Configuring Log Source Autodetection for Log Source types

Configure Log Source Autodetection for a log source type so that you don't need to manually create a log source for each instance of that type. Tuning the autodetection parameters also improves the accuracy of detection for devices that share a common event format, and can improve event pipeline performance by avoiding the creation of log sources for incorrectly detected devices.

Before you begin

In QRadar® V7.3.2, upgrading from a previous version enables global autodetection settings, which are stored in the QRadar database. The global settings are initially populated from the TrafficAnalysisConfig.xml file in the /opt/qradar/conf/ directory on the QRadar Console. Customizations made to that file on the Console before the upgrade are preserved; customizations that exist only on other managed hosts in the deployment are not carried over to the global settings. You can still enable per-Event Processor autodetection settings by using the configuration file method. To disable the global autodetection settings, go to Admin > System & License Management > Edit Managed Host > Component Management.

About this task

When Log Source Autodetection is enabled, if you create a custom log source type that has many instances in your network, you don't need to manually create a log source for each instance.

You can also use the QRadar REST API or a command line script to enable or disable autodetection for individual log source types. If you use only a small number of log source types, restricting autodetection to those types improves the speed of detection.

If you revert to the file-based (non-global) settings, you can configure autodetection only by using the configuration file; the DSM Editor and the REST API work only with the global settings. If you want to manage autodetection through the DSM Editor, move any custom file-based autodetection configuration into the global settings first.

Tune the autodetection engine so that log sources aren't identified as the wrong type. Incorrect detection happens when a DSM recognizes events as its own even though they don't originate from the type of system that the DSM corresponds to, for example because the events are formatted similarly to the events the DSM supports, or because they contain the same keywords that the DSM looks for. It can happen even when a DSM exists for the system that generates the events: if the events are similar enough, the incorrect DSM parses them as successfully as the correct DSM does, recognizes them as its own, and the autodetection engine creates a log source of the wrong type.

For example, suppose that you have both Linux® and AIX® systems in your QRadar deployment, and most of them are Linux. You can reduce the Minimum Successful Events for Autodetection parameter or the Minimum Success Rate for Autodetection parameter for Linux, so that Linux sources are detected sooner. Alternatively, increase the Minimum Successful Events for Autodetection parameter or the Minimum Success Rate for Autodetection parameter for AIX, so that the AIX DSM does not claim sources that only partly match its format.

Procedure

  1. On the navigation menu ( Navigation menu icon ), click Admin.
  2. In the Data Sources section, click DSM Editor.
  3. Select a log source type or create a new one from the Select Log Source Type window.
  4. Click the Configuration tab, and then click Enable Log Source Autodetection.
  5. Configure the following parameters:
     Log Source Name Template
       The template for the name of autodetected log sources. Two variables can be used:
       • $$DEVICE_TYPE$$ corresponds to the log source type name.
       • $$SOURCE_ADDRESS$$ corresponds to the source address that the events originate from.

     Log Source Description Template
       The template for the description of autodetected log sources. The same two variables can be used:
       • $$DEVICE_TYPE$$ corresponds to the log source type name.
       • $$SOURCE_ADDRESS$$ corresponds to the source address that the events originate from.

     Minimum Successful Events for Autodetection
       The minimum number of events from an unknown source that must be parsed successfully before the source is autodetected.

     Minimum Success Rate for Autodetection
       The minimum percentage of attempted events from an unknown source that must parse successfully before the source is autodetected.

     Attempted Parse Limit
       The maximum number of events from an unknown source that the engine attempts to parse before it abandons autodetection for that source.

     Consecutive Failed Parse Limit
       The number of consecutive events from an unknown source that fail to parse before the engine abandons autodetection for that source.
  6. Click Save.
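The following Python model is an added example, not QRadar code and not part of the original page. It shows how the four thresholds in the parameter table interact in the Linux and AIX scenario described under About this task, and how the name template variables are expanded. It assumes a simple decision rule (a source is detected once both Minimum Successful Events and Minimum Success Rate are met, and abandoned when either limit is reached) and a tie-break in which the DSM that meets its thresholds in the fewest events wins; neither rule is documented on this page. The two parsers, the type names, the log lines and the default threshold values are constructed for illustration and are not real DSMs or QRadar defaults.

```python
import re
from dataclasses import dataclass

# Added example (not QRadar code): a model of how the four DSM Editor autodetection
# thresholds interact. The decision rule and tie-break below are assumptions.

@dataclass
class AutodetectConfig:
    name_template: str = "$$DEVICE_TYPE$$ @ $$SOURCE_ADDRESS$$"  # Log Source Name Template
    min_successful_events: int = 10     # Minimum Successful Events for Autodetection
    min_success_rate: float = 0.60      # Minimum Success Rate for Autodetection (as a fraction)
    attempted_parse_limit: int = 100    # Attempted Parse Limit
    consecutive_failed_limit: int = 5   # Consecutive Failed Parse Limit

@dataclass
class Outcome:
    result: str        # "detected", "abandoned" or "undecided"
    attempted: int
    successful: int

def render_template(template: str, device_type: str, source_address: str) -> str:
    """Expand the two template variables documented for the name/description templates."""
    return (template.replace("$$DEVICE_TYPE$$", device_type)
                    .replace("$$SOURCE_ADDRESS$$", source_address))

def run_autodetection(parser, cfg: AutodetectConfig, events) -> Outcome:
    """Feed events from one unknown source to one DSM's parser and apply the thresholds."""
    attempted = successful = consecutive_failed = 0
    for ev in events:
        attempted += 1
        if parser(ev):
            successful += 1
            consecutive_failed = 0
        else:
            consecutive_failed += 1
            if consecutive_failed >= cfg.consecutive_failed_limit:
                return Outcome("abandoned", attempted, successful)
        if (successful >= cfg.min_successful_events
                and successful / attempted >= cfg.min_success_rate):
            return Outcome("detected", attempted, successful)
        if attempted >= cfg.attempted_parse_limit:
            return Outcome("abandoned", attempted, successful)
    return Outcome("undecided", attempted, successful)  # stream ended before any limit

# Toy parsers (assumption: real DSMs are far more specific than a header regex).
SYSLOG_HDR = re.compile(r"^<\d+>\w{3} +\d+ \d\d:\d\d:\d\d \S+ (?P<proc>[\w/-]+)(\[\d+\])?: ")
AIX_PROCS = {"sshd", "su", "cron"}   # process names the toy "AIX" DSM expects

def linux_parse(line: str) -> bool:
    return SYSLOG_HDR.match(line) is not None

def aix_parse(line: str) -> bool:
    m = SYSLOG_HDR.match(line)
    return m is not None and m.group("proc") in AIX_PROCS

def detect_log_source(dsms: dict, events, source_address: str):
    """dsms maps type name -> (parser, config). Returns (type, rendered name) or None.
    Tie-break assumption: the DSM that reaches its thresholds in the fewest events wins."""
    winners = []
    for dev_type, (parser, cfg) in dsms.items():
        out = run_autodetection(parser, cfg, events)
        if out.result == "detected":
            winners.append((out.attempted, dev_type, cfg))
    if not winners:
        return None
    _, dev_type, cfg = min(winners, key=lambda w: w[0])
    return dev_type, render_template(cfg.name_template, dev_type, source_address)

# Constructed sample: 40 syslog lines from one Linux host; 7 in every 10 come from
# processes the toy AIX DSM also recognises (the "similar format" case on this page).
PROCS = ["sshd", "su", "cron", "systemd", "kernel", "cron", "sshd", "systemd", "su", "sshd"]
LINUX_EVENTS = [f"<34>Oct 11 22:14:{i % 60:02d} host01 {PROCS[i % 10]}[{1000 + i}]: event {i}"
                for i in range(40)]
# Constructed sample: a source that is not syslog at all.
CEF_EVENTS = [f"CEF:0|Vendor|Product|1.0|{i}|Some event|5|src=10.0.0.{i}" for i in range(8)]

DEFAULTS = {"Linux OS": (linux_parse, AutodetectConfig()),
            "IBM AIX Server": (aix_parse, AutodetectConfig())}
TUNED = {"Linux OS": (linux_parse, AutodetectConfig(min_successful_events=5)),
         "IBM AIX Server": (aix_parse, AutodetectConfig(min_success_rate=0.90,
                                                       attempted_parse_limit=30))}

if __name__ == "__main__":
    for label, dsms in (("defaults", DEFAULTS), ("tuned", TUNED)):
        for dev_type, (parser, cfg) in dsms.items():
            print(label, dev_type, run_autodetection(parser, cfg, LINUX_EVENTS))
        print(label, "->", detect_log_source(dsms, LINUX_EVENTS, "192.0.2.10"))
    print("CEF stream vs Linux DSM:", run_autodetection(linux_parse, AutodetectConfig(), CEF_EVENTS))
```

With the default thresholds both the Linux and the AIX parser reach their minimums on the Linux host's stream (after 10 and 13 events respectively), so which log source type gets created depends entirely on the engine's tie-break. With the tuned thresholds, Linux is detected after 5 events, while the AIX parser never reaches a 90% success rate and is abandoned at its 30-event Attempted Parse Limit, which is the effect the AIX tuning advice above is after. The CEF stream shows the other limit: five consecutive parse failures end the attempt before a full batch of events is spent on it.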