Adding a log source

If the log source is not automatically discovered, add it manually by using the QRadar® Log Source Management app so that QRadar can receive events from your network devices or appliances.

If you are using QRadar 7.3.1 to 7.5.0 Update Package 3, you can also add a log source by using the Log Sources icon. In QRadar 7.5.0 Update Package 4 and later, when you click the Log Sources icon, the QRadar Log Source Management app opens.

Before you begin

Ensure that the QRadar Log Source Management app is installed on your QRadar Console. For more information about installing the app, see Installing the QRadar Log Source Management app.

Procedure

  1. Log in to QRadar.
  2. Click the Admin tab.
  3. To open the app, click the QRadar Log Source Management app icon.
  4. Click New Log Source > Single Log Source.
  5. On the Select a Log Source Type page, select a log source type, and click Select Protocol Type.
  6. On the Select a Protocol Type page, select a protocol, and click Configure Log Source Parameters.
  7. On the Configure the Log Source parameters page, configure the log source parameters, and click Configure Protocol Parameters.
    The following table describes the common log source parameters for all log source types:

    Table 1. Common log source parameters

    Enabled
      When this option is not enabled, the log source does not collect events.

    Credibility
      Credibility represents the integrity or validity of events that are created by a log source. The credibility value that is assigned to a log source can increase or decrease based on incoming events and can be adjusted in response to user-created event rules. The credibility of events from log sources contributes to the calculation of the offense magnitude and can increase or decrease the magnitude value of an offense.

    Target Event Collector
      Specifies the QRadar host where the log source's protocol runs. Outbound protocols initiate connections to remote systems from this host, and inbound protocols initialize their port listeners on this host to receive event data that remote systems send.
      This parameter is not specifically used for assigning a log source to an Event Collector appliance. Because the Event Collector component exists on the following hosts, the protocols can be assigned to any of these hosts:
      • Event Collectors
      • Event Processors
      • Data Gateways (QRadar on Cloud only)
      • The QRadar Console
      Tip: All QRadar hosts that can collect events have an active syslog listener on port 514, whether or not any syslog log sources are assigned to them. The Target Event Collector parameter is not used for log sources with the Syslog protocol.

    Coalescing Events
      When multiple events with the same QID, Username, Source IP, Destination IP, Destination Port, Domain, and Log Source occur within a short time interval (10 seconds), they are coalesced (bundled) together.
      Because the events are bundled together, fewer events are stored, which reduces the storage cost of events. Coalescing events might lead to loss of information, including raw payloads or event properties. The default is enabled. For more information, see How does coalescing work in QRadar?

  8. On the Configure the protocol parameters page, configure the protocol-specific parameters.
    • If your configuration can be tested, click Test Protocol Parameters.
    • If your configuration cannot be tested, click Finish.
  9. In the Test protocol parameters window, click Start Test.
  10. To fix any errors, click Configure Protocol Parameters. Configure the parameters and click Test Protocol Parameters.
  11. Click Finish.

Adding a log source by using the Log Sources icon

If the log source is not automatically discovered, add it manually so that QRadar can receive events from your network devices or appliances.

If you are using QRadar 7.3.0 or earlier, you can add a log source in QRadar only by using the Log Sources icon.

If you are using QRadar 7.3.1 and later, you can add a log source by using the QRadar Log Source Management app.

Procedure

  1. Log in to QRadar.
  2. Click the Admin tab.
  3. Click the Log Sources icon.
  4. Click Add.
  5. Configure the common parameters for your log source.
  6. Configure the protocol-specific parameters for your log source.
    The following table describes the common log source parameters for all log source types:

    Table 2. Common log source parameters

    Enabled
      When this option is not enabled, the log source does not collect events.

    Credibility
      Credibility represents the integrity or validity of events that are created by a log source. The credibility value that is assigned to a log source can increase or decrease based on incoming events and can be adjusted in response to user-created event rules. The credibility of events from log sources contributes to the calculation of the offense magnitude and can increase or decrease the magnitude value of an offense.

    Target Event Collector
      Specifies the QRadar host where the log source's protocol runs. Outbound protocols initiate connections to remote systems from this host, and inbound protocols initialize their port listeners on this host to receive event data that remote systems send.
      This parameter is not specifically used for assigning a log source to an Event Collector appliance. Because the Event Collector component exists on the following hosts, the protocols can be assigned to any of these hosts:
      • Event Collectors
      • Event Processors
      • Data Gateways (QRadar on Cloud only)
      • The QRadar Console
      Tip: All QRadar hosts that can collect events have an active syslog listener on port 514, whether or not any syslog log sources are assigned to them. The Target Event Collector parameter is not used for log sources with the Syslog protocol.

    Coalescing Events
      When multiple events with the same QID, Username, Source IP, Destination IP, Destination Port, Domain, and Log Source occur within a short time interval (10 seconds), they are coalesced (bundled) together.
      Because the events are bundled together, fewer events are stored, which reduces the storage cost of events. Coalescing events might lead to loss of information, including raw payloads or event properties. The default is enabled. For more information, see How does coalescing work in QRadar?

  7. Click Save.
  8. On the Admin tab, click Deploy Changes.
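The Coalescing Events parameter in Table 1 and Table 2 describes a grouping rule but not what an analyst actually loses when it is enabled. The following Python is an added illustration, not IBM's code and not QRadar's real implementation: it models coalescing as a fold of events that share the seven key fields named in the tables into one stored record, with a 10-second window that is assumed to start at the first event of a group and to keep only that first event's payload (the real product's window and retention details may differ). The sample events are constructed for the example.

```python
# Added example: a simplified model of QRadar-style event coalescing.
# Assumptions (not from the product documentation): the window is fixed, starting
# at the first event that opens a group; events folded into a group contribute only
# to its count and their own payloads are dropped. Real QRadar behaviour may differ.

from dataclasses import dataclass, field
from typing import Dict, List, Tuple

WINDOW_SECONDS = 10.0  # the "short time interval" named in the parameter table


@dataclass
class Event:
    ts: float          # epoch seconds
    qid: int           # QRadar event identifier
    username: str
    src_ip: str
    dst_ip: str
    dst_port: int
    domain: str
    log_source: str
    payload: str       # raw event text as received


@dataclass
class StoredRecord:
    first: Event                      # the event whose payload is retained
    count: int = 1                    # how many raw events this record represents
    dropped_payloads: List[str] = field(default_factory=list)


def coalesce_key(e: Event) -> Tuple:
    """The seven fields that must match for events to be coalesced."""
    return (e.qid, e.username, e.src_ip, e.dst_ip, e.dst_port, e.domain, e.log_source)


def coalesce(events: List[Event], window: float = WINDOW_SECONDS) -> List[StoredRecord]:
    """Fold events with the same key that fall inside an open window into one record.

    A window of 0 stores every event, which models coalescing being disabled.
    """
    open_groups: Dict[Tuple, StoredRecord] = {}
    stored: List[StoredRecord] = []
    for e in sorted(events, key=lambda x: x.ts):
        k = coalesce_key(e)
        group = open_groups.get(k)
        if group is not None and e.ts - group.first.ts < window:
            group.count += 1
            group.dropped_payloads.append(e.payload)   # information lost to coalescing
            continue
        # no open group for this key, or its window has expired: store a new record
        group = StoredRecord(first=e)
        open_groups[k] = group
        stored.append(group)
    return stored


def storage_reduction(events: List[Event], window: float = WINDOW_SECONDS) -> Tuple[int, int]:
    """Return (raw event count, stored record count) for a given window."""
    return len(events), len(coalesce(events, window))


def lost_payloads(stored: List[StoredRecord]) -> List[str]:
    """Every raw payload that is no longer retrievable after coalescing."""
    return [p for rec in stored for p in rec.dropped_payloads]


def _ev(ts: float, src_ip: str, sid: int) -> Event:
    # Constructed sample: repeated failed logins for the same account and target.
    return Event(ts=ts, qid=28250001, username="svc-backup", src_ip=src_ip,
                 dst_ip="10.0.0.10", dst_port=22, domain="Default",
                 log_source="LinuxServer @ 10.0.0.10",
                 payload=f"sshd: Failed password for svc-backup sid={sid}")


# Constructed input: five matching events inside one window, one after the window
# expires, and one from a different source IP (a different coalescing key).
SAMPLE_EVENTS = [
    _ev(0.0, "10.0.0.5", 1), _ev(2.0, "10.0.0.5", 2), _ev(4.0, "10.0.0.5", 3),
    _ev(6.0, "10.0.0.5", 4), _ev(8.0, "10.0.0.5", 5),
    _ev(12.0, "10.0.0.5", 6),          # 12 s after the group opened: new record
    _ev(3.0, "10.0.0.6", 7),           # different Source IP: never coalesced
]

if __name__ == "__main__":
    records = coalesce(SAMPLE_EVENTS)
    raw, kept = storage_reduction(SAMPLE_EVENTS)
    print(f"{raw} raw events -> {kept} stored records")
    for rec in records:
        print(f"  count={rec.count} src={rec.first.src_ip} ts={rec.first.ts} "
              f"retained payload: {rec.first.payload}")
    print("payloads no longer available:", lost_payloads(records))
```

Running the block shows seven raw events stored as three records: the five matching events collapse to one record with a count of five, the event at 12 seconds opens a new record because the window started at 0 seconds has expired, and the event from the second source IP is stored on its own. The four dropped payloads, each carrying a distinct session identifier in this constructed data, are exactly the "raw payloads or event properties" the table warns can be lost; passing window=0 to coalesce() models disabling the option and stores all seven.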