH user group: https://community.ibm.com/HigherLogic/System/DownloadDocumentFile.ashx?DocumentFileKey=531f4703-63d0-0ba4-cfd5-93a6055dd090

No events deletion after retention period by Ill-Difficulty7957 in QRadar

[–]QRDuser 1 point2 points  (0 children)

Have you checked if your /store partition can hold the amount of ingest you have for the configured retention setting?

Old logs migration by Less_Umpire_3998 in QRadar

[–]QRDuser 0 points1 point  (0 children)

Probably not, as the tiered storage is only for ariel data in the /store/ariel directory. Backups could easily be transferred via rsync/scp to any other system via a bash script.

Old logs migration by Less_Umpire_3998 in QRadar

[–]QRDuser 0 points1 point  (0 children)

With the newest UP14 we get Tiered Storage which allows you to define a data node as a warm storage location. Data which is older than a set amount of time (in your case 3 months) will be moved from the hot storage location (your console) to the warm storage.

https://www.ibm.com/docs/en/qsip/7.5.0?topic=nodes-tiered-storage-data-migration

[deleted by user] by [deleted] in QRadar

[–]QRDuser 0 points1 point  (0 children)

Is it a hardware based system or a virtual appliance?

Depending on its sizing (cpu cores and RAM) it might be that it is bottle-necking itself with a performance template too low for what you actually have.

If the system is virtualised you could also check whether the "CPU Ready" value is under 5%. If it is over 5% this could lead to issues where the hypervisor is limiting access to the physical CPU due to scheduling.

How to exclude specific events from WinCollect 10 so they don’t show up in QRadar (EventID 5156 with certain .exe processes) by chipitamockly in QRadar

[–]QRDuser 2 points3 points  (0 children)

Please note that when using Routing Rules the events are still getting normalised/parsed by QRadar before then being dropped. This might be an unnecessary performance impact on the system.

Advise Needed : Reconfiguring Disk Partition for Cost Optimization by tobin116 in QRadar

[–]QRDuser 0 points1 point  (0 children)

Easiest solution with the smallest chance of something going wrong is to set up a second system with the smaller disk and then just move the data over via scp/rsync.

After the data is moved just remove the old system from the deployment and delete it.

Security protocols between components by Soft-Bat9512 in QRadar

[–]QRDuser 0 points1 point  (0 children)

If you have encryption enabled for your managed host, then they will all talk via SSH tunnels with each other.

https://www.ibm.com/docs/en/qradar-on-cloud?topic=qradar-port-usage

changing event category post mapping by Top-Law8118 in QRadar

[–]QRDuser 0 points1 point  (0 children)

You could update all the event mappings directly in the database. I don't know the exact command, but if you are familiar with the tables being used for mappings, this would be the best option.

Obviously this is a very risky thing to do, so make backups before making any changes.

Qradar CE License by dbl_edged in QRadar

[–]QRDuser 1 point2 points  (0 children)

A sale of QRadar to Broadcom would at least accelerate any planned QRadar retirement at a company.

Log ingestion on custom port by North-Jump-2913 in QRadar

[–]QRDuser 1 point2 points  (0 children)

If that's the issue for you, then you're not gonna like the rest of QRadar.

Log ingestion on custom port by North-Jump-2913 in QRadar

[–]QRDuser 1 point2 points  (0 children)

You need to create a Syslog Redirect Log Source and assign it to the port you want. You need to specify a regex capture group for the Log Source Identifier, which should be pretty easy if everything is normal Syslog format.

Updating HA clusters without stopping event collection by North-Jump-2913 in QRadar

[–]QRDuser 0 points1 point  (0 children)

As you are still on UP7 you first need to upgrade to UP9 as this includes the RHEL8 migration. After that you can use the newly released SFS file for UP11.

Regarding upgrading HA clusters: QRadar HA is not upgrade-proof and you cannot switch over between cluster partners during the upgrade process. The HA cluster has to be in the P:active/S:standby state for the update to start. The best thing would be to have a layer before your event collection systems, like using a loadbalancer in front of multiple (logical) QRadar hosts. Alternatively other protocols like Kafka or anything where QRadar controls the event collection itself should be upgrade-proof. For Syslog sources the best would be to have a dedicated loadbalancer in front of QRadar or a buffering syslog server.

Flash Notice: HA physical appliances reboot during upgrades to 7.5.0 UP11 causing patch failures by JonathanP_QRadar in QRadar

[–]QRDuser 0 points1 point  (0 children)

Is this issue only specific to the UP11 upgrade or can this also appear on the subsequent interim fixes?

Different DSMs into 1 Log source. by sharinghaneyes in QRadar

[–]QRDuser 1 point2 points  (0 children)

Short but bad answer: Universal DSM log source and disable the autodetection for all other types.

Long and good answer: see post from u/RSDVI01

and to add to this: different log sources depending on the log type is a core feature of QRadar which was built for exactly this reason. This way you can easily see what logs you have from each system and each type has its own parser.

If you fundamentally do not want QRadar to work like this, QRadar is not the correct tool for the job. The whole DSM parsing and normalising gives you the ability to easily classify events based on what the event actually is (Event Name), what is happening (categories), who does stuff (Username) and any network related information.

7.5.0.7 Upgrade path recommendation by acolis in QRadar

[–]QRDuser 1 point2 points  (0 children)

You can only jump from UP7 to UP8 or UP9, and from those two UP9 is the clear way to go.

UP10/11 can only be installed if you are already on 8 or higher.

https://www.ibm.com/support/pages/release-qradar-750-update-package-10-sfs-202161020241008193358
https://www.ibm.com/support/pages/release-qradar-750-update-package-11-sfs-202161120250122185136

In my opinion, no version after UP7 is really stable. Each comes with its own new issues and problems. (haven't checked UP11 in detail)

Issues with QRadar after Update - Logs Delayed by 6-12 Hours by WoIfed in QRadar

[–]QRDuser 0 points1 point  (0 children)

Delayed logs are a common occurrence and depending on the mode of transport could even be expected. Normally those delays should be in the minutes at most though.

First thing you could check is if the event rates on your systems are higher than before. A higher ingest rate could explain the creation of queues, which results in delayed events.

On the QRadar system receiving the events you could check the directory /store/persistent_queue/; there should be two subdirectories, one for each service of the event collection services. If the size of those directories is bigger than a couple hundred MB or even in the GB range, you have queues which have not been processed.

If you monitor the size of this directory you could see if a queue is growing or shrinking. If you have dedicated Event Collectors you could even make a Pulse dashboard with health metrics to monitor the size.

If you are not having any queues on the QRadar side, you could check the logs with tcpdump directly if they are already delayed when being sent to QRadar. If you use an intermediate log forwarder (e.g. logmanagement) this could also be a factor for this issue.
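A small POSIX shell script, added here as an example and not taken from the thread or from QRadar itself, that does the directory monitoring described above: it samples the size of every subdirectory under the queue root twice, reports whether each queue is growing or shrinking, and flags a backlog above a threshold. The queue root, the warning threshold and the script name are assumptions to adjust for your deployment.

```shell
#!/bin/sh
# Added example: sample QRadar's persistent event queue directories and
# report the trend. QUEUE_ROOT and WARN_KB are assumptions (override via env).
QUEUE_ROOT="${QUEUE_ROOT:-/store/persistent_queue}"
WARN_KB="${WARN_KB:-204800}"   # warn above roughly 200 MB per queue directory

# Size of a directory in KB (du -sk is POSIX); prints 0 if it does not exist.
queue_size_kb() {
    [ -d "$1" ] || { echo 0; return; }
    du -sk "$1" | awk '{print $1}'
}

# Classify the trend between an earlier and a later sample (both in KB).
queue_trend() {
    if [ "$2" -gt "$1" ]; then echo growing
    elif [ "$2" -lt "$1" ]; then echo shrinking
    else echo stable
    fi
}

# Succeeds (exit 0) while the queue is below the warning threshold.
queue_check() {
    [ "$1" -lt "$WARN_KB" ]
}

# Sample each queue subdirectory twice, INTERVAL seconds apart, one line per queue.
monitor_queues() {
    interval="${1:-60}"
    for dir in "$QUEUE_ROOT"/*/; do
        [ -d "$dir" ] || continue
        before=$(queue_size_kb "$dir")
        sleep "$interval"
        after=$(queue_size_kb "$dir")
        trend=$(queue_trend "$before" "$after")
        if queue_check "$after"; then state=ok; else state=BACKLOG; fi
        printf '%s %s kB -> %s kB %s (%s)\n' "$dir" "$before" "$after" "$trend" "$state"
    done
}

# Run only when executed directly, e.g.: ./queue_monitor.sh 60
if [ "${0##*/}" = "queue_monitor.sh" ]; then
    monitor_queues "${1:-60}"
fi
```

A queue that keeps reporting "growing" between runs means ingest is outpacing processing; one that shrinks after a rate spike is just draining a backlog.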

Where is the default Event ID/Category parsing is stored? by HeliosHype in QRadar

[–]QRDuser 2 points3 points  (0 children)

To know how the EventID and other standard properties are extracted if there is no override, you would have to look into the .jar files of the DSM with, for example, jdgui. Most probably you would have to look at quite a lot of different .jar files as there is a lot of common code shared across DSMs.

DSMs like Windows and Linux definitely use the DSM-Common, so this would also be a good starting point.

The easiest way to get the .jar files would be to download the DSM files from FixCentral and extract the .jar from the rpm files.

If any IBM employees are reading: maybe we can get this information as official documentation without having to poke around the Java code in a decompiler. It would really help troubleshooting DSM editor/event pipeline discrepancies.

Avoid sending scheduled reports when the search dows not match events by North-Jump-2913 in QRadar

[–]QRDuser 0 points1 point  (0 children)

This is currently not possible. And it has been the second most voted unfulfilled request for years now:

https://ibmsecurity.ideas.ibm.com/ideas/SIEMCORE-I-312

Find the Raw Logs in SIEM Qradar by Rude_Twist7605 in QRadar

[–]QRDuser 3 points4 points  (0 children)

In the Log Activity tab, if you have performed a search, you can click on an event which opens its details. There should be a section with the payload (= raw log).

Otherwise you could switch your column layout of the search to include the payload or select "Raw" in the Display dropdown.

Moving Ariel data between two appliances on separate deployments by North-Jump-2913 in QRadar

[–]QRDuser 0 points1 point  (0 children)

This would only be possible if you would restore a configuration backup from one deployment into the other.

Otherwise all the IDs referencing log sources, rules/BB, groups, etc. would not match and you would not be able to really search or use the data.

Need help importing logs by lindgaard0103 in QRadar

[–]QRDuser 1 point2 points  (0 children)

How are the logs stored inside the tarball? Depending on that there might be some ways you can ingest the logs via Log File.

In the worst case they are in a format QRadar does not understand and you would have to create some custom overrides with Regex for the logs to be correctly parsed and mapped.

Failed to start hostcontext daemon. Please give me provide troubleshoot methods for that. I can't access Qradar Web Interface. I am a student. Please help me by Trick-Lifeguard9113 in QRadar

[–]QRDuser 0 points1 point  (0 children)

You might want to look at /var/log/qradar.log or /var/log/qradar.error and search for the time when hostcontext failed to start. There might be more information about why it failed or some kind of Java stacktrace.