Transferring the log source configuration when you're connected to the internet

On the Disconnected Log Collector computer or VM, generate a log source configuration file and then copy it into the Disconnected Log Collector configuration directory on that same computer or VM. You can use this method only if you are connected to the internet. Transferring the log source configuration ensures that you can use the QRadar Log Source Management app to configure the protocols that Disconnected Log Collector collects.

Procedure

  1. Log in to the Disconnected Log Collector computer or VM as the root user.
  2. Generate an import configuration file by running the following command:
    /opt/ibm/si/services/dlc/current/script/importLogSourceConfig.sh -h <QRadar_IP_address> -u <QRadar_user_name> -o /tmp/logSources.json
    For example, your command might look like this:
    /opt/ibm/si/services/dlc/current/script/importLogSourceConfig.sh -h 192.0.2.0 -u admin -o /tmp/logSources.json
  3. When prompted, enter the QRadar account password.
  4. When the import configuration file is successfully validated, the following message appears:
    Successfully validate log source file '/tmp/logSources.json'
    Tip: If the logSources.json file does not validate successfully, review the /var/log/dlc/logSources.log file for details. Fix any issues, and then run the validation script again.
  5. Copy the validated import configuration file to /opt/ibm/si/services/dlc/conf/.
    Tip: Before you copy the new file, back up the current logSources.json file so that you have a version of the file saved elsewhere.
  6. Restart Disconnected Log Collector by typing the following command:
    systemctl restart dlc
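
Steps 5 and 6 as a script, with the backup from the Tip taken before the overwrite. This is an added example, not IBM's code: the function name, the backup directory /root/dlc-backups and the `--apply` switch are assumptions of the example, while the file paths and the restart command come from the procedure above.

```bash
#!/usr/bin/env bash
# Added example (not IBM's code): steps 5 and 6, with the step 5 backup taken first.
set -eu

# install_log_sources NEW_FILE CONF_DIR BACKUP_DIR
# Hypothetical helper. Prints the backup path, or an empty line if nothing was replaced.
install_log_sources() {
    local src="$1" conf_dir="$2" backup_dir="$3"
    local dest="$conf_dir/logSources.json"
    local tmp="$conf_dir/.logSources.json.new" backup=""

    # Run this only on a file the import script has already validated.
    [ -s "$src" ] || { echo "error: $src is missing or empty" >&2; return 1; }
    [ -d "$conf_dir" ] || { echo "error: $conf_dir is not a directory" >&2; return 1; }

    if [ -f "$dest" ]; then
        # Save the current file outside the conf directory.
        mkdir -p "$backup_dir" || return 1
        backup="$backup_dir/logSources.json.$(date +%Y%m%d%H%M%S)"
        cp -p "$dest" "$backup" || return 1
        # Seed the temp file from the old one so owner and mode carry over.
        cp -p "$dest" "$tmp" || return 1
    fi
    cat "$src" > "$tmp" || return 1
    # Rename inside the same directory: readers see the old or the new file, never half of one.
    mv -f "$tmp" "$dest" || return 1
    cmp -s "$src" "$dest" || { echo "error: installed file differs from $src" >&2; return 1; }
    printf '%s\n' "$backup"
}

# Nothing runs unless the script is called with --apply (as root on the DLC host).
if [ "${1:-}" = "--apply" ]; then
    install_log_sources /tmp/logSources.json /opt/ibm/si/services/dlc/conf /root/dlc-backups
    rm -f /tmp/logSources.json   # /tmp is shared; remove the export once it is installed
    systemctl restart dlc
fi
```

If Disconnected Log Collector fails to start after the restart, copy the file printed by the function back to /opt/ibm/si/services/dlc/conf/logSources.json and restart again.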