If you have events that are imported into QRadar, you can select the events
on which you want to base your custom log source type and send them directly to the DSM
Editor.
Procedure
- Click the Log Activity tab.
- Pause the incoming results and then highlight one or more events.
  Important: You can select only a single log source type, and only the events from log activity that match the selected log source type are automatically added to the workspace.
- On the navigation menu, select , and choose one of the following options:
  - If you are parsing known events, select your log source type from the list.
  - If you are parsing stored events, click Create New. Enter a name for your log source type in the Log Source Type Name field and click Save.
- In the Properties tab, select the Override system properties checkbox for the properties that you want to edit.