Assume my log source extension has 4001 as a hard-coded value for the devicetypeId. If any app installed on the same machine is already using 4001, my extension automatically gets a different ID, like 4002, while installing. This creates a problem for custom property extractions and event mapping: because my custom properties are written on devicetypeid 4001 in my XML file, they stop working. If we manually change the XML file to use 4003 as the devicetypeid, it works. But I do not think we expect QRadar users to do this manually every time there is a conflict between apps. How do we solve this problem?