Hi,
If you add log sources manually to QRadar, you simply have to change log source parse ordering in the Admin tab. Don't rely on automatic detection as long as you don't know how to achieve that. If you've got hundreds of Arubas to manage, you may think of alternatives like connecting an Aruba management component. Use DSMedit for unsupported devices. In most cases IBM support will be able to help you. Please see the link below for supported Aruba devices:
https://www.ibm.com/docs/en/dsm?topic=configuration-aruba-networks
------------------------------
karl jaeger
------------------------------
Original Message:
Sent: Jan 22, 2016 01:45 PM
From: Jay La Valle
Subject: Aruba Networks in IBM Qradar
I can't answer why, but have dealt with this before with 2 different SIEMs. I had to contact those vendors to get a fix. Something different about the format of the logs.