Testing log sources

In IBM® QRadar® V7.3.2 Fix Pack 3 or later, test your log source configuration in the QRadar Log Source Management app to ensure that the parameters that you used are correct. The test runs from the host that you specify in the Target Event Collector setting, and can collect sample event data from the target system. The target system is the source of your event data.

Restriction: If the Test tab doesn’t appear for your log source, you can't test the configuration. In QRadar V7.3.2 Fix Pack 3 and QRadar Log Source Management app v5.0.0, only a few protocols are updated to include test capabilities. Ensure that you install the latest version of your protocols to get the testing capability when it is available.

To download a Fix Pack, go to Fix Central (https://www-945.ibm.com/support/fixcentral/).

Procedure

  1. In the QRadar Log Source Management app, select a log source.
  2. On the Log Source Summary pane, click the Test tab, then click Start Test.
    If there is high network latency between the QRadar Console and the log source's Target Event Collector, it might take a moment for the results to appear.
    When the test is successful, checkmarks are displayed next to each of the results and sample event information is generated. If the test is not successful, an X is displayed next to the result that failed, and no sample event information is generated. When one result fails, the test of the other results is canceled.
  3. Optional: If the test is not successful, click Edit to configure the parameter that caused the test to fail and test your log source again.
    Click the drop-down arrow next to the failed result for more information about the error.
  4. Optional: Click the Settings icon to edit the Target Event Collector settings.
  5. Optional: Click the Download icon to view the test results in a .txt file.
  6. Click Close.