You can create multiple extension documents, upload them, and associate them with various log source types. The logic from the log source extension (LSX) is then used to parse the logs from the unsupported log source.
Extension documents can be stored anywhere before you upload them to IBM® QRadar®.
Procedure
- On the Admin tab, click Log Source Extensions.
- Click Add.
- Assign a name.
- Optional: If you want to apply this log source extension to more than one instance of a log source type, select the log source type from the available Log Source Type list and click the add arrow to set it as the default.
  Setting the default log source type applies the log source extension to all events of a log source type, including those log sources that are automatically discovered.
  Test the extension for the log source type first to ensure that the events are parsed correctly.
- Click Browse to locate the LSX that you saved and then click Upload.
  QRadar validates the document against the internal XSD and verifies the validity of the document before the extension document is uploaded to the system.
- Click Save and close the window.
- Associate the log source extension to a log source.
  - From the Admin tab, click .
  - Double-click the log source type that you created the extension document for.
  - From the Log Source Extension list, select the document that you created.
  - Click Save and close the window.
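
The procedure above asks you to test the extension before setting it as a default, and QRadar checks the document against its XSD on upload. The following pre-upload check is an added example, not IBM's code and not a substitute for QRadar's own validation: it confirms that the document is well-formed, that each pattern compiles, that each matcher references a defined pattern, and shows what one sample event would yield. Assumptions: the document uses `pattern` and `matcher` elements with `id`, `field`, `pattern-id` and `capture-group` attributes, capture groups are plain integers, and Python's `re` stands in for the Java regex engine that QRadar uses, so syntax can differ in edge cases.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: ids, regexes and the event are made up for this example.
SAMPLE_LSX = r"""<device-extension xmlns="event_parsing/device_extension">
  <pattern id="EventName" xmlns=""><![CDATA[action=(\w+)]]></pattern>
  <pattern id="SourceIp" xmlns=""><![CDATA[src=(\d{1,3}(?:\.\d{1,3}){3})]]></pattern>
  <match-group order="1" description="Constructed example" xmlns="">
    <matcher field="EventName" order="1" pattern-id="EventName" capture-group="1"/>
    <matcher field="SourceIp" order="1" pattern-id="SourceIp" capture-group="1"/>
    <matcher field="UserName" order="1" pattern-id="User" capture-group="1"/>
  </match-group>
</device-extension>"""
SAMPLE_EVENT = "<13>Jan 01 00:00:00 host app: action=login_failed src=192.0.2.10 user=alice"


def _elements(root, name):
    """Return elements by local name, ignoring any XML namespace prefix."""
    return [el for el in root.iter() if el.tag.rsplit("}", 1)[-1] == name]


def lint_lsx(xml_text, sample_event):
    """Return (problems, extracted_fields) for one LSX document and one event."""
    problems, extracted, patterns = [], {}, {}
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"], extracted
    for el in _elements(root, "pattern"):
        try:
            patterns[el.get("id")] = re.compile(el.text or "")
        except re.error as exc:
            problems.append(f"pattern {el.get('id')!r} does not compile: {exc}")
    for el in _elements(root, "matcher"):
        field, pid = el.get("field"), el.get("pattern-id")
        group = el.get("capture-group", "0")  # assumption: absent means whole match
        if pid not in patterns:
            problems.append(f"matcher {field!r} references undefined pattern {pid!r}")
            continue
        match = patterns[pid].search(sample_event)
        if match is None:
            problems.append(f"matcher {field!r} did not match the sample event")
        elif not group.isdigit() or int(group) > patterns[pid].groups:
            problems.append(f"matcher {field!r}: bad capture-group {group!r}")
        else:
            extracted[field] = match.group(int(group))
    return problems, extracted
```

On the constructed sample, the `UserName` matcher is reported because it points at a pattern id that the document never defines, which is the kind of mistake that would otherwise surface only as unparsed fields after the extension is applied.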