Use the Disconnected Log Collector computer or VM to create a configuration file that you copy to your Disconnected Log Collector computer or VM. You can use this method only if you are connected to the internet. Transferring the log source configuration ensures that you can use the QRadar Log Source Management app to configure the protocols that Disconnected Log Collector collects.
Procedure
- Log in to the Disconnected Log Collector computer or VM as the root user.
- Generate an import configuration file by running the following command:
/opt/ibm/si/services/dlc/current/script/importLogSourceConfig.sh -h <QRadar_IP_address> -u <QRadar_user_name> -o /tmp/logSources.json
For example, your command might look like this:
/opt/ibm/si/services/dlc/current/script/importLogSourceConfig.sh -h 192.0.2.0 -u admin -o /tmp/logSources.json
- When prompted, enter the QRadar account password.
- When the import configuration file is successfully validated, the following message appears:
Successfully validate log source file '/tmp/logSources.json'
Tip: If the logSources.json file does not validate successfully, review the /var/log/dlc/logSources.log file for details. Fix any issues, and then run the validation script again.
- Copy the validated import configuration file to /opt/ibm/si/services/dlc/conf/.
Tip: Back up the current logSources.json file so you have a version of the file that is saved elsewhere.
- Restart Disconnected Log Collector by typing the following command:
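
The backup and copy steps of this procedure, as an added shell example (not an IBM-supplied script; the function name `install_log_sources` and the default backup directory `/root/dlc-backups` are assumptions). It covers only those two steps and does not restart the collector.

```shell
#!/bin/sh
# Added example: back up the active logSources.json, then copy the validated
# file into place and confirm the copy matches the source.
# install_log_sources is a hypothetical helper, not part of the product.
#
# Usage (as root, after the import file has validated):
#   install_log_sources /tmp/logSources.json

install_log_sources() {
    src=$1                                         # validated import file
    conf_dir=${2:-/opt/ibm/si/services/dlc/conf}   # target directory from the procedure
    backup_dir=${3:-/root/dlc-backups}             # assumed backup location
    dest="$conf_dir/logSources.json"
    backup=""

    # Refuse to overwrite the active configuration with a missing or empty file.
    [ -s "$src" ] || { echo "source missing or empty: $src" >&2; return 1; }
    [ -d "$conf_dir" ] || { echo "no such directory: $conf_dir" >&2; return 1; }

    # Keep a timestamped copy of the current file outside the conf directory.
    if [ -f "$dest" ]; then
        mkdir -p "$backup_dir" && chmod 700 "$backup_dir" || return 1
        backup="$backup_dir/logSources.json.$(date +%Y%m%d-%H%M%S)"
        cp -p "$dest" "$backup" || return 1
    fi

    # Plain cp keeps the owner and mode of an existing destination file.
    # cmp confirms the installed file is byte-identical to the validated one.
    cp "$src" "$dest" && cmp -s "$src" "$dest" && return 0

    # On failure, put the previous configuration back if one was saved.
    echo "copy failed or does not match source: $dest" >&2
    [ -n "$backup" ] && cp -p "$backup" "$dest"
    return 1
}
```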