IBM Support

QRadar: Disable Custom Event Properties For Non-Existent Log Sources



Custom Event Properties are enabled by default. In some cases, users can require to disable Custom Event Properties that are not associated with a Log Source that is configured in the system.

Resolving The Problem

All Custom Event Properties are enabled by default. In some cases, some Custom Event Properties are related to non-existent or not configured Log Sources. Having these Custom Event Properties that are enabled is not a performance concern. They do not affect system performance if they are not used.

If you prefer to disable these unused Custom Event Properties, the recommendation is to do it from the QRadar User Interface following these steps. This procedure is the only supported method to disable a Custom Event Property.

Before you begin: Before, considering disabling a Custom Event Property make sure that you will not use this Log Source Type at a future date. If you disable a Custom Event Property, you will no longer parse events for that Log Source Type if added later.

  1. Click Admin tab.
  2. Scroll down to Data Sources.
  3. Click Custom Event Properties.
  4. Order By the Log Source Type.

  5. Locate the Custom Event Properties with N/A in the Log Source Column. These are not currently assigned to a Log Source Type in the system.
  6. Highlight any Custom Event Property that you do not need and click Disable.

The selected Custom Event Property is now disabled.

Where do you find more information?

[{"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Component":"Events","Platform":[{"code":"PF016","label":"Linux"}],"Version":"7.2","Edition":"","Line of Business":{"code":"LOB24","label":"Security Software"}}]

Document Information

Modified date:
16 June 2018