Question & Answer
Question
How does an administrator disable log sources from being automatically created in QRadar?
Answer
Data sent to QRadar from event sources can be automatically detected by Traffic Analysis (TA), which reviews incoming syslog event payloads to determine if the events can be matched to a log source type and creates a new log source automatically. Automatically detected log sources are displayed in the Log Sources window on the Admin tab of QRadar. The tatoggle.pl utility is a legacy tool that allows QRadar 7.3.1 administrators to disable log source autodetection for an entire log source type.
In certain scenarios, administrators might want to disable log source auto discovery to prevent log sources from being automatically created. For example, when log sources are being incorrectly created or when the data from the event source is known to send through very slowly and keeps entering the auto discovery queue. In these cases, it can help administrators to disable log source auto discovery on each managed host that receives those events. Disabling a Log Source Type with tatoggle requires users to manually create for that Log Source Type.
In certain scenarios, administrators might want to disable log source auto discovery to prevent log sources from being automatically created. For example, when log sources are being incorrectly created or when the data from the event source is known to send through very slowly and keeps entering the auto discovery queue. In these cases, it can help administrators to disable log source auto discovery on each managed host that receives those events. Disabling a Log Source Type with tatoggle requires users to manually create for that Log Source Type.
Before you begin
- These instructions are intended only for QRadar 7.3.1. QRadar 7.3.2 and later versions can use the DSM Editor interface to disable auto discovery for a log source type.
- Download the tatoggle.zip file to your local workstation.
SHA256 sum: f1bf42521d5db7a1848033d96b2b073621485423b0eaac47edc25641f6eeffaa - Log source auto discovery works on a managed host level, you must use tatoggle on each managed host that receives the syslog events you do not want to auto discover.
- The ECS-EC service must be restarted on all appliances where Log Source Types were disabled. Restarting the ECS-EC service stops event collection and a maintenance window is suggested for administrators who need to disable log source auto discovery.
- It is recommended that Log Source Types be disabled only if the Log Source Type is not used in your deployment.
- Inform other administrators when you disable auto discovery for a log source.
Procedure to disable a Log Source Type in QRadar version 7.3.1
- Using an SCP client upload tatoggle.zip to /opt/qradar/bin/ on your QRadar Console.
- Using SSH, log in to the QRadar Console as the root user.
- Navigate to the /opt/qradar/bin/ directory.
- To extract the file, type: unzip tatoggle.zip
- To copy tatoggle.pl to all Managed Hosts in the deployment, type: /opt/qradar/support/all_server.sh -p tatoggle.pl -k -r /opt/qradar/bin/
- Set permissions on tatogggle.pl with the command: /opt/qradar/support/all_server.sh -C -k "chmod 755 /opt/qradar/bin/tatoggle.pl"
- Open an SSH session to the managed host receiving the syslog events that need to be excluded from traffic analysis.
- To disable log source auto discovery, type: /opt/qradar/bin/tatoggle.pl
- From the list, use the n or p keys to locate the Log Source Type to disable.
- Type the number of the Log Source Type to disable. Note: If you make a mistake or decide to quit, press q to exit without saving.
- Repeat the process with each Log Source Type to be disabled.
- Press s to save and exit.
IMPORTANT: Restarting ECS-EC temporarily stops event collection while the service restarts. Administrators with strict outage policies can complete the next step during a scheduled maintenance window for their organization. - Restart the ecs-ec service: systemctl restart ecs-ec
- Repeat this procedure on each QRadar managed host where you need to have a log source auto detection disabled.
Results
Log source auto detection is disabled for Log Source Types and future log sources that match are not created automatically. In QRadar 7.3.2 or later, the DSM Editor includes a user interface feature to enable or disable log source auto detection.
How to use the DSM Editor to disable a Log Source Type (QRadar 7.3.2 and later)
Procedure to disable a Log Source type:
- Log in to the QRadar Console as an administrator.
- Click the navigation menu (☰), and then click the Admin tab.
- Scroll down to Data Sources > click DSM Editor.
- Select a Log Source Type from the menu that you choose to disable.
- Click Configuration tab.
- Click Enable Log Source Autodetection.
Note: The icon appears gray with an x when disabled. - Click Save.
[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"Component":"Log Activity","Platform":[{"code":"PF016","label":"Linux"}],"Version":"7.3.1","Edition":"","Line of Business":{"code":"LOB24","label":"Security Software"}}]
Was this topic helpful?
Document Information
Modified date:
07 January 2021
UID
ibm13548091