Configuring a log source for collection by a Disconnected Log Collector
When you configure your Disconnected Log Collector as a log source, the events are forwarded to IBM® QRadar®.
Before you begin
If your log source type is not autodetectable by default, you must do some further configuration to ensure that your forwarded events are detected automatically by QRadar. For more information, see Adding log sources for Disconnected Log Collector and Forwarded events.
- In the QRadar Log Source Management app, click Log Sources.
- Click + New Log Source and then click Single Log Source or Multiple Log Sources.
- On the Select a Log Source type page, select a log source type. Then, type the Name and select the Disconnected Log Collector that you registered. Click Select Protocol Type.
  Tip: Choosing a Disconnected Log Collector instance removes the Target Event Collector log source parameter field because the Disconnected Log Collector instance collects data for the log source.
- On the Select a protocol type page, select a protocol type that your Disconnected Log Collector supports, and then click Configure Log Source Parameters.
- On the Configure the Log Source parameters page, choose the log source configuration from which the log source receives events. Then, configure the other parameters that you want to set for the log source.
- On the Configure the protocol parameters page, configure the
Table 1. Disconnected Log Collector protocol parameters

Parameter: Log Source Identifier
Description: Type a unique name for the log source. The Log Source Identifier can be any valid value and does not need to reference a specific server. It can also be the same value as the Log Source Name. If you have more than one configured DLC log source, ensure that you give each one a unique name.

Description: Enter the QRadar server port to receive Disconnected Log Collector events. The default port is 32500. 32500 or 32501 are the only ports available for DLC.

Parameter: Authentication by Common Name
Description: The Disconnected Log Collector authentication method. If selected, authentication is by the Common Name (UUID) of the client certificate, which is passed by Disconnected Log Collector. If not selected, authentication is by the alias name of the certificate issuer, which is passed by Disconnected Log Collector.

Parameter: CN/Alias Allowlist
Description: If authentication is by Common Name, enter the UUID of the Disconnected Log Collector instance as the Common Name. If there’s more than one instance, enter a comma-separated list of the UUIDs.
If authentication is by the alias name, enter the alias name of the root CA that is in the truststore for the Disconnected Log Collector certificate.
Each listening port is limited to 50 UUID connections.
Tip: To see a list of aliases that are in the truststore, run the following command:
keytool -list -v -keystore /etc/pki/ca-trust/extracted/java/cacerts | grep Alias

Parameter: Key Store File Name
Description: IBM Support provides the name of the file in the support ticket.

Parameter: Key Store Password
Description: IBM Support provides the password of the file in the support ticket.

Parameter: Check Revocation
Description: Select the checkbox to check whether the certificate is revoked.

Parameter: Trust Store File Path
Description: IBM Support provides the path of the truststore in the support ticket.

Parameter: Trust Store File Password
Description: IBM Support provides the password of the truststore in the support ticket.
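
A pre-flight check for the parameters in Table 1, as an added example that is not IBM's code: it validates a planned set of DLC log sources against the constraints stated above (unique Log Source Identifier, port 32500 or 32501, UUID-format allowlist entries when authentication is by Common Name, and the per-port limit of 50). The dictionary field names and sample values are constructed for illustration, and counting the limit as distinct allowlisted UUIDs per port is an assumption.

```python
import uuid
from collections import defaultdict

ALLOWED_PORTS = {32500, 32501}  # the only ports the page lists for DLC
MAX_UUIDS_PER_PORT = 50         # assumption: limit counts distinct UUIDs per port

def parse_allowlist(value):
    """Split a comma-separated CN/Alias Allowlist into trimmed entries."""
    return [e.strip() for e in value.split(",") if e.strip()]

def is_uuid(entry):
    """True only for the canonical hyphenated UUID form."""
    try:
        return str(uuid.UUID(entry)) == entry.lower()
    except ValueError:
        return False

def check_plan(sources):
    """Return the problems found in a list of planned DLC log sources."""
    problems, seen_ids = [], set()
    uuids_by_port = defaultdict(set)
    for s in sources:
        ident, port = s["identifier"], s["port"]
        if ident in seen_ids:
            problems.append(f"{ident}: Log Source Identifier is not unique")
        seen_ids.add(ident)
        if port not in ALLOWED_PORTS:
            problems.append(f"{ident}: port {port} is not 32500 or 32501")
        entries = parse_allowlist(s["allowlist"])
        if not entries:
            problems.append(f"{ident}: CN/Alias Allowlist is empty")
        # Alias-based entries are free-form names, so only CN entries are UUID-checked.
        for e in entries if s["auth_by_cn"] else []:
            if is_uuid(e):
                uuids_by_port[port].add(e.lower())
            else:
                problems.append(f"{ident}: '{e}' is not a UUID")
    for port, ids in sorted(uuids_by_port.items()):
        if len(ids) > MAX_UUIDS_PER_PORT:
            problems.append(f"port {port}: {len(ids)} UUIDs exceed {MAX_UUIDS_PER_PORT}")
    return problems

# Constructed sample plan; field names and values are hypothetical.
PLAN = [
    {"identifier": "dlc-site-a", "port": 32500, "auth_by_cn": True,
     "allowlist": "0f8fad5b-d9cb-469f-a165-70867728950e, 7c9e6679-7425-40de-944b-e07fc1f90ae7"},
    {"identifier": "dlc-site-b", "port": 32502, "auth_by_cn": True, "allowlist": "not-a-uuid"},
    {"identifier": "dlc-site-a", "port": 32501, "auth_by_cn": False, "allowlist": "my-root-ca"},
]
```

Calling `check_plan(PLAN)` returns one message per violation; an empty list means the plan satisfies every constraint checked here.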