Uploading extension documents to QRadar

You can create multiple extension documents, upload them, and associate them with various log source types. The logic from the log source extension (LSX) is then used to parse the logs from the unsupported log source.

Extension documents can be stored anywhere before you upload to IBM® QRadar®.

Procedure

  1. On the Admin tab, click Log Source Extensions.
  2. Click Add.
  3. Assign a name.
  4. Optional: If you want to apply this log source extension to more than one instance of a log source type, select the log source type from the available Log Source Type list and click the add arrow to set it as the default.

    Setting the default log source type applies the log source extension to all events of a log source type, including those log sources that are automatically discovered.

    Test the extension for the log source type first to confirm that the events are parsed correctly.

  5. Click Browse to locate the LSX that you saved and then click Upload.

    QRadar validates the document against the internal XSD and verifies the validity of the document before the extension document is uploaded to the system.

  6. Click Save and close the window.
  7. Associate the log source extension to a log source.
    1. From the Admin tab, click Data Sources > Log Sources.
    2. Double-click the log source type that you created the extension document for.
    3. From the Log Source Extension list, select the document that you created.
    4. Click Save and close the window.
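
A local pre-upload check for the testing advice in step 4, as an added example that is not IBM's code and does not replace the XSD validation that QRadar performs at upload. The LSX element and attribute names (device-extension, pattern, match-group, matcher, pattern-id, capture-group) and the sample events are assumptions not shown on this page, and Python's re module stands in for the regex engine QRadar uses, so a pattern can behave differently there.

```python
import re
import xml.etree.ElementTree as ET

# Constructed LSX and events; element/attribute names are assumed, not from this page.
SAMPLE_LSX = r"""<device-extension xmlns="event_parsing/device_extension">
  <pattern id="EventName" xmlns=""><![CDATA[action=(\w+)]]></pattern>
  <pattern id="SourceIp" xmlns=""><![CDATA[src=(\d{1,3}(?:\.\d{1,3}){3})]]></pattern>
  <match-group order="1" description="Constructed example" xmlns="">
    <matcher field="EventName" order="1" pattern-id="EventName" capture-group="1"/>
    <matcher field="SourceIp" order="1" pattern-id="SourceIp" capture-group="1"/>
  </match-group>
</device-extension>"""
SAMPLE_EVENTS = [
    "<13>Jan 10 12:00:01 fw01 action=DENY src=192.0.2.10 dst=198.51.100.7",
    "<13>Jan 10 12:00:02 fw01 heartbeat ok",  # deliberately not covered
]

def _elements(root, name):
    # Match on local name so namespaced and un-namespaced tags both work.
    return [e for e in root.iter() if e.tag.rsplit("}", 1)[-1] == name]

def check_lsx(lsx_text, events):
    """Return (problems, per-event extracted fields) for an LSX document."""
    try:
        root = ET.fromstring(lsx_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"], []
    problems, patterns = [], {}
    for el in _elements(root, "pattern"):
        try:
            patterns[el.get("id")] = re.compile(el.text or "")
        except re.error as exc:
            patterns[el.get("id")] = None  # defined, but unusable
            problems.append(f"pattern {el.get('id')!r} does not compile: {exc}")
    matchers = _elements(root, "matcher")
    for m in matchers:
        pid = m.get("pattern-id")
        if pid not in patterns:
            problems.append(f"field {m.get('field')!r}: undefined pattern {pid!r}")
    extracted = []
    for event in events:
        fields = {}
        for m in matchers:
            rx, grp = patterns.get(m.get("pattern-id")), m.get("capture-group", "0")
            hit = rx.search(event) if rx else None
            if hit and grp.isdigit() and int(grp) <= rx.groups:  # numeric groups only
                fields[m.get("field")] = hit.group(int(grp))
        extracted.append(fields)
    return problems, extracted
```

An empty field dictionary for a sample event means no matcher fired on it, which is the case to resolve before setting the extension as the default for a log source type.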