IBM Support

QRadar: XPath Query Troubleshooting

Troubleshooting


Problem

The following issues might cause an XPath query in a QRadar log source not to retrieve Windows events as intended.

Symptom

An XPath query causes WinCollect to stop logging events, or the XPath query fails to save in the log source configuration.

Cause

QRadar requires XPath queries to follow different syntax rules than a Microsoft Event Viewer custom view requires.

Environment

WinCollect log source configurations that leverage XPath queries.

Diagnosing The Problem

If the XPath query in a log source has a formatting issue, the log source might not return results as expected. If the log source configuration contains end-of-line characters, an upload issue might occur when you attempt to save the log source, or an F5 refresh error might be displayed.

Resolving The Problem

XPath queries, when applied to QRadar, must follow some strict rules:

  1. Administrators should remove unnecessary white space and extra carriage returns from the XPath query so that no end-of-line characters remain; these characters can cause the log source to misinterpret the query.

    For example:

    <QueryList><Query Id="0" Path="Security"><Select Path="Security">*</Select><Suppress Path="Security">(*[EventData[Data[@Name='TargetUserName'] and (Data='QRADAR_WINCOLLECT')]] and *[EventData[Data[@Name='Workstation'] and (Data='MySystem')]])</Suppress></Query></QueryList>


    This solution helps prevent issues that result from cut-and-paste operations from Windows into the log source configuration in QRadar. If end-of-line characters are present in the log source configuration, administrators might see F5 refresh page errors in the user interface.
     
  2. Less than (<) and greater than (>) symbols that are used as comparison operators in the query must be converted to the XML entities &lt; and &gt;. When you upload the XPath query to the log source, the &lt; and &gt; entities are displayed as < and > in the query. For example:

    Incorrect: (EventID >= 560  and  EventID <= 572)
    Correct: (EventID &gt;= 560 and EventID &lt;= 572)

    If you need to make changes, edit the original XPath query and upload it again.
     
  3. Backslashes in directory paths within the XPath query must be escaped by doubling them. For example:

    Incorrect: (Data='C:\Program Files (x86)\My path to file\MyFile.exe')
    Correct: (Data='C:\\Program Files (x86)\\My path to file\\MyFile.exe')
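    As an added example (not code from the IBM article or from WinCollect), the following Python helper applies the three rules above to a query pasted from Event Viewer and can also report which rules an existing query violates before it is uploaded. It assumes the query uses only the standard Windows Event Log QueryList tags (QueryList, Query, Select, Suppress) and treats any other < or > in element text as a comparison operator; the sample query is constructed for the example.

```python
"""Normalise a Windows Event Log XPath query for a QRadar WinCollect log source."""
import re

# Tags of a Windows Event Log QueryList document. Anything else that starts
# with '<' or ends with '>' inside element text is treated as a comparison
# operator (assumption for this example).
_TAG_RE = re.compile(r"</?(?:QueryList|Query|Select|Suppress)\b[^>]*>")
# A backslash that is not already part of a doubled pair.
_LONE_BACKSLASH_RE = re.compile(r"(?<!\\)\\(?!\\)")
# Single-quoted literals such as Data='C:\path\file.exe'.
_QUOTED_RE = re.compile(r"'([^']*)'")

# Constructed sample: a query pasted from Event Viewer with line breaks,
# raw comparison operators and single backslashes in a path literal.
SAMPLE_PASTED_QUERY = r"""<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID >= 560 and EventID <= 572)]]</Select>
    <Suppress Path="Security">*[EventData[Data[@Name='ProcessName'] and (Data='C:\Program Files (x86)\MyApp\MyFile.exe')]]</Suppress>
  </Query>
</QueryList>"""


def _split_tags(query):
    """Yield (is_tag, chunk) pairs so that tag delimiters are never rewritten."""
    pos = 0
    for m in _TAG_RE.finditer(query):
        if m.start() > pos:
            yield False, query[pos:m.start()]
        yield True, m.group(0)
        pos = m.end()
    if pos < len(query):
        yield False, query[pos:]


def _escape_text(text):
    """Apply rules 2 and 3 to a chunk of element text."""
    # Rule 2: comparison operators become XML entities.
    text = text.replace("<", "&lt;").replace(">", "&gt;")
    # Rule 3: lone backslashes inside quoted path literals are doubled.
    return _QUOTED_RE.sub(
        lambda m: "'" + _LONE_BACKSLASH_RE.sub(r"\\\\", m.group(1)) + "'", text)


def normalize_xpath_for_qradar(query):
    """Return the query as a single line that follows all three rules."""
    # Rule 1: drop end-of-line characters and the whitespace between tags.
    query = re.sub(r"[\r\n\t]+", " ", query)
    query = re.sub(r">\s+<", "><", query).strip()
    return "".join(chunk if is_tag else _escape_text(chunk)
                   for is_tag, chunk in _split_tags(query))


def find_qradar_xpath_issues(query):
    """Report which rules a query violates, without changing it."""
    issues = set()
    if re.search(r"[\r\n]", query):
        issues.add("end-of-line characters present")
    for is_tag, chunk in _split_tags(query):
        if is_tag:
            continue
        if "<" in chunk or ">" in chunk:
            issues.add("unescaped comparison operator in element text")
        if any(_LONE_BACKSLASH_RE.search(m.group(1))
               for m in _QUOTED_RE.finditer(chunk)):
            issues.add("single backslash inside a quoted path literal")
    return sorted(issues)


if __name__ == "__main__":
    print("Issues before:", find_qradar_xpath_issues(SAMPLE_PASTED_QUERY))
    fixed = normalize_xpath_for_qradar(SAMPLE_PASTED_QUERY)
    print(fixed)
    print("Issues after:", find_qradar_xpath_issues(fixed))
```

    Run find_qradar_xpath_issues on a query before saving the log source; an empty list means the query already satisfies the three rules, and normalize_xpath_for_qradar is idempotent, so running it on an already-normalised query changes nothing.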

     


Document Information

Modified date:
23 February 2021

UID

swg21682357