Configuring a log source for collection by a Disconnected Log Collector

When you configure your Disconnected Log Collector as a log source, the events are forwarded to IBM® QRadar®.

Before you begin

If your log source type is not autodetectable by default, you must do some further configuration to ensure that your forwarded events are detected automatically by QRadar. For more information, see Adding log sources for Disconnected Log Collector and Forwarded events.

Procedure

  1. In the QRadar Log Source Management app, click Log Sources.
  2. Click + New Log Source and then click Single Log Source or Multiple Log Sources.
  3. On the Select a Log Source type page, select a log source type. Then, type the Name and select the Disconnected Log Collector that you registered. Click Select Protocol Type.
    Tip: Choosing a Disconnected Log Collector instance removes the Target Event Collector log source parameter field because the Disconnected Log Collector instance collects data for the log source.
  4. On the Select a protocol type page, select a protocol type that your Disconnected Log Collector supports, and then click Configure Log Source Parameters.
  5. On the Configure the Log Source parameters page, choose the log source configuration from which the log source receives events. Then, configure the other parameters that you want to set for the log source.
  6. On the Configure the protocol parameters page, configure the protocol-specific parameters.
    Table 1. Disconnected Log Collector protocol parameters
    Parameter Description
    Log Source Identifier

    Type a unique name for the log source.

    The Log Source Identifier can be any valid value and does not need to reference a specific server. It can also be the same value as the Log Source Name. If you have more than one configured DLC log source, ensure that you give each one a unique name.

    Listen Port

    Enter the QRadar server port to receive Disconnected Log Collector events. The default port is 32500.

    32500 or 32501 are the only ports available for DLC.

    Authentication by Common Name

    The Disconnected Log Collector authentication method. If selected, authentication is by the Common Name (UUID) of the client certificate, which is passed by Disconnected Log Collector. If not selected, authentication is by the alias name of the certificate issuer, which is passed by Disconnected Log Collector.

    CN/Alias Allowlist

    If authentication is by Common Name, enter the UUID of the Disconnected Log Collector instance as the Common Name. If there’s more than one instance, enter a comma-separated list of the UUIDs.

    If authentication is by the alias name, enter the alias name of the root CA that is in the truststore for the Disconnected Log Collector certificate.

    Each listening port is limited to 50 UUID connections.

    Tip: To see a list of aliases that are in the truststore, run the following command:

    keytool -list -v -keystore /etc/pki/ca-trust/extracted/java/cacerts | grep Alias

    Key Store File Name

    IBM Support provides the name of the file in the support ticket.

    Key Store Password

    IBM Support provides the password of the file in the support ticket.

    Check Revocation

    Select the checkbox to check whether the certificate is revoked.

    Trust Store File Path

    IBM Support provides the path of the truststore in the support ticket.

    Trust Store File Password

    IBM Support provides the password of the truststore in the support ticket.
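
The constraints in Table 1 (only ports 32500 and 32501, UUID entries in the CN/Alias Allowlist, at most 50 UUIDs per listening port, a unique Log Source Identifier for each DLC log source) can be checked before the values are entered. The following Python check is an added example, not IBM code; the dictionary keys, the canonical UUID format, and counting the 50-UUID limit across all planned log sources that share a port are assumptions.

```python
import re
from collections import defaultdict

ALLOWED_PORTS = {32500, 32501}   # the only DLC listen ports named on this page
MAX_UUIDS_PER_PORT = 50          # per-port UUID connection limit from this page
# Assumption: the certificate Common Name is a canonical 8-4-4-4-12 hex UUID.
UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)


def validate_plan(log_sources):
    """Return problems in a planned set of DLC log sources (dict keys are hypothetical)."""
    problems = []
    seen_ids = set()
    uuids_by_port = defaultdict(set)
    for src in log_sources:
        ident, port = src["identifier"], src["port"]
        if ident in seen_ids:
            problems.append(f"{ident}: Log Source Identifier is not unique")
        seen_ids.add(ident)
        if port not in ALLOWED_PORTS:
            problems.append(f"{ident}: port {port} is not 32500 or 32501")
        entries = [e.strip() for e in src["allowlist"].split(",")]
        if any(not e for e in entries):
            problems.append(f"{ident}: empty entry in CN/Alias Allowlist")
        if not src["by_cn"]:
            continue  # alias mode: entries are root CA aliases, not UUIDs
        for e in filter(None, entries):
            if UUID_RE.match(e):
                uuids_by_port[port].add(e.lower())
            else:
                problems.append(f"{ident}: '{e}' is not a UUID")
    # Assumption: the 50-UUID limit is counted over every log source on the port.
    for port, uuids in sorted(uuids_by_port.items()):
        if len(uuids) > MAX_UUIDS_PER_PORT:
            problems.append(f"port {port}: {len(uuids)} UUIDs exceeds the limit of 50")
    return problems


# Constructed sample plan (these are not real collector UUIDs).
SAMPLE = [
    {"identifier": "dlc-branch-a", "port": 32500, "by_cn": True,
     "allowlist": "1b4e28ba-2fa1-41d2-883f-0016d3cca427, 6fa459ea-ee8a-4ca4-894e-db77e160355e"},
    {"identifier": "dlc-branch-a", "port": 32502, "by_cn": True,
     "allowlist": "not-a-uuid,"},
]

if __name__ == "__main__":
    for line in validate_plan(SAMPLE):
        print(line)
```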

What to do next

Choose one of the following methods to transfer your log source configuration to the Disconnected Log Collector computer or VM.