Use the QRadar® Log Source Management app to add new log sources to receive events from your network devices or appliances.
Before you begin
Download and install a device support module (DSM) that supports the log source. A DSM is a software application that contains the event patterns that are required to identify and parse events. The events are parsed from the original format of the event log to the format that QRadar can use.
You can install a DSM from IBM® Fix Central (https://www-945.ibm.com/support/fixcentral/). For more information, see the DSM Configuration Guide. You can also create a custom log source type without a DSM.
Procedure
- In the QRadar Log Source Management app, click + New Log Source.
- Click Single Log Source.
- On the Select a Log Source Type page, select a log source type and click Select Protocol Type.
- On the Select a Protocol Type page, select a protocol and click Configure Log Source Parameters.
- On the Configure the Log Source parameters page, configure the log source parameters and click Configure Protocol Parameters.
- On the Configure the protocol parameters page, configure the protocol-specific parameters.
- Optional: If the server certificates for the protocol are uploaded to the centralized certificate store, select the certificate from the Server Certificate Store Alias list.
  If your log source requires a server certificate that is not uploaded to the centralized certificate store, and you have System Administrator permission, you can upload the certificate from the IBM QRadar Certificate Management app.
  - If the QRadar Certificate Management app is installed, in the Server Certificate Store Alias list, select Upload new certificate. The Certificate Management app opens.
  - If the QRadar Certificate Management app is not installed, in the Server Certificate Store Alias list, select Download Certificate Management app to open the IBM Security App Exchange and download the app.
- Optional: If your configuration can be tested, the Test Protocol Parameters option is listed in the Steps pane. When you test your configuration, you can identify any errors with your protocol parameters. For more information, see Testing log sources. To test your configuration, follow these steps:
  - Click Test Protocol Parameters, and then click Start Test.
  - To fix any errors, click Configure Protocol Parameters. On the Configure the protocol parameters page, configure the protocol-specific parameters, then test your protocol again.
  If your configuration can be tested, but you don't want to test it, click Skip Test and Finish.
- Click Finish.
Results
Your log source is listed on the Log Sources page.