Hello, 

We are a Managed Security Services company trying to onboard a customer's Cisco ISE device onto QRadar 7.4.0 FP3.

- The logs are landing at the QRadar event collector.

- They are arriving as UDP multiline, which is what QRadar expects.

ISSUE: However, the DSM guide produced by IBM seems to deal with the older versions of QRadar, hence the log source settings are a little different. I need your guidance on onboarding it to QRadar 7.4.0 FP3.

Here are variations/differences/gaps from the DSM guide which we saw:

1. As seen in screenshot # 1 below, the field Source Name Formatting String is mandatory when you create the log source. However, that field wasn't present in the previous QRadar versions. What value should be put there?

2. As seen in screenshot # 2 below, when you enable Show Advanced Options, some more options show up. What should be enabled in the advanced settings?

3. As seen in screenshot # 3 below, we have selected the Protocol Type as UDP Multiline Syslog (instead of Syslog). Would the QRadar DSM automatically re-assemble the log messages coming over multiple packets? If we select the Protocol Type as Syslog, then the first message gets parsed but the remaining ones are not re-assembled. In any case, the recommended option in the DSM guide is UDP Multiline Syslog, which is not working.

I would appreciate some help on the same. Apart from the highlighted, the only difference is that we are sending it to a non-default port at the event collector (527 instead of 517).

Best,

Pukhraj