Adding log sources for Disconnected Log Collector

Disconnected Log Collector is configured to collect log information from UDP and TCP syslog log sources. You can add other log sources by modifying the logSources.json configuration file, which defines the log sources.

About this task

Readme files are provided for the additional log source protocols that you can use with Disconnected Log Collector, and a script is provided to validate your log source definitions. The validation script ensures that the JSON file is properly formatted, and also validates the values that you provide for each parameter against the schema definition in the readme file.

Important: Define the new log source definitions in a file other than the logSources.json file, and then add the definitions into logSources.json when the configuration is complete and valid.

Disconnected Log Collector regularly scans logSources.json file for changes. If you edit the logSources.json file directly, your log source collection might be disrupted if you enter invalid information.

Note: When you add log sources with Gateway capabilities, or when you use the logSourceIdentifierPattern variable, any expression that contains a backslash, such as "\s" or "\d", must have the backslash escaped in the JSON. The expression then becomes "\\s" or "\\d".

Procedure

  1. Log in to the Disconnected Log Collector computer or VM as the root user.
  2. In a text editor, create a JSON file with the following structure:
    {
           "LogSources":[
    
           ]
    }
  3. From the /opt/ibm/si/services/dlc/conf/template directory, open the readme file for the log source that you want to add to Disconnected Log Collector.
  4. Paste the log source definition (the readme file contents) between the square brackets in your JSON file.
    Important: If you're adding multiple log sources, each log source definition must have opening and closing curly braces. Each log source section must be separated by a comma, as in the following example.
    Figure 1. logSources.json formatting example (image not reproduced here)
  5. Edit the values as needed for your environment.

    A readme file is provided for each log source JSON template, and it describes the values for each parameter.

    Tip: Refer to the QRadar DSM Configuration Guide for more information about the parameters. The DSM documentation refers to the parameters as they are displayed in the IBM QRadar application. The logSources.json parameters are named according to the database labels.
    Note: Each log source has a unique DatabaseId value. If you add log sources, you must ensure that the DatabaseId value is unique for the new log sources. If there are duplicate DatabaseId values in the logSources.json file, only the first log source is recognized by Disconnected Log Collector. The validation script identifies duplicate DatabaseId values.
  6. Do the following to encrypt a log source password:
    1. Run the following command:
      /opt/ibm/si/services/dlc/current/script/encrypt.sh
    2. Enter the password that you want to encrypt, and again to confirm the password.
      The script displays an encrypted password.
    3. Copy the encrypted password into your log source configuration file.
  7. Validate the configuration file by running the following command:
    /opt/ibm/si/services/dlc/current/script/log_source_validate.sh <path_to_file>/<file_to_validate>.json

    Ensure that you include the <path_to_file>/<file_to_validate>.json part of the command. Otherwise, the script validates the logSources.json file.

    The following message appears after the file is successfully validated:
    Successfully validate log source file '<path_to_file>/<file_to_validate>.json'
    Trouble: If the file does not validate successfully, review the /var/log/dlc/<file_to_validate>.log file for details. Fix any issues, and then run the validation script again.
  8. When your file is valid, copy the new log source definitions into the logSources.json file.
    1. Go to the /opt/ibm/si/services/dlc/conf directory.
    2. Make a backup of the logSources.json file.
    3. Copy the new log source definitions into the logSources.json file. Ensure that you add the log source definitions between the square brackets in the logSources.json file.
    4. Save the logSources.json file.
      Note: Disconnected Log Collector regularly scans the logSources.json file for changes. Any changed log sources are restarted and new sources are started. Changes are detected within 5 minutes.
  9. To validate the logSources.json file after you add new protocols, run the following command:
    /opt/ibm/si/services/dlc/current/script/log_source_validate.sh
    The following message appears after the file is successfully validated:
    Successfully validate log source file '/opt/ibm/si/services/dlc/conf/logSources.json'
    Trouble: If the logSources.json file does not validate successfully, review the /var/log/dlc/logSources.log file for details. Fix any issues, and then run the validation script again.
  10. If you are defining JDBC for MySQL, copy the JDBC driver (for example, mysql-connector-java-<version>.jar) to the /opt/ibm/si/services/dlc/current/lib directory.
  11. If you modified the TLS syslog log source values, restart Disconnected Log Collector by typing the following command:
    systemctl restart dlc
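As an added pre-check that is not part of the Disconnected Log Collector distribution and does not replace log_source_validate.sh, the following Python function applies the checks this procedure calls out to a definition file before you paste it into logSources.json: the file must parse as JSON (an unescaped "\d" or "\s" fails here), the top level must be a "LogSources" array of objects, every DatabaseId must be unique, and any logSourceIdentifierPattern must compile as a regular expression. The sample definitions and the "Name" field are constructed for illustration.

```python
import json
import re

# Constructed sample: two definitions, the second reuses DatabaseId 1 and
# carries a logSourceIdentifierPattern with a correctly escaped backslash.
SAMPLE_DUPLICATE = r'''
{
  "LogSources": [
    { "DatabaseId": 1, "Name": "syslog-udp" },
    { "DatabaseId": 1, "Name": "syslog-tcp",
      "logSourceIdentifierPattern": "host\\d+" }
  ]
}
'''

# Constructed sample: backslash left unescaped, as the Note above warns against.
SAMPLE_BAD_ESCAPE = r'{ "LogSources": [ { "DatabaseId": 2, "logSourceIdentifierPattern": "host\d+" } ] }'


def check_log_sources(text):
    """Return a list of problems found in a log source definition file (empty list = clean)."""
    problems = []
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        # An unescaped "\d" or "\s" inside a JSON string surfaces here as an invalid escape.
        return ["JSON parse error: %s" % exc]
    sources = doc.get("LogSources") if isinstance(doc, dict) else None
    if not isinstance(sources, list):
        return ["top level must be an object with a 'LogSources' array"]
    seen = {}  # DatabaseId -> index of the first definition that used it
    for idx, src in enumerate(sources):
        if not isinstance(src, dict):
            problems.append("entry %d is not a JSON object" % idx)
            continue
        dbid = src.get("DatabaseId")
        if dbid is None:
            problems.append("entry %d has no DatabaseId" % idx)
        elif dbid in seen:
            # Only the first definition with a given DatabaseId would be recognized.
            problems.append("entry %d duplicates DatabaseId %r of entry %d" % (idx, dbid, seen[dbid]))
        else:
            seen[dbid] = idx
        pattern = src.get("logSourceIdentifierPattern")
        if pattern is not None:
            try:
                re.compile(pattern)
            except re.error as exc:
                problems.append("entry %d: bad logSourceIdentifierPattern: %s" % (idx, exc))
    return problems
```

Run it against your draft file with `check_log_sources(open(path).read())` and fix every reported problem before running log_source_validate.sh.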