Adding bulk log sources

Use the QRadar® Log Source Management app to add multiple log sources to IBM® QRadar at the same time. You can add as many log sources as you want.

If you are using QRadar V7.3.0 or earlier, you can add a log source in QRadar only by using the Log Sources icon.

In QRadar 7.5.0 Update Package 4 and later, when you click the Log Sources icon, the QRadar Log Source Management app opens.

Procedure

  1. In the QRadar Log Source Management app, click + New Log Source and then click Multiple Log Sources.
  2. On the Select a Log Source type page, select a log source type and click Select Protocol Type.
  3. On the Select a protocol type page, select a protocol type and click Configure Common Log Source Parameters.
  4. On the Configure the common Log Source parameters page, configure the parameters that you want to set for all of the log sources.
  5. If you have log sources that have different log source parameter values, clear the relevant check boxes, and then click Configure Common Protocol Parameters.
  6. On the Configure the common protocol parameters page, configure the protocol-specific parameters that you want to set for all of the log sources.
  7. If you have log sources that have different protocol parameter values, clear the relevant check boxes, and then click Configure Individual Parameters.
  8. On the Configure the individual parameters page, upload a CSV file that contains the individual log source parameter values, and click Add.
    A log source is created for each line of this file, except for empty lines and comment lines that begin with a hashtag (#). Each line must contain the comma-separated list of parameter values for the Log Source Identifier field, and any other deferred parameters, in the order shown in the deferred parameters table.
  9. Click Bulk Template to download the file template and add the parameters that you want to configure, in order.
    For example, if you deferred the Enabled and Groups parameters, the CSV file must contain the following values:
    Enabled, Groups, Log Source Identifier 

    If you include a comma in a parameter, enclose the value in double quotation marks.

  10. If you do not upload a CSV file:
    1. Click Manual to specify the values for the parameters that you deferred.
    2. Enter a Log Source Identifier for each new log source and click Add.
  11. Click Finish.
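
The CSV rules in steps 8 and 9 can be checked before the upload, so that a mistyped line does not end up as a missing or misconfigured log source. The following is an added example, not IBM code: the function name, the sample values, the trimming of blanks after commas, and the duplicate-identifier check are assumptions.

```python
import csv

# Column order from the example on this page (Enabled and Groups deferred).
COLUMNS = ["Enabled", "Groups", "Log Source Identifier"]

# Constructed sample input; host names and group names are placeholders.
SAMPLE = """\
# web tier
true, "Linux,DMZ", web01.example.test
true, Linux,DMZ, web02.example.test

false, Windows, dc01.example.test
true, Windows, dc01.example.test
true, "Linux, db01.example.test
"""

def check_bulk_csv(text, columns=COLUMNS):
    """Return (rows, problems); problems are (line_number, message) pairs."""
    rows, problems, seen = [], [], {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        # Empty lines and comment lines that begin with # create no log source.
        if not line.strip() or line.startswith("#"):
            continue
        try:
            # strict=True rejects an unbalanced double quotation mark.
            # Assumption: blanks after a comma are not part of the value.
            values = next(csv.reader([line], skipinitialspace=True, strict=True))
        except csv.Error as exc:
            problems.append((lineno, f"cannot parse: {exc}"))
            continue
        if len(values) != len(columns):
            problems.append((lineno, f"expected {len(columns)} values, found {len(values)}"))
            continue
        row = dict(zip(columns, (v.strip() for v in values)))
        ident = row["Log Source Identifier"]
        if not ident:
            problems.append((lineno, "empty Log Source Identifier"))
        elif ident in seen:
            # Assumption: a repeated identifier is a mistake worth reviewing.
            problems.append((lineno, f"{ident!r} already used on line {seen[ident]}"))
        else:
            seen[ident] = lineno
            rows.append(row)
    return rows, problems

if __name__ == "__main__":
    for lineno, message in check_bulk_csv(SAMPLE)[1]:
        print(f"line {lineno}: {message}")
```

Line 3 of the sample shows the failure that the quotation-mark rule prevents: the unquoted comma in the Groups value produces four values instead of three.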

What to do next

Test your log sources. For more information, see Testing log sources.

Adding bulk log sources by using the Log Sources icon

You can add up to 500 log sources at one time. When you add multiple log sources at one time, you add a bulk log source in QRadar. Bulk log sources must share a common configuration.

If you are using QRadar V7.3.0 or earlier, you can add a log source in QRadar only by using the Log Sources icon.

If you are using QRadar V7.3.1 to V7.3.3, you can also add a log source by using the QRadar Log Source Management app.

Procedure

  1. On the Admin tab, click Log Sources.
  2. From the Bulk Actions list, select Bulk Add.
  3. In the Bulk Log Sources window, configure the parameters for the bulk log source.
  4. Optional: Select the Enabled check box to enable the log source. By default, this check box is selected.
  5. Optional: Select the Coalescing Events check box to enable the log source to coalesce (bundle) events. Automatically discovered log sources use the default value that is configured in the Coalescing Events list in the System Settings window on the Admin tab. However, when you create a new log source or update the configuration for an automatically discovered log source, you can override the default value by configuring this check box for each log source. For more information, see the IBM QRadar Administration Guide.
  6. Optional: Use the Store Event Payload check box to enable or disable the storing of event payloads by QRadar. Automatically discovered log sources use the default value from the Store Event Payload list in the System Settings window on the Admin tab. When you create a new log source or update the configuration for an automatically discovered log source, you can override the default value by configuring this check box for each log source. For more information, see the IBM QRadar Administration Guide.
  7. Upload the log sources by choosing one of the following methods:
    • File Upload - Upload a text file that has one host name or IP per line.

      The text file must contain one IP address or host name per line. Extra characters after an IP address, or host names longer than 255 characters, can cause a value to be skipped when the text file is read. The file upload lists a summary of all IP addresses or host names that were added as the bulk log source.

    • Manual - Enter the host name or IP of the host that you want to add.
  8. Click Add > Save.
    Note: By default, a check box is selected for each log source in the host list. Clear the check box if you want the log source to be ignored. Duplicate host names or IP addresses are ignored.
  9. Click Continue to add the log sources.
  10. On the Admin tab, click Deploy Changes.
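
A host that is skipped during File Upload becomes a system that never reports to QRadar, so it is worth checking the text file against the limits in step 7 before you upload it. The following is an added example, not IBM code: the function names, the host name syntax rule, the case-insensitive duplicate comparison, and the sample entries are assumptions.

```python
import ipaddress
import re

MAX_SOURCES = 500    # page: up to 500 log sources at one time
MAX_HOST_LEN = 255   # page: longer host names can be skipped
# Assumption: a host name is dot-separated labels of letters, digits, hyphens.
LABEL = r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
HOST_RE = re.compile(rf"{LABEL}(\.{LABEL})*")

# Constructed sample input (documentation address ranges and .test names).
SAMPLE = """\
192.0.2.10
fw01.example.test
192.0.2.11 # core switch
192.0.2.300
FW01.example.test

""" + "a" * 256 + "\n"

def is_valid_entry(value):
    """True for a bare IP address or a syntactically valid host name."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        pass
    if re.fullmatch(r"[0-9.]+", value):
        return False  # digits and dots only, yet not a valid IPv4 address
    return HOST_RE.fullmatch(value) is not None

def check_host_list(text):
    """Return (hosts, problems); problems are (line_number, message) pairs."""
    hosts, problems, seen = [], [], set()
    for lineno, raw in enumerate(text.splitlines(), start=1):
        value = raw.strip()
        if not value:
            continue
        if len(value) > MAX_HOST_LEN:
            problems.append((lineno, f"longer than {MAX_HOST_LEN} characters"))
        elif not is_valid_entry(value):
            problems.append((lineno, "not a bare IP address or host name"))
        elif value.lower() in seen:
            # Assumption: duplicates are compared without regard to case.
            problems.append((lineno, "duplicate entry"))
        else:
            seen.add(value.lower())
            hosts.append(value)
    if len(hosts) > MAX_SOURCES:
        problems.append((0, f"{len(hosts)} entries; limit is {MAX_SOURCES}"))
    return hosts, problems
```

Compare the number of returned hosts with the summary that the file upload lists; a lower count in the summary means that entries were skipped or ignored.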