Editing bulk log sources

In the QRadar® Log Source Management app, you can view and edit multiple log sources at the same time. You can edit the parameters of up to 1000 log sources at one time. Use a bulk edit when the log sources share parameters that you want to change, instead of editing each log source individually.

If you are using QRadar V7.3.1 to V7.3.3, you can also edit bulk log sources by using the Log Sources icon.

In QRadar 7.5.0 Update Package 4 and later, when you click the Log Sources icon, the QRadar Log Source Management app opens.

Before you begin

Ensure that the QRadar Log Source Management app is installed on your QRadar Console. For more information about installing the app, see Installing the QRadar Log Source Management app.

Procedure

  1. In the QRadar Log Source Management app, select the relevant log sources that you want to edit.
  2. Click Edit.
  3. In the Log Source Summary pane, select and edit the parameters and click Save.
    Restriction: The Log Source Identifier, Log Source Type and Protocol Configuration parameters cannot be edited in bulk in the QRadar Log Source Management app. To edit the Log Source Type parameter in bulk by using the API, see QRadar: How to change log source type in bulk by using the QRadar API.
  4. In the Name Template and Description Template fields, use the available variables to create the names and descriptions of the selected log sources.
  5. Click the Protocol tab to edit the protocol parameters for the selected log sources. The selected log sources must share a protocol.
  6. Click Save.

Editing bulk log sources by using the Log Sources icon

You can edit log sources in bulk to update the configuration parameters for log sources that were added as part of a bulk log source.

Restriction: The Log Source Identifier, Log Source Type and Protocol Configuration parameters cannot be edited in bulk by using the Log Sources icon. To edit the Log Source Type parameter in bulk by using the API, see QRadar: How to change log source type in bulk by using the QRadar API.

If you are using QRadar V7.3.0 or earlier, you can edit multiple log sources in QRadar only by using the Log Sources icon.

If you are using QRadar V7.3.1 to V7.3.3, you can also edit multiple log sources by using the QRadar Log Source Management app.

Procedure

  1. Click the Admin tab.
  2. In the Data Sources section, click the Log Sources icon.
  3. Select the log sources that you want to edit, and from the Bulk Actions list, select Bulk Edit.
  4. Modify the relevant parameters.
  5. Optional: The list of log sources is for display purposes only. The check boxes are only used during the workflow for adding log sources to QRadar.
  6. Click Save to update your log source configuration.
  7. Click Continue to add the log sources.
  8. Optional: On the Admin tab, click Deploy Changes if you added an IP address or host name to your bulk log source.

Results

The bulk log source is updated.