Importing a Disconnected Log Collector

Use the QRadar® Log Source Management app to import an existing Disconnected Log Collector instance into your QRadar deployment.

About this task

When you import a Disconnected Log Collector instance into your QRadar deployment, you have access to the following features:

  • Domain Mapping: You can assign the Disconnected Log Collector instance to a domain. Any events that are forwarded to QRadar by this Disconnected Log Collector instance are associated with the assigned domain. You can only apply Domain Mapping for Disconnected Log Collector instances that forward events to QRadar through TLS over TCP communication.
  • Log Source Configuration Management: You can manage the log sources of the disconnected log collector with the QRadar Log Source Management app. This feature is only available with Disconnected Log Collector version 1.4 or later.

Procedure

  1. In the QRadar Log Source Management app, click the navigation menu icon (Icon for main navigation menu) and then click Disconnected Log Collectors.
  2. Click Import Disconnected Log Collector > Upload Configuration.
  3. To import the configuration from the Disconnected Log Collector host, click Upload File.
  4. Choose your configuration, click Open, and then click Register Disconnected Log Collector.
  5. On the Register the Disconnected Log Collector page, configure the parameters, and click Import Log Sources.
  6. On the Import Log Sources page, select the appropriate import action for each imported protocol configuration.
  7. Click Finish.