Use the QRadar® Log Source Management app to add multiple log sources to IBM® QRadar at the same time. You can add as many log sources as you want.
If you are using QRadar V7.3.0 or earlier, you can add a log source in QRadar only by using the Log Sources icon.
In QRadar 7.5.0 Update Package 4 and later, when you click the Log Sources icon, the QRadar Log Source Management app opens.
Procedure
- In the QRadar Log Source Management app, click + New Log Source and then click Multiple Log Sources.
- On the Select a Log Source type page, select a log source type and click Select Protocol Type.
- On the Select a protocol type page, select a protocol type and click Configure Common Log Source Parameters.
- On the Configure the common Log Source parameters page, configure the parameters that you want to set for all of the log sources.
- If you have log sources that have different log source parameter values, clear the relevant check boxes, and then click Configure Common Protocol Parameters.
- On the Configure the common protocol parameters page, configure the protocol-specific parameters that you want to set for all of the log sources.
- If you have log sources that have different protocol parameter values, clear the relevant check boxes, and then click Configure Individual Parameters.
- On the Configure the individual parameters page, upload a CSV file that contains the individual log source parameter values, and click Add.
  A log source is created for each line of this file, except for empty lines and comment lines that begin with a hashtag (#). Each line must contain the comma-separated list of parameter values for the Log Source Identifier field, and any other deferred parameters, in the order shown in the deferred parameters table.
- Click Bulk Template to download the file template and add the parameters that you want to configure, in order.
  For example, if you deferred the Enabled and Groups parameters, the CSV file must contain the following values:
  Enabled, Groups, Log Source Identifier
  If you include a comma in a parameter, enclose the value in double quotation marks.
- If you do not upload a CSV file:
  - Click Manual to specify the values for the parameters that you deferred.
  - Enter a Log Source Identifier for each new log source and click Add.
- Click Finish.
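A pre-upload check for the CSV file described in the procedure, as an added example that is not IBM code: it applies the stated rules (empty and # lines skipped, one value per deferred parameter in table order, commas only inside double quotation marks) so that a short or shifted row is caught before it creates a misconfigured log source. The function name, the sample rows, the tolerance for a space after a comma, and the treatment of a repeated Log Source Identifier as an error are assumptions of this example.

```python
import csv

def lint_bulk_csv(text, columns, id_column="Log Source Identifier"):
    """Return (rows, problems) for a bulk log source CSV.

    columns: deferred parameter names, in the order of the deferred
    parameters table (the order the Bulk Template uses).
    """
    id_idx = columns.index(id_column)
    rows, problems, seen = [], [], {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        # Empty lines and lines beginning with '#' create no log source.
        if not line.strip() or line.startswith("#"):
            continue
        try:
            # strict=True rejects unbalanced quotes; skipinitialspace is an
            # assumption that a space after a comma is not part of the value.
            fields = next(csv.reader([line], skipinitialspace=True, strict=True))
        except csv.Error as exc:
            problems.append((lineno, f"malformed quoting: {exc}"))
            continue
        fields = [f.strip() for f in fields]
        if len(fields) != len(columns):
            problems.append((lineno, f"expected {len(columns)} values, got {len(fields)}"))
        elif not fields[id_idx]:
            problems.append((lineno, "empty Log Source Identifier"))
        elif fields[id_idx] in seen:
            # Assumption of this example: a repeated identifier is a mistake.
            problems.append((lineno, f"duplicate of line {seen[fields[id_idx]]}"))
        else:
            seen[fields[id_idx]] = lineno
            rows.append(dict(zip(columns, fields)))
    return rows, problems

# Constructed sample: Enabled and Groups deferred, as in the page's example.
COLUMNS = ["Enabled", "Groups", "Log Source Identifier"]
SAMPLE = """# site A firewalls
true,Firewalls,fw01.example.test

true,"Firewalls, Site A",fw02.example.test
false,Firewalls
true,Firewalls,fw01.example.test
"""

if __name__ == "__main__":
    rows, problems = lint_bulk_csv(SAMPLE, COLUMNS)
    print(f"{len(rows)} log sources would be created")
    for lineno, msg in problems:
        print(f"line {lineno}: {msg}")
```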
What to do next
Test your log sources. For more information, see Testing log sources.