If the log source is not automatically discovered, manually add a log source for QRadar to receive events from your network devices or appliances.

If you are using QRadar 7.3.0 or earlier, you can add a log source in QRadar only by using the Log Sources icon. If you are using QRadar 7.3.1 or later, you can add a log source by using the QRadar Log Source Management app.
Procedure
- Log on to QRadar.
- Click the Admin tab.
- Click the Log Sources icon.
- Click Add.
- Configure the common parameters for your log source.
- Configure the protocol-specific parameters for your log source.
The following table describes the common log source parameters for all log source types:
Table 2. Common log source parameters

| Parameter | Description |
| --- | --- |
| Enabled | When this option is not enabled, the log source does not collect events. |
| Credibility | Credibility represents the integrity or validity of events that are created by a log source. The credibility value that is assigned to a log source can increase or decrease based on incoming events and can be adjusted in response to user-created event rules. The credibility of events from log sources contributes to the calculation of the offense magnitude and can increase or decrease the magnitude value of an offense. |
| Target Event Collector | Specifies the QRadar host where the log source's protocol runs. Outbound protocols initiate connections to remote systems from this host, and inbound protocols start their port listeners on this host to receive event data sent by remote systems. This parameter is not used to assign a log source to a particular Event Collector appliance: because the Event Collector component exists on Event Collectors, Event Processors, Data Gateways (QRadar on Cloud only), and the QRadar Console, the protocol can be assigned to any of these hosts. Tip: All QRadar hosts that can collect events have an active syslog listener on port 514, whether or not any syslog log sources are assigned to them. The Target Event Collector parameter is not used for log sources that use the Syslog protocol. |
| Coalescing Events | When multiple events with the same QID, Username, Source IP, Destination IP, Destination Port, Domain, and Log Source occur within a short time interval (10 seconds), they are coalesced (bundled) together. Because the events are bundled, fewer events are stored, which reduces the storage cost of events. Coalescing events might lead to loss of information, including raw payloads or event properties. The default is enabled. For more information, see How does coalescing work in QRadar? |
- Click Save.
- On the Admin tab, click Deploy Changes.
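The Coalescing Events parameter in Table 2 trades storage for detail: events that share the seven key fields within a 10-second window are stored as one record, and the raw payloads of the bundled events are not kept. The following model, written for this page and not QRadar's own code, makes that trade-off concrete on a constructed batch of seven events so you can see how many records survive and exactly which payloads are lost when the option is on versus off. Beyond what the page states, it assumes that the 10-second window is measured from the first event of a bundle and that the stored record keeps only the first event's payload plus a count; the event field names, QID value, hosts and session ids are constructed placeholders.

```python
"""Illustrative model of the coalescing behaviour described for the
Coalescing Events parameter.

Added example for this page, not QRadar's own code.  Assumptions (not stated
on the page): the 10-second window is measured from the first event of a
bundle, the stored record keeps the first event's raw payload plus a count,
and the payloads of the bundled events are what gets lost.
"""
from dataclasses import dataclass, field

COALESCE_WINDOW_SECONDS = 10

# The seven fields the page lists as the coalescing key.
KEY_FIELDS = ("qid", "username", "source_ip", "destination_ip",
              "destination_port", "domain", "log_source")


@dataclass
class Event:
    timestamp: int          # seconds since an arbitrary epoch (constructed)
    qid: int
    username: str
    source_ip: str
    destination_ip: str
    destination_port: int
    domain: str
    log_source: str
    payload: str            # raw event payload


@dataclass
class StoredRecord:
    """What survives storage: the first event, a count, and (for illustration
    only) the payloads that were discarded by bundling."""
    first: Event
    count: int = 1
    lost_payloads: list = field(default_factory=list)


def coalesce_key(ev: Event) -> tuple:
    return tuple(getattr(ev, name) for name in KEY_FIELDS)


def coalesce(events, enabled=True, window=COALESCE_WINDOW_SECONDS):
    """Return the records that would be stored for `events`.

    Events are processed in timestamp order.  An event joins the open bundle
    for its key if it falls within `window` seconds of that bundle's first
    event; otherwise it starts a new bundle (and a new stored record).
    With `enabled=False` every event is stored on its own.
    """
    open_bundles = {}
    stored = []
    for ev in sorted(events, key=lambda e: e.timestamp):
        key = coalesce_key(ev)
        bundle = open_bundles.get(key) if enabled else None
        if bundle is not None and ev.timestamp - bundle.first.timestamp <= window:
            bundle.count += 1
            bundle.lost_payloads.append(ev.payload)   # raw payload not stored
        else:
            bundle = StoredRecord(first=ev)
            open_bundles[key] = bundle
            stored.append(bundle)
    return stored


def _ev(t, port=443, payload=""):
    """Build a constructed sample event; only timestamp, port and payload vary."""
    return Event(timestamp=t, qid=100001, username="svc-backup",
                 source_ip="10.0.0.5", destination_ip="10.0.0.20",
                 destination_port=port, domain="Default",
                 log_source="fw-edge-01", payload=payload)


# Constructed sample: five identical-key events in 5 seconds (payloads differ
# only by a session id), one event to a different port, and one repeat of the
# first key after the 10-second window has elapsed.
SAMPLE_EVENTS = [
    _ev(0, payload="session=1"),
    _ev(1, payload="session=2"),
    _ev(2, payload="session=3"),
    _ev(3, payload="session=4"),
    _ev(3, port=22, payload="session=ssh"),
    _ev(4, payload="session=5"),
    _ev(12, payload="session=6"),
]


def storage_summary(events, enabled=True):
    """(events received, records stored, payloads lost) for the given setting."""
    records = coalesce(events, enabled=enabled)
    lost = sum(len(r.lost_payloads) for r in records)
    return len(events), len(records), lost


if __name__ == "__main__":
    for enabled in (True, False):
        received, stored, lost = storage_summary(SAMPLE_EVENTS, enabled)
        print(f"coalescing={'on' if enabled else 'off'}: received={received} "
              f"stored={stored} payloads_lost={lost}")
    for r in coalesce(SAMPLE_EVENTS):
        print(r.first.timestamp, r.first.destination_port, r.count, r.lost_payloads)
```

With coalescing on, the seven constructed events become three stored records and four raw payloads are gone; with it off, all seven are stored. The event to port 22 is never bundled with the others because Destination Port is part of the key, and the event at 12 seconds starts a fresh record because the window has closed. When deciding per log source whether to keep the default, weigh that second number against the first: the discarded payloads are precisely the per-event detail an investigator would otherwise pull from the raw record.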