IBM Support

QRadar: How to identify Log Source Types that have the Property Autodetection Configuration enabled

How To


Summary

How an Administrator can confirm the Property Autodetection Configuration status of a Log Source Type.

Objective

This article provides simple steps to confirm which Log Source Types have the 'Property Autodetection Configuration - Enable Property Autodetection' flag Enabled.
Administrators can manually confirm whether the 'Property Autodetection Configuration - Enable Property Autodetection' flag is Enabled by following these steps.
  1. On the navigation menu, click Admin.
  2. In Data Sources, Events section, click DSM Editor.
  3. On the Select Log Source Type window, highlight a Log Source Type, click Select.
  4. On the properties page for the selected Log Source Type, click the Configuration tab.
  5. Scroll down the page and confirm whether the 'Property Autodetection Configuration - Enable Property Autodetection' flag is Enabled.
     On this same page, you can also see the 'Property Detection Format' type and whether the 'Enable Properties for use in Rules, Forwarding Profiles and Search Indexing' flag is Enabled.

Results

Administrators can follow this process to check each Log Source Type, but it is very time consuming when many Log Source Types are in use.

Environment

All QRadar versions.

Steps

Administrators can run a command against the QRadar database and retrieve the same results.
  1. Use SSH to log in to the QRadar Console as the root user.
  2. The following SQL command lists every Log Source Type that has a Property Autodetection Configuration record in the database, that is, every Log Source Type whose configuration has been saved at least once (including types where the option was later disabled again, which is why rows with active = f can appear).
    psql -U qradar -c "SELECT property_discovery_profile.id, property_discovery_profile.optimized, property_discovery_profile.active, property_discovery_profile.property_discovery_type, property_discovery_profile.sensor_device_type, sensordevicetype.devicetypename FROM property_discovery_profile JOIN sensordevicetype ON property_discovery_profile.sensor_device_type = sensordevicetype.id;"
  3. The returned information looks something similar to the following table.
     id | optimized | active | property_discovery_type | sensor_device_type |      devicetypename
    ----+-----------+--------+-------------------------+--------------------+--------------------------
      1 | f         | f      |                       1 |                211 | Websphere
      3 | f         | t      |                       1 |                353 | AhnLabPolicyCenter
      4 | f         | t      |                       1 |                321 | AkamaiKona
      5 | f         | t      |                       1 |                501 | AmazonAWSWAF
      6 | f         | t      |                       2 |                440 | AWSSecurityHub
      7 | f         | t      |                       3 |                507 | AmazonAWSRoute53
      2 | t         | f      |                       1 |                106 | Threecom8800SeriesSwitch
    (7 rows)
    
Results

By default, Property Autodetection Configuration for a Log Source Type is disabled. If a Log Source Type is not listed in the output, its 'Property Autodetection Configuration - Enable Property Autodetection' flag is set to Disabled.
active = t: the 'Enable Property Autodetection' option is enabled for the Log Source Type.
active = f: the 'Enable Property Autodetection' option is disabled for the Log Source Type.
optimized = t: the 'Enable Properties for use in Rules, Forwarding Profiles and Search Indexing' option is enabled.
optimized = f: the 'Enable Properties for use in Rules, Forwarding Profiles and Search Indexing' option is disabled.
The column 'property_discovery_type' corresponds to the Property Detection Format:
1 = JSON
2 = CEF
3 = LEEF
5 = NAME VALUE PAIR
6 = XML
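The query above only returns Log Source Types that already have a record in property_discovery_profile, so the reader has to infer "Disabled" from an absence. The following query is an added example, not part of the IBM article, that reports the status of every Log Source Type in one pass: it starts from sensordevicetype, LEFT JOINs the profile table, and decodes the boolean and integer columns into the labels shown in the DSM Editor. The table and column names are exactly those used in the article's command and output; the format codes are the ones the article documents (code 4 is not documented there, so it is shown undecoded rather than guessed). The file name /tmp/autodetect_status.sql is an assumed example path.

```sql
-- Added example (not from the IBM article). Read-only status report of the
-- Property Autodetection Configuration for ALL Log Source Types.
-- Run on the QRadar Console as root, for example:
--   psql -U qradar -f /tmp/autodetect_status.sql
--
-- Table/column names: sensordevicetype(id, devicetypename) and
-- property_discovery_profile(id, optimized, active, property_discovery_type,
-- sensor_device_type), as shown in the article's query and output.

SELECT
    sdt.id              AS sensor_device_type,
    sdt.devicetypename,
    -- No profile row means the option has never been saved: Disabled by default.
    CASE
        WHEN pdp.id IS NULL THEN 'Disabled (never configured)'
        WHEN pdp.active     THEN 'Enabled'
        ELSE                     'Disabled'
    END                 AS property_autodetection,
    -- 'Enable Properties for use in Rules, Forwarding Profiles and Search Indexing'
    CASE
        WHEN pdp.id IS NULL THEN 'n/a'
        WHEN pdp.optimized  THEN 'Enabled'
        ELSE                     'Disabled'
    END                 AS use_in_rules_forwarding_indexing,
    -- Property Detection Format codes documented in the article; anything else
    -- (including the undocumented code 4) is printed as its raw number.
    CASE
        WHEN pdp.id IS NULL                    THEN 'n/a'
        WHEN pdp.property_discovery_type = 1   THEN 'JSON'
        WHEN pdp.property_discovery_type = 2   THEN 'CEF'
        WHEN pdp.property_discovery_type = 3   THEN 'LEEF'
        WHEN pdp.property_discovery_type = 5   THEN 'NAME VALUE PAIR'
        WHEN pdp.property_discovery_type = 6   THEN 'XML'
        ELSE 'undocumented code ' || pdp.property_discovery_type::text
    END                 AS property_detection_format
FROM sensordevicetype AS sdt
LEFT JOIN property_discovery_profile AS pdp
       ON pdp.sensor_device_type = sdt.id
ORDER BY property_autodetection, sdt.devicetypename;

-- Quick tally: how many Log Source Types currently have autodetection enabled.
SELECT count(*) AS enabled_log_source_types
FROM property_discovery_profile
WHERE active;
```

Both statements are SELECTs and change nothing; keep it that way, since editing the QRadar configuration tables directly (rather than through the DSM Editor) is not something to do without IBM Support guidance. If you only want the enabled types, add `WHERE pdp.active` to the first query; with the LEFT JOIN that filter also drops the never-configured rows, which is the intended result in that case.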

Document Location

Worldwide


Document Information

Modified date:
10 May 2023

UID

ibm16985643