
IBM QRadar Log Sources and DSMs — Parsing, Auto-Discovery and the DSM Editor

Every alert QRadar generates starts with a log source. This lesson maps the full journey: how QRadar discovers devices, which DSM transforms raw syslog into structured events, when the Universal DSM saves you, and how the DSM Editor lets you write custom parsing rules — so no device is ever invisible to your SIEM.

📅 2026-06-20 · ⏱ 17 min · 5 infographics · live block demo · 🏷 10-Q assessment + AI Tutor inline

⚡ Quick Answer

Master IBM QRadar log source management and DSMs in 2026: auto-discovery, Universal DSM, DSM Editor, event parsing, coalescing, and log source extensions explained with real scenarios.

Lesson path

1. Log sources 101: what they are, auto-discovery, manual add.
2. DSM deep dive: how DSMs parse, normalise, and coalesce events.
3. Universal DSM and Editor: fallback parsing and custom DSM authoring.
4. Extensions and ops: log source extensions, tuning, and troubleshooting.

🧠 Warm-up — 3 questions, no score

Just notice which ones make you pause. We answer all three inside the lesson.

1. What turns raw syslog into a structured QRadar event? (Answered in Log sources 101.)
2. What happens when QRadar receives traffic from an unknown device? (Answered in Universal DSM and Editor.)
3. How do you add new parsing fields to a DSM without replacing it? (Answered in Extensions and ops.)

Most analysts think…

Most people assume 'if the device is sending syslog to QRadar, it must be working'. That is only half the picture.

The other half is the Device Support Module (DSM): the parser that turns raw log text into QRadar's normalised event taxonomy. Without the right DSM, QRadar stores events as unparsed strings — offenses never fire and reports show nothing useful. Understanding how log sources are discovered, how DSMs parse and coalesce, and when to reach for the Universal DSM or DSM Editor is what separates an analyst who can onboard any device from one who is permanently waiting for an IBM content update.

① Log sources — what they are and how QRadar finds them

A log source in QRadar is any device, application, or cloud service that sends events into QRadar — firewalls, Windows servers, Linux hosts, cloud-trail feeds, IDS appliances, databases. Each log source has a log source type (e.g. Cisco ASA, Microsoft Windows Security Event Log) that tells QRadar which DSM to use for parsing.

QRadar discovers log sources in two ways. Auto-discovery fires when traffic arrives on the Event Collector from a previously unseen IP or identifier — QRadar creates a draft log source and assigns the best-match DSM automatically. Manual addition via Admin > Log Source Management lets you pre-configure sources before traffic arrives, choose the exact protocol (syslog, JDBC, SFTP, REST API, Windows event collection) and tune how events are labelled and grouped.

Log source coalescing kicks in when many similar events arrive in a short window — QRadar merges them into a single event with an event count, preventing event-count storms from flooding the console. The coalescing window and threshold are tunable per log source.
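The coalescing behaviour described above, as an added illustration that is not QRadar's own code: near-identical events (same source IP, destination IP and event ID) arriving inside one window are folded into a single record with an event count. The 10-second window and the threshold of 3 individually stored events are assumed values for the demo, and the deny events are constructed.

```python
from typing import Dict, List

# Assumed tunables (not taken from the lesson): a 10-second window and a
# threshold of 3 events stored individually before merging begins.
WINDOW_SECONDS = 10
THRESHOLD = 3


def coalesce(events: List[Dict], window: int = WINDOW_SECONDS,
             threshold: int = THRESHOLD) -> List[Dict]:
    """Merge near-identical events arriving within one window.

    Events are 'identical' when source IP, destination IP and event ID
    match. The first `threshold` events of a window are kept as separate
    records; every further identical event in that window is folded into
    one coalesced record whose `count` field is incremented.
    """
    output: List[Dict] = []
    state: Dict[tuple, Dict] = {}          # key -> per-window bookkeeping
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["src"], ev["dst"], ev["event_id"])
        win = state.get(key)
        if win is None or ev["ts"] - win["start"] >= window:
            win = {"start": ev["ts"], "seen": 0, "merged": None}
            state[key] = win
        win["seen"] += 1
        if win["seen"] <= threshold:
            output.append(dict(ev, count=1))       # stored individually
        elif win["merged"] is None:
            win["merged"] = dict(ev, count=1)      # first merged record
            output.append(win["merged"])
        else:
            win["merged"]["count"] += 1            # absorbed into it
    return output


def build_sample() -> List[Dict]:
    """Constructed input: one host hit by the same firewall deny every second."""
    deny = {"src": "10.0.0.5", "dst": "203.0.113.9", "event_id": "Deny"}
    events = [dict(deny, ts=t) for t in range(8)]       # ts 0..7: one window
    events.append(dict(deny, ts=15))                    # later: a new window
    events.append({"src": "10.0.0.6", "dst": "203.0.113.9",
                   "event_id": "Deny", "ts": 3})        # a different source
    return events


def demo() -> List[Dict]:
    """Ten raw events become six records; the merged one carries count=5."""
    return coalesce(build_sample())


if __name__ == "__main__":
    for rec in demo():
        print(rec["ts"], rec["src"], rec["event_id"], "count =", rec["count"])
```

Raising the threshold above the number of events switches coalescing off for the window, which is what you see when a log source is tuned to store every event individually.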

Figure 1 — Log source onboarding — discovery to active
[Infographic: Traffic arrives (syslog/API/JDBC) → Auto-discover (match IP to source) → Assign DSM (vendor-type lookup) → Parse and map (fields + HLC/LLC) → Active source (rules fire, offenses up)]
How QRadar takes an unknown device from first packet to a fully parsed, categorised log source.

Figure 2 — Log source ingest protocols
[Infographic: Syslog (UDP/TCP/TLS): firewalls, Linux, network devices, push model · Windows Event Collection: Windows Security Events, agent or agentless · JDBC/ODBC: database log tables, pull on a schedule · REST API/Cloud: AWS, Azure, Office 365 trails, API pull]
QRadar supports push and pull protocols; the right choice depends on device type and topology.

Quick check · Q1 of 10 · Understand

QRadar event coalescing is primarily designed to…

Correct: b. Coalescing merges many near-identical events (same source IP, event ID, destination) in a short time window into one event record with an event count. This prevents EPS storms from flooding Log Activity and the rules engine. It is configurable per log source.
👉 So far: A log source is any device sending events to QRadar. QRadar discovers them automatically or via manual add; coalescing merges repeated events to prevent EPS storms.

② DSMs — how Device Support Modules parse and normalise events

A Device Support Module (DSM) is QRadar's parser for a specific vendor and product. It contains regex patterns, field mappings, and event-category mappings that transform raw log text (syslog, Windows event XML, JSON, CEF) into QRadar's normalised taxonomy: source IP, destination IP, username, event ID, event category, and the High Level Category / Low Level Category (HLC/LLC) pair that determines which rules fire.

DSM content packs and updates

IBM ships DSMs through the DSM Content Packs available on IBM Fix Central and through the App Framework marketplace on newer versions. Keeping DSMs current matters because vendors change log formats — an out-of-date DSM silently produces events with category Unknown rather than raising an error. The Log Activity tab in QRadar shows the real-time parse status: look for Unknown or Stored event categories, which signal that the DSM is not matching the incoming format.

Figure 3 — One DSM per device type — central parsing hub
[Infographic: DSM Parser (regex + field maps) at the centre, fed by Cisco ASA, Windows Sec Events, Palo Alto Networks, Linux auth syslog, AWS CloudTrail, Custom / Universal]
Each device type gets one DSM. Every log source of that type uses the same regex and field mappings.

Key terms

Log Source: Any device or service sending events to QRadar. Defined by type, protocol, and DSM. Auto-discovered from incoming traffic or manually added in Admin > Log Source Management.

Device Support Module: The parser for a specific vendor product. Contains regex, field mappings, and HLC/LLC category assignments that turn raw log text into structured QRadar events.

Universal DSM: QRadar's fallback parser for unrecognised devices. Extracts best-effort fields but leaves event categories as Unknown — a signal to build a proper DSM.

Log Source Extension: An XML overlay on top of an existing IBM DSM that adds missing field extractions. IBM content pack updates still apply to the base DSM; the extension persists on top.

Always check HLC/LLC in Log Activity first

Before blaming the rule engine for a missing offense, filter Log Activity by the relevant log source and check the event category column. If you see Unknown / Unknown, the DSM is not parsing correctly — no rule will fire no matter how well it is written. Fix the DSM first, then re-test the rule.

Quick check · Q2 of 10 · Remember

Which QRadar taxonomy pair does a DSM assign to every parsed event to determine which rules fire?

Correct: c. The HLC/LLC pair is QRadar's normalised event category taxonomy. Rules are written against HLC/LLC values. If a DSM assigns Unknown/Unknown, no category-specific rule will fire regardless of how well the rule is written.
👉 So far: A DSM parses raw log text and assigns QRadar fields plus HLC/LLC category. Events showing Unknown category mean the DSM is not matching — fix the DSM before debugging the rule.

③ Universal DSM and the DSM Editor — parsing without a vendor DSM

When no vendor-specific DSM matches an incoming log source, QRadar falls back to the Universal DSM. It extracts a best-effort set of fields (source IP, destination IP, payload) but leaves the event category as Unknown. This keeps events visible in QRadar without dropping them, but offenses that depend on specific categories will not fire. The Universal DSM is your signal that you need a proper parser.

The DSM Editor (Admin > DSM Editor) is QRadar's built-in parser authoring tool. You load sample log lines, write regex capture groups that bind to QRadar fields, map the output to an event category, and test the mapping live before saving. Once published, the custom DSM replaces the Universal DSM for that log source type. Key concepts in the Editor: expression sets (ordered regex rules tried top-to-bottom), property mappings (QRadar field to capture group), and event ID mapping (the string QRadar uses to name the event in Log Activity).

A log source extension is different from a full custom DSM: it is an XML overlay added on top of an existing DSM that extracts additional fields the base DSM misses. Use extensions when the vendor DSM exists but omits fields you need for a specific rule — you keep automatic IBM updates and layer your extra parsing on top.

Figure 4 — Full custom DSM vs log source extension
[Infographic, two columns. Full Custom DSM: built in DSM Editor; replaces Universal DSM; you own all regex rules; use when no IBM DSM exists; IBM updates are separate. Log Source Extension: XML overlay on IBM DSM; keeps IBM base intact; adds missing fields only; safe on IBM DSM updates; use when base DSM exists.]
Choose the right tool: a full DSM replaces parsing entirely; an extension layers extra fields on an existing DSM.
Modifying the IBM base DSM directly in DSM Editor

A common mistake is editing the IBM-shipped DSM directly to add a missing field. When IBM releases a DSM content pack update, your changes are overwritten silently. Use a log source extension for adding fields to an existing DSM — the base DSM can be safely updated while your extension persists on top.

▶ Watch a custom device event get parsed end-to-end

An IoT sensor sends syslog; QRadar discovers it and falls back to the Universal DSM. A new custom DSM is published and the same event becomes a fully categorised, offense-eligible record.

① Syslog arrives: The IoT sensor sends a UDP syslog packet to the QRadar Event Collector on port 514.
② Auto-discover: QRadar sees a new source IP with no matching log source. It creates a draft log source and assigns the Universal DSM. Events appear in Log Activity as category Unknown.
③ DSM Editor: The analyst loads a sample event, writes a regex expression set, maps fields to QRadar properties (username, action, src IP), sets HLC = Access / LLC = Authentication Success, and publishes.
④ Parsed event: The new DSM takes effect. Re-ingested events now carry the correct HLC/LLC, and the access-anomaly rule fires on the next suspicious login and raises an offense.
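The walkthrough above, plus the expression-set and extension concepts from section ③, as an added Python model that is not QRadar's code and not the DSM Editor's format: an ordered expression set is tried top-to-bottom, the first match assigns fields and HLC/LLC, anything unmatched gets Universal-DSM treatment (best-effort source IP, category Unknown), and an extension adds fields after the base parse without overriding it. The sensor log lines, field names and categories are constructed for the demo.

```python
import re
from typing import Dict, List, Optional

# Constructed syslog lines from a hypothetical IoT sensor (not a real vendor format).
SAMPLE_LINES = [
    "<86>Jun 20 10:01:02 sensor-7 iotd: user=admin action=login result=success src=10.1.1.20",
    "<86>Jun 20 10:01:09 sensor-7 iotd: user=guest action=login result=failure src=10.1.1.44 reason=bad-password",
    "<86>Jun 20 10:02:00 sensor-7 iotd: temperature=41.5 unit=C",
]

# Expression set modelled as ordered (regex, event ID, HLC, LLC) rules.
# Tried top-to-bottom, first match wins: put specific rules above broad ones.
EXPRESSION_SET = [
    (re.compile(r"user=(?P<username>\S+) action=login result=success src=(?P<src_ip>\S+)"),
     "iot.login.success", "Access", "Authentication Success"),
    (re.compile(r"user=(?P<username>\S+) action=login result=failure src=(?P<src_ip>\S+)"),
     "iot.login.failure", "Access", "Authentication Failure"),
]

# Log source extension modelled as extra (field, regex) extractions layered on afterwards.
EXTENSION = [("reason", re.compile(r"reason=(\S+)"))]

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_event(line: str, expression_set: List[tuple],
                extension: Optional[List[tuple]] = None) -> Dict:
    """Parse one line the way a DSM would, falling back to Universal-DSM behaviour."""
    event = None
    for pattern, event_id, hlc, llc in expression_set:
        m = pattern.search(line)
        if m:
            event = {"event_id": event_id, "hlc": hlc, "llc": llc, **m.groupdict()}
            break
    if event is None:
        # Universal DSM fallback: best-effort fields, category Unknown/Unknown.
        ip = IP_RE.search(line)
        event = {"event_id": "Unknown", "hlc": "Unknown", "llc": "Unknown",
                 "src_ip": ip.group(1) if ip else None}
    event["payload"] = line
    for field_name, pattern in extension or []:
        m = pattern.search(line)
        if m and field_name not in event:      # an extension adds fields, never overrides
            event[field_name] = m.group(1)
    return event


def parse_all(lines: List[str], expression_set: List[tuple],
              extension: Optional[List[tuple]] = None) -> List[Dict]:
    return [parse_event(line, expression_set, extension) for line in lines]


def rule_matches(events: List[Dict], hlc: str, llc: str) -> List[Dict]:
    """Emulate a rule test on HLC/LLC: Unknown/Unknown events can never match."""
    return [e for e in events if e["hlc"] == hlc and e["llc"] == llc]


def demo():
    """Same lines before (Universal DSM only) and after (custom DSM + extension)."""
    before = parse_all(SAMPLE_LINES, [])
    after = parse_all(SAMPLE_LINES, EXPRESSION_SET, EXTENSION)
    return before, after
```

The third line (a temperature reading) still lands as Unknown after the custom DSM is in place; that is the expected outcome for a message type the expression set does not cover, and it is exactly what the Log Activity category filter from section ② would surface.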
Quick check · Q3 of 10 · Apply

A new IoT sensor sends syslog to QRadar but its events show category 'Unknown' in Log Activity. What is the correct next step?

Correct: a. Unknown category means the Universal DSM is in use and cannot map the log format. The fix is to build a custom DSM in the DSM Editor: load sample lines, write regex capture groups, map QRadar properties, set HLC/LLC, and publish.
👉 So far: Universal DSM is the fallback for unrecognised devices. DSM Editor builds custom parsers from scratch. Log source extensions add fields to an existing DSM without touching the IBM base.

④ Operational practice — managing, tuning, and troubleshooting log sources

The Log Source Management app (Admin > Log Source Management, or the dedicated Log Source Management App on QRadar 7.4+) is where you see all log sources, their status (active, disconnected, error), last event time, events-per-second (EPS), and which DSM version is in use. A log source showing Last Event far in the past or status Error is the first indicator of a collection gap.

Common tuning tasks

When a log source generates too many nearly-identical events (e.g. a firewall denying the same scan every second), increase the coalescing threshold so events are merged before reaching the rules engine. When a device logs in a non-standard format, update or clone the DSM using the DSM Editor rather than raising a support case. For log sources that rotate IP addresses (virtual IPs, NAT sources), pin them by device identifier or name rather than source IP to prevent duplicate log source creation. Always check the Event Collector logs (Admin > System and License Management > System Log) when events stop — protocol errors, authentication failures, and syslog port conflicts all surface there first.

Figure 5 — Troubleshooting a silent log source
[Infographic: Check last event (Log Src Mgmt app) → Check collector (protocol/port/auth) → Check DSM parse (Log Activity filter) → Fix or extend DSM (DSM Editor/extension) → Verify and monitor (EPS healthy, parsed)]
Step-by-step path from no events appearing to root cause identified and fixed.

Priya at a Mumbai financial services firm faces this

After onboarding a new next-generation firewall, the QRadar offense for repeated firewall denies from an internal host never fires — but the firewall is sending syslog and Log Activity shows thousands of events per minute.

Likely cause

The firewall vendor recently changed its syslog format. The DSM is assigning every event to HLC = Unknown / Unknown instead of Firewall / Deny. Rules that test for HLC = Firewall never match.

Diagnosis

Open Log Activity, filter by this log source, and inspect the event category column — all events show Unknown. Check the DSM version under Admin > Log Source Management.

Where to look: Admin > Log Source Management > DSM column, and Log Activity > Event Category filter.
Fix

Download the latest DSM content pack for the vendor from IBM Fix Central and install it. If no update exists, open the DSM Editor, load a sample event in the new format, update the expression set to match the changed field positions, and republish the DSM.

Verify

Re-check Log Activity after the DSM update: events now show HLC = Firewall / Deny. Run a controlled test by triggering repeated deny events — the offense fires within the rule window.

Three checks before closing a log source ticket

A log source marked Active does not guarantee events are parsed correctly. Always verify: (1) Last Event time is recent, (2) EPS is in the expected range, (3) a sample event in Log Activity shows the correct HLC/LLC, not Unknown. Three green checks, then close the ticket.

Quick check · Q4 of 10 · Analyze

A firewall log source shows Last Event time as 6 hours ago. What should you check first?

Correct: d. The Event Collector logs (Admin > System and License Management > System Log) surface protocol errors, authentication failures, and port conflicts — the most common causes of a silent log source. Always check there before touching the log source configuration.
👉 So far: For a silent log source: check Last Event time, check Event Collector logs for protocol errors, check Log Activity for Unknown categories, then fix the DSM or protocol config before touching rules.


📝 Wrap-up assessment — six more

You have answered four questions inline; six remain. 70% (7 of 10) marks the lesson complete.

Q5 · Remember

What QRadar component contains regex patterns, field mappings, and HLC/LLC assignments for a specific vendor device?

Correct: c. The DSM (Device Support Module) is the per-vendor parser. It maps raw log text to QRadar's normalised taxonomy including the HLC/LLC pair that determines which rules fire.
Q6 · Understand

An event in QRadar Log Activity shows High Level Category = 'Unknown'. The most likely cause is…

Correct: b. HLC = Unknown means the DSM found no matching regex expression and could not assign a category. The ingest layer is working fine — the DSM parser is the problem.
Q7 · Apply

You need to extract a custom vendor-specific field from a firewall that already has an IBM-shipped DSM. The correct approach is to…

Correct: a. A log source extension layers extra field extractions on top of the IBM base DSM without replacing it. IBM content pack updates continue to apply to the base DSM, and the extension persists on top. Replacing the DSM entirely means losing IBM maintenance updates.
Q8 · Analyze

A Windows Server log source has been auto-discovered three times under different names. The most likely root cause is…

Correct: d. Auto-discovery keys on source IP by default. If the server IP changes (DHCP, NAT, or failover), each distinct IP creates a new draft log source. Fix by pinning the log source to a stable device identifier such as the hostname in the syslog header.
Q9 · Evaluate

Which of the following best describes the primary benefit of QRadar event coalescing?

Correct: c. Coalescing reduces EPS noise by merging many near-identical events (same source IP, event ID, destination) arriving in a short window into one event record with an event count. This prevents the rules engine and Log Activity from being flooded with repetitive events.
Q10 · Evaluate

An analyst wants IBM DSM content pack updates to keep applying AND needs a custom field extraction for a specific rule. The right architecture is…

Correct: b. A log source extension overlays extra field extractions on the IBM base DSM so IBM updates still apply to the base while the extension persists. This is safer and lower-maintenance than replacing the IBM DSM or patching XML manually.

🧠 In your own words

Type one line: why does a correctly-arriving syslog event still produce no offense in QRadar? Then compare with the expert version.

Expert version: Because collection and parsing are two separate stages. Syslog arriving at the Event Collector only means the protocol layer is working — the DSM must then match the log format and assign the correct HLC/LLC category. If the DSM expression sets do not match (wrong format, outdated DSM after a vendor update), every event is categorised as Unknown and no rule that tests for a specific HLC fires, so no offense is created even though Log Activity shows thousands of events per minute.


📖 Glossary

Log Source
Any device or application configured to send events to QRadar — defined by protocol, source identifier, and the DSM assigned to parse its events.
Device Support Module (DSM)
The per-vendor parser in QRadar: regex expression sets, field mappings, and HLC/LLC category assignments that transform raw log text into structured events.
HLC / LLC
High Level Category and Low Level Category — QRadar's event taxonomy that determines which rules fire and how offenses are named.
Universal DSM
QRadar's fallback parser for unrecognised devices. Extracts best-effort fields but leaves event category as Unknown — the signal to build a proper DSM.
DSM Editor
The built-in QRadar tool (Admin > DSM Editor) for authoring custom parsing expression sets, field mappings, and category assignments for any log format.
Log Source Extension
An XML overlay added to an existing DSM that extracts additional fields without modifying the base parser — safe to keep when IBM ships DSM updates.
Event Coalescing
QRadar feature that merges multiple near-identical events within a short time window into one event record with an event count, preventing EPS storms.
Auto-Discovery
QRadar automatically creates a draft log source when traffic arrives from an unrecognised IP or identifier and assigns the best-match DSM.


What's next?

Confident with log sources and DSMs? Next, go deep on QRadar rules and building correlated offenses — how the AQL-backed rule engine turns individual events into actionable security incidents.