Adding a log source to receive events

Use the QRadar® Log Source Management app to add new log sources to receive events from your network devices or appliances.

Before you begin

Download and install a device support module (DSM) that supports the log source. A DSM is a software application that contains the event patterns that are required to identify and parse events. The events are parsed from the original format of the event log to the format that QRadar can use. You can install a DSM from IBM® Fix Central (https://www-945.ibm.com/support/fixcentral/). For more information, see the DSM Configuration Guide.

You can also create a custom log source type without a DSM.

Procedure

  1. In the QRadar Log Source Management app, click + New Log Source.
  2. Click Single Log Source.
  3. On the Select a Log Source Type page, select a log source type and click Select Protocol Type.
  4. On the Select a Protocol Type page, select a protocol and click Configure Log Source Parameters.
  5. On the Configure the Log Source parameters page, configure the log source parameters and click Configure Protocol Parameters.
  6. On the Configure the protocol parameters page, configure the protocol-specific parameters.
  7. Optional: If the server certificates for the protocol are uploaded to the centralized certificate store, select the certificate from the Server Certificate Store Alias list.

    If your log source requires a server certificate that is not uploaded to the centralized certificate store, and you have System Administrator permission, you can upload the certificate from the IBM QRadar Certificate Management app.

    • If the QRadar Certificate Management app is installed, in the Server Certificate Store Alias list, select Upload new certificate. The Certificate Management app opens.
    • If the QRadar Certificate Management app is not installed, in the Server Certificate Store Alias list, select Download Certificate Management app to open the IBM Security App Exchange and download the app.
  8. Optional: If your configuration can be tested, the Test Protocol Parameters option is listed in the Steps pane. When you test your configuration, you can identify any errors with your protocol parameters. For more information, see Testing log sources. To test your configuration, follow these steps:
    1. Click Test Protocol Parameters, and then click Start Test.
    2. To fix any errors, click Configure Protocol Parameters.
      On the Configure the protocol parameters page, configure the protocol-specific parameters, then test your protocol again.

    If your configuration can be tested, but you don't want to test it, click Skip Test and Finish.

  9. Click Finish.

Results

Your log source is listed on the Log Sources page.