IBM Disconnected Log Collector is configured to collect log information from UDP and TCP syslog log sources. You can add other log sources by modifying the logSources.json configuration file, which defines the log sources.

Note: For IBM QRadar to parse the incoming log source information from Disconnected Log Collector, you must install the latest log source protocol on your IBM QRadar Console.

Readme files are provided for the additional log source protocols that you can use with Disconnected Log Collector, and a script is provided to validate your log source definitions. The validation script ensures that the JSON file is properly formatted, and also validates the values that you provide for each parameter against the schema definition in the readme file.

Note: Define the new log source definitions in a file other than the logSources.json file, and then add the definitions into logSources.json when the configuration is complete and valid. Disconnected Log Collector regularly scans the logSources.json file for changes. If you edit the logSources.json file directly, your log source collection might be disrupted if you enter invalid information.
Procedure
Log in to the Disconnected Log Collector computer or VM as the root user.

In a text editor, create a JSON file with the following structure:

{
"LogSources":[
]
}

From the /opt/ibm/si/services/dlc/conf/template directory, open the readme file for the log source that you want to add to Disconnected Log Collector.

Paste the log source definition (the readme file contents) between the square brackets in your JSON file.

Important: If you're adding multiple log sources, each log source definition must have opening and closing curly braces. Each log source section must be separated by a comma, as in the following example.

Figure 1. logSources.json formatting example

Edit the values as needed for your environment. A readme file is provided for each log source JSON template that contains information about the values for each parameter.

Tip: Refer to the QRadar DSM Configuration Guide for more information about the parameters. The DSM documentation refers to the parameters as they are displayed in the IBM QRadar application. The logSources.json parameters are named according to the database labels.

Note: Each log source has a unique DatabaseId value. If you add log sources, you must ensure that the DatabaseId value is unique for the new log sources. If there are duplicate DatabaseId values in the logSources.json file, only the first log source is recognized by Disconnected Log Collector. The validation script identifies duplicate DatabaseId values.
Do the following to encrypt a log source password:

Trouble: If the file does not validate successfully, review the /var/log/dlc/<file_to_validate>.log file for details. Fix any issues, and then run the validation script again.

When your file is valid, copy the new log source definitions into the logSources.json file.

Go to the /opt/ibm/si/services/dlc/conf directory.

Make a backup of the logSources.json file.

Copy the new log source definitions into the logSources.json file. Ensure that you add the log source definitions between the square brackets in the logSources.json file.

Save the logSources.json file.

Note: Disconnected Log Collector regularly scans the logSources.json file for changes. Any changed log sources are restarted and new sources are started. Changes are detected within 5 minutes.

To validate the logSources.json file after you add new protocols, run the following command:

Trouble: If the logSources.json file does not validate successfully, review the /var/log/dlc/logSources.log file for details. Fix any issues, and then run the validation script again.
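The formatting rules and the duplicate-DatabaseId check described in the steps above, as an added Python example that is not IBM's validation script and does not know the per-protocol schemas in the readme files: it parses a constructed logSources-style document, reports a missing comma or missing curly braces, a missing "LogSources" array, and repeated DatabaseId values, and merges a separately kept new-definitions file into an existing one only when both files and the combined result validate. DatabaseId is the only parameter taken from the page; "ExampleName", all sample values, and the function names are hypothetical placeholders.

```python
import json
from collections import Counter

# Constructed sample files in the layout the page describes: a top-level
# "LogSources" array holding one object per log source, separated by commas.
# "DatabaseId" is the only parameter named on the page; "ExampleName" and all
# values are hypothetical placeholders, not Disconnected Log Collector parameters.
SAMPLE_VALID = """
{
  "LogSources": [
    { "DatabaseId": 1001, "ExampleName": "udp-syslog-placeholder" },
    { "DatabaseId": 1002, "ExampleName": "tcp-syslog-placeholder" }
  ]
}
"""

# The second definition repeats DatabaseId 1001; the collector would only recognise the first.
SAMPLE_DUPLICATE = """
{
  "LogSources": [
    { "DatabaseId": 1001, "ExampleName": "first-placeholder" },
    { "DatabaseId": 1001, "ExampleName": "second-placeholder" }
  ]
}
"""

# The comma between the two definitions is missing, so this is not well-formed JSON.
SAMPLE_MALFORMED = """
{ "LogSources": [ { "DatabaseId": 1001 } { "DatabaseId": 1002 } ] }
"""

# New definitions kept in a separate file, as the page recommends.
SAMPLE_NEW = '{ "LogSources": [ { "DatabaseId": 1003, "ExampleName": "new-placeholder" } ] }'
SAMPLE_NEW_CLASH = '{ "LogSources": [ { "DatabaseId": 1002, "ExampleName": "clash-placeholder" } ] }'


def validate_log_sources(text):
    """Return a list of problems; an empty list means the text passed.

    Checks only what the page states about the format: well-formed JSON, a
    top-level "LogSources" array, each entry an object with a "DatabaseId",
    and no repeated "DatabaseId". It cannot validate other parameters because
    their schemas live in the protocol readme files.
    """
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        # A missing comma or brace between definitions ends up here.
        return [f"not well-formed JSON: {exc}"]
    if not isinstance(doc, dict) or "LogSources" not in doc:
        return ['missing top-level "LogSources" key']
    sources = doc["LogSources"]
    if not isinstance(sources, list):
        return ['"LogSources" must be an array']
    problems = []
    for index, entry in enumerate(sources):
        if not isinstance(entry, dict):
            problems.append(f"entry {index} is not an object (missing curly braces?)")
        elif "DatabaseId" not in entry:
            problems.append(f'entry {index} has no "DatabaseId"')
    seen = Counter(str(entry["DatabaseId"]) for entry in sources
                   if isinstance(entry, dict) and "DatabaseId" in entry)
    for db_id, count in sorted(seen.items()):
        if count > 1:
            problems.append(f"DatabaseId {db_id} appears {count} times; only the first is recognised")
    return problems


def database_ids(text):
    """Return the DatabaseId values of an already validated file, in file order."""
    return [entry["DatabaseId"] for entry in json.loads(text)["LogSources"]]


def merge_definitions(existing_text, new_text):
    """Append the definitions in new_text to existing_text and return the merged JSON text.

    Mirrors the page's order of operations: both files must validate on their
    own, and the merged result is validated again so that a new DatabaseId
    that clashes with an existing one is rejected before anything is written.
    Raises ValueError listing the problems instead of returning bad output.
    """
    for label, text in (("existing file", existing_text), ("new definitions", new_text)):
        problems = validate_log_sources(text)
        if problems:
            raise ValueError(f"{label}: " + "; ".join(problems))
    merged = json.loads(existing_text)
    merged["LogSources"].extend(json.loads(new_text)["LogSources"])
    merged_text = json.dumps(merged, indent=2)
    problems = validate_log_sources(merged_text)
    if problems:
        raise ValueError("merged file: " + "; ".join(problems))
    return merged_text


if __name__ == "__main__":
    for name, sample in (("valid", SAMPLE_VALID), ("duplicate", SAMPLE_DUPLICATE),
                         ("malformed", SAMPLE_MALFORMED)):
        print(name, "->", validate_log_sources(sample) or "OK")
    print(database_ids(merge_definitions(SAMPLE_VALID, SAMPLE_NEW)))
```

The merge step only returns text; taking the backup and writing the result into /opt/ibm/si/services/dlc/conf/logSources.json remain the manual steps the page describes, and the supplied validation script is still the authority on the per-parameter values.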
If you are defining JDBC for MySQL, copy the JDBC driver (for example, mysql-connector-java-<version>.jar) to the /opt/ibm/si/services/dlc/current/lib directory.

If you modified the TLS syslog log source values, restart Disconnected Log Collector by typing the following command: