Topic
  • 7 replies
  • Latest Post - 2012-09-10T16:03:06Z by SystemAdmin
SystemAdmin
797 Posts

Pinned topic Multiple JDBC log sources on a single database/DSM

2011-11-14T14:07:56Z
I am trying to configure a new log source to connect to a SQL Server database table on a SQL Server database where I already have another log source defined on a different table. It appears QRadar will not allow you to reuse the log source identifier. Here is what I have:

1 existing log source:
- Universal DSM
- JDBC
- Log Source Identifier "database@192.168.1.1"
- Database Name: database
- Host Name: 192.168.1.1
- Table Name: Audit

1 new log source I am trying to add but can't:
- Universal DSM
- JDBC
- Log Source Identifier "database@192.168.1.1"
- Database Name: database
- Host Name: 192.168.1.1
- Table Name: ServiceException

When I attempt to save the new log source the "Add a Log Source" screen says "A log source of this log source type already exists for the specified Log Source Identifier".

How can I work around this? I need to capture new rows from two different tables within the same database.

Thanks
Posted By Nathan Reid
  • SystemAdmin

    Re: It's your Log Source Type/Protocol

    2011-11-14T16:16:14Z
    The only way to have two log sources with the same Log Source Identifier is to have them use a different DSM (Log Source Type). Both of your log sources use the Universal DSM.

    However, since you are using the Universal DSM, I would assume that it should pick up just about anything that comes from that host, so if you are sending the logs for both databases then it should be getting them.

    What kind of SQL Server are you running? I know that there is a DSM for parsing Microsoft SQL Server logs. Nothing for MySQL specifically though.
    Posted By Ty
  • SystemAdmin

    Re: I want to use it to collect rows

    2011-11-14T17:24:03Z
    I want to use it to collect rows from two different database tables within the same database. I do not want to collect logs from the SQL Server itself. It is SQL Server 2008 R2 Enterprise.
    Posted By Nathan Reid
  • SystemAdmin

    Re: Q1 support got back to me and

    2011-11-14T18:00:35Z
    Q1 support got back to me and said if you define the log source identifier as table name | database@hostname it works. I tried that and everything is working now.
    Posted By Nathan Reid
  • SystemAdmin

    Re: Logfile / SFTP

    2011-12-09T12:09:35Z
    Hi, I have the same problem, just not regarding JDBC but using the Log File protocol combined with SFTP.

    I have a setup with 4 Luna SA servers, where I have a script on the QRadar box that connects to the Luna servers and fetches some raw log files.

    I then need QRadar to be able to read these logs and parse them with different uDSMs depending on which log file we are talking about.

    How would I get this to work?

    Thanks
    Posted By Hendrik Johns
  • SystemAdmin

    Re: You might be able to add some

    2011-12-12T21:04:21Z
    You might be able to add some CNAME DNS records so the log source identifiers are unique for each log source. It's a work-around at best and I've never tried it.
    Posted By Brad Judy
  • SystemAdmin

    Re: Is there any official

    2012-09-10T14:21:28Z
    Is there any official solution for the issue with multiple Universal DSMs?
    We have several business applications (JDBC, SMB Tail protocols) we need to support running on the same host...
    Posted By Nikolaenya Dmitry
  • SystemAdmin

    Re: As long as the log source

    2012-09-10T16:03:06Z
    As long as the log source identifiers are different, you should be good to go. In the two uDSM types you just listed, the JDBC log source identifier is DATABASE@HOSTNAME while SMB Tail will be the NetBIOS name of the machine.

    For many of the protocols, I have found the log source identifier to be arbitrary. So if you have two Log File uDSMs, you can call them "Log File 1" and "Log File 2", and it works just fine. I haven't used all the protocols, but if it's a polling protocol (where QRadar reaches out and gets the logs), then I would try arbitrary log source identifiers first.
    Posted By Xavier Ashe
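The uniqueness rule the thread arrives at (identifier must be unique per Log Source Type, with the "table | database@hostname" form from Q1 support for several JDBC tables on one database, and arbitrary identifiers for polling protocols such as Log File) can be checked before creating the log sources. The following is an added pre-flight check written for this page, not QRadar code; the `LogSource` fields, the sample hosts and the `label` field are assumptions.

```python
"""Pre-flight check of planned QRadar log sources against the rule from this thread:
QRadar rejects a new log source only when BOTH the Log Source Type (DSM) and the
Log Source Identifier are already taken."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class LogSource:
    log_source_type: str          # DSM, e.g. "Universal DSM"
    protocol: str                 # "JDBC", "SMB Tail" or "Log File"
    host: str                     # IP/hostname, or NetBIOS name for SMB Tail
    database: Optional[str] = None
    table: Optional[str] = None
    label: Optional[str] = None   # hypothetical free-text name for polling protocols


def identifier(src: LogSource, per_table: bool = False) -> str:
    """Build the identifier each protocol in the thread uses.
    JDBC defaults to DATABASE@HOSTNAME; per_table=True switches to the
    'table | database@hostname' form Q1 support suggested."""
    if src.protocol == "JDBC":
        base = f"{src.database}@{src.host}"
        return f"{src.table} | {base}" if per_table else base
    if src.protocol == "SMB Tail":
        return src.host                 # NetBIOS name of the machine
    if src.protocol == "Log File":
        return src.label or src.host    # arbitrary label works for polling protocols
    raise ValueError(f"unsupported protocol: {src.protocol}")


def find_collisions(sources: List[LogSource], per_table: bool = False) -> List[Tuple[str, str]]:
    """Return every (type, identifier) pair that a second source would try to reuse,
    i.e. the combinations the 'Add a Log Source' screen would refuse."""
    seen = set()
    collisions = []
    for src in sources:
        key = (src.log_source_type, identifier(src, per_table))
        if key in seen:
            collisions.append(key)
        seen.add(key)
    return collisions


# Constructed sample mirroring the original post (host is a private example address).
AUDIT = LogSource("Universal DSM", "JDBC", "192.168.1.1", database="database", table="Audit")
SERVICE_EXC = LogSource("Universal DSM", "JDBC", "192.168.1.1", database="database", table="ServiceException")
LOGFILE_1 = LogSource("Universal DSM", "Log File", "10.0.0.5", label="Log File 1")
LOGFILE_2 = LogSource("Universal DSM", "Log File", "10.0.0.5", label="Log File 2")
```

Run `find_collisions([AUDIT, SERVICE_EXC])` to reproduce the rejection from the first post, and pass `per_table=True` to confirm the support workaround clears it.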