Adding a log source
If the log source is not automatically discovered, manually add it by using the QRadar® Log Source Management app so that you can receive events from your network devices or appliances.
If you are using QRadar 7.3.1 to 7.5.0 Update Package 3, you can also add a log source by using the Log Sources icon. In QRadar 7.5.0 Update Package 4 and later, when you click the Log Sources icon, the QRadar Log Source Management app opens.
Before you begin
- Log in to QRadar.
- Click the Admin tab.
- To open the app, click the QRadar Log Source Management app icon.
- Click .
- On the Select a Log Source Type page, select a log source type, and click Select Protocol Type.
- On the Select a Protocol Type page, select a protocol, and click Configure Log Source Parameters.
- On the Configure the Log Source parameters page, configure the log source parameters, and click Configure Protocol Parameters. The following table describes the common log source parameters for all log source types:
Table 1. Common log source parameters

Enabled: When this option is not enabled, the log source does not collect events.

Credibility: Credibility represents the integrity or validity of events that are created by a log source. The credibility value that is assigned to a log source can increase or decrease based on incoming events and can be adjusted as a response to user-created event rules. The credibility of events from log sources contributes to the calculation of the offense magnitude and can increase or decrease the magnitude value of an offense.

Target Event Collector: Specifies the QRadar host where the log source's protocol runs. Outbound protocols initiate connections to remote systems from this host, and inbound protocols initialize their port listeners on this host to receive event data sent by remote systems. This parameter is not specifically used for assigning a log source to an Event Collector appliance. Because the Event Collector component exists on the following hosts, the protocols can be assigned to any of these hosts:
- Event Collectors
- Event Processors
- Data Gateways (QRadar on Cloud only)
- The QRadar Console
Tip: All QRadar hosts that can collect events have an active syslog listener on port 514, whether they have any syslog log sources that are assigned or not. The Target Event Collector parameter is not used for log sources with the Syslog protocol.

Coalescing Events: When multiple events with the same QID, Username, Source IP, Destination IP, Destination Port, Domain, and Log Source occur within a short time interval (10 seconds), they are coalesced (bundled) together. Because the events are bundled together, the number of events that are stored is decreased, which reduces the storage cost of events. Coalescing events might lead to loss of information, including raw payloads or event properties. The default is enabled. For more information, see How does coalescing work in QRadar?
- On the Configure the protocol parameters page, configure the
- If your configuration can be tested, click Test Protocol Parameters.
- If your configuration cannot be tested, click Finish.
- In the Test protocol parameters window, click Start Test.
- To fix any errors, click Configure Protocol Parameters. Configure the parameters and click Test Protocol Parameters.
- Click Finish.
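The coalescing rule described for the Coalescing Events parameter above is easier to reason about when you can see what gets stored and what gets dropped. The following is an added example written for this page, not QRadar's own implementation: it models the rule (same QID, Username, Source IP, Destination IP, Destination Port, Domain and Log Source within 10 seconds) over a constructed batch of events. The Event record, its field names, the sample payloads and the choice to measure the window from the first event of a bundle are all assumptions made for illustration.

```python
"""Model of the event coalescing rule described for the Coalescing Events
parameter. Added example for this page, not QRadar code: the Event record,
field names and sample events below are constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

COALESCE_WINDOW_SECONDS = 10  # the "short time interval" the documentation states

# The seven properties that must all match for two events to be bundled.
COALESCE_KEY_FIELDS = (
    "qid", "username", "src_ip", "dst_ip", "dst_port", "domain", "log_source",
)


@dataclass
class Event:
    timestamp: int      # epoch seconds (constructed values below)
    qid: int
    username: str
    src_ip: str
    dst_ip: str
    dst_port: int
    domain: str
    log_source: str
    payload: str        # raw event text; not retained for bundled duplicates


@dataclass
class StoredRecord:
    first: Event                      # the event whose payload and properties survive
    count: int = 1                    # number of raw events this record stands for
    dropped_payloads: List[str] = field(default_factory=list)


def coalesce_key(ev: Event) -> Tuple:
    """The tuple compared for coalescing; events with equal keys are candidates."""
    return tuple(getattr(ev, name) for name in COALESCE_KEY_FIELDS)


def coalesce(events: List[Event], window: int = COALESCE_WINDOW_SECONDS) -> List[StoredRecord]:
    """Bundle events that share a key and arrive within `window` seconds of the
    first event of an open bundle. Assumption of this model: the window is
    measured from the bundle's first event, and a duplicate arriving at or after
    the boundary starts a new stored record."""
    open_bundles: Dict[Tuple, StoredRecord] = {}
    stored: List[StoredRecord] = []
    for ev in sorted(events, key=lambda e: e.timestamp):
        key = coalesce_key(ev)
        bundle = open_bundles.get(key)
        if bundle is not None and ev.timestamp - bundle.first.timestamp < window:
            bundle.count += 1
            bundle.dropped_payloads.append(ev.payload)   # the information loss
            continue
        bundle = StoredRecord(first=ev)
        open_bundles[key] = bundle
        stored.append(bundle)
    return stored


def summarize(events: List[Event], window: int = COALESCE_WINDOW_SECONDS) -> Dict[str, int]:
    """Storage saving and payload loss for a batch under the given window."""
    stored = coalesce(events, window)
    return {
        "received": len(events),
        "stored": len(stored),
        "payloads_lost": sum(len(r.dropped_payloads) for r in stored),
    }


def _event(ts: int, port: int, payload: str) -> Event:
    # Constructed sample data: one account failing logons from one host.
    return Event(ts, 5000001, "svc-backup", "10.0.0.5", "10.0.0.20", port,
                 "Default Domain", "LinuxServer @ host-a", payload)


# Constructed batch: four failed logons to port 22 within 10 seconds, a fifth
# exactly at the window boundary, and one event to port 443 (different key).
SAMPLE_EVENTS = [
    _event(0, 22, "sshd: Failed password for svc-backup attempt 1"),
    _event(2, 22, "sshd: Failed password for svc-backup attempt 2"),
    _event(5, 22, "sshd: Failed password for svc-backup attempt 3"),
    _event(9, 22, "sshd: Failed password for svc-backup attempt 4"),
    _event(10, 22, "sshd: Failed password for svc-backup attempt 5"),
    _event(3, 443, "nginx: 401 for svc-backup"),
]


if __name__ == "__main__":
    for rec in coalesce(SAMPLE_EVENTS):
        print(f"t={rec.first.timestamp:>2} port={rec.first.dst_port} count={rec.count} "
              f"kept={rec.first.payload!r} lost={len(rec.dropped_payloads)}")
    print(summarize(SAMPLE_EVENTS))
```

The `dropped_payloads` list makes the trade-off concrete: the bundled record keeps the first event's payload and a count, while the raw text of the later duplicates is exactly what an investigator can no longer retrieve, which is why the parameter is worth disabling for log sources whose individual payloads matter. Passing `window=0` to `summarize` shows the other end of the trade-off, with every event stored separately. The exact boundary and counting behaviour of the product is documented in "How does coalescing work in QRadar?", referenced above.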