Use the QRadar Log Source Management app to create a configuration file that you copy to your Disconnected Log Collector computer or VM. You can use this method without connecting to the internet. Transferring the log source configuration ensures that you can use the QRadar Log Source Management app to configure the protocols that Disconnected Log Collector collects.
Procedure
- In the QRadar Log Source Management app, click Disconnected Log Collectors.
- From the list of your registered Disconnected Log Collector log source configurations, select the Disconnected Log Collector that you are using, and from the menu, click Export Log Sources.
- Enter a password for the export file, and then click Start.
  An encrypted configuration file downloads to your computer and is named dlc-config-<UUID>.json, where <UUID> is the identifier that is unique to the Disconnected Log Collector instance.
- Log in to the Disconnected Log Collector computer or VM as the root user.
- Copy the encrypted configuration file to the /tmp directory or your preferred location.
- Generate an import configuration file by running the following command:
  /opt/ibm/si/services/dlc/current/script/importLogSourceConfig.sh -i dlc-config-<UUID>.json -o /tmp/logSources.json
- When prompted, enter the password that you specified for the encrypted configuration file.
  The following message appears after the import configuration file is successfully validated:
  Successfully validate log source file '/tmp/logSources.json'
  Tip: If the logSources.json file does not validate successfully, review the /var/log/dlc/logSources.log file for details. Fix any issues, and then run the validation script again.
- Copy the validated import configuration file to /opt/ibm/si/services/dlc/conf/.
  Tip: Back up the current logSources.json file so you have a version of the file that is saved elsewhere.
- Restart Disconnected Log Collector by typing the following command:
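
For the backup and copy steps above (not the restart, which this sketch does not run), the following shell function is an added example, not IBM's own tooling: it saves the current logSources.json outside the conf directory and then replaces it with the validated file. The backup directory /root/dlc-backups and the function name install_log_sources are assumptions.

```shell
#!/bin/sh
# Added example (not IBM code): back up the active logSources.json outside the
# conf directory, then swap in the validated import file.

DLC_CONF_DIR=/opt/ibm/si/services/dlc/conf   # path from the procedure
DLC_BACKUP_DIR=/root/dlc-backups             # hypothetical backup location

# Usage: install_log_sources VALIDATED_FILE [CONF_DIR] [BACKUP_DIR]
# Prints the backup path on stdout (empty if no previous file existed).
install_log_sources() {
    src=$1
    conf_dir=${2:-$DLC_CONF_DIR}
    backup_dir=${3:-$DLC_BACKUP_DIR}
    dest="$conf_dir/logSources.json"
    tmp="$dest.new.$$"
    backup=""

    [ -s "$src" ] || { echo "missing or empty: $src" >&2; return 1; }
    [ -d "$conf_dir" ] || { echo "no such directory: $conf_dir" >&2; return 1; }

    if [ -f "$dest" ]; then
        mkdir -p -m 700 "$backup_dir" || return 1
        backup="$backup_dir/logSources.json.$(date +%Y%m%d%H%M%S)"
        cp -p "$dest" "$backup" || return 1
        # Stage a copy of the live file so the new one keeps its owner and mode.
        cp -p "$dest" "$tmp" || return 1
    else
        # No previous file: create the staged file readable by its owner only.
        ( umask 077 && : > "$tmp" ) || return 1
    fi

    # Fill the staged file, then rename it so the file in conf is replaced in one step.
    if cat "$src" > "$tmp" && mv -f "$tmp" "$dest"; then
        printf '%s\n' "$backup"
    else
        rm -f "$tmp"
        return 1
    fi
}
```

Run it as root once importLogSourceConfig.sh has reported successful validation, for example `install_log_sources /tmp/logSources.json`.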