IBM Support

QRadar: The Log Source Management application

News


Abstract

Administrators must use the Log Source Management application (LSM) as the primary method for adding, editing, and testing log sources in QRadar. This application is especially important for administrators responsible for broad workflow changes in the organization, such as maintaining bulk credential updates, validating configurations, and verifying received events. This technical note discusses the benefits of the Log Source Management application and provides resources where you can learn more.


Content

Overview
The best place to troubleshoot event sources and event collection is the Log Source Management app. When you open a support request around these issues, your support engineer might ask you to use the app to gather information. The Log Source Management application's test framework assists with configuration updates, bulk changes, testing configurations, validating credentials, and more. Users can open feature requests on the app and submit suggestions, such as which protocols need test cases.

Can I add troubleshooting logs from the LSM app to my case?
We encourage users with collection or configuration issues to download the error logs from the Log Source Management app and attach the error messages to their case. Adding Log Source Management application test output can help us understand your issue and reduce the time it takes to close your case. Administrators can submit multiple exports from the Log Source Management app to show support how the error output changes as you adjust parameters in your log source configuration. The test functionality helps the support team understand where in the process the error occurred and provides a record of how the error messages changed as you tried to resolve the issue yourself.



Benefits of the Log Source Management application
The Log Source Management application V5.0.0 and later is an important release because this version streamlines troubleshooting for administrators. Administrators no longer need to SSH to the Console, then open an SSH session to the Event Collector and grep through the logs to find out why a log source is not collecting events. The Log Source Management application can now validate connection errors, credentials, permissions, DNS issues, and certificate issues, display collected events, and more by using protocol test cases. The app can be used to:
  • Dramatically reduce the time it takes to troubleshoot configuration issues.
  • Run tests from the QRadar host that requests the event data, allowing users to validate connection, DNS, port, and certificate issues more efficiently.
  • Review error messages without a requirement for command-line access to the QRadar appliance.
  • Export test case logs to help support streamline your configuration.
  • View sample events with the test functionality to validate collection.
  • Export a list of log sources from the QRadar Log Source Management application for review (.csv file).
  • Make changes in bulk across different log source types. For example, you can update 25 different log source types with a shared credential where you would need to edit 25 log sources in the legacy user interface.


Where to learn more about using the app


What QRadar protocols include test cases?
The following list identifies the protocols in QRadar that support test cases for troubleshooting common configuration issues, along with the date the test cases were added. Test cases provide a pass/fail list that identifies where a configuration issue occurs for the following protocols:

  • Amazon AWS S3 REST API (added 4 August 2020)
  • Log File (added 24 July 2020)
  • VMware vCloud Director (added 15 July 2020)
  • Okta REST API (added 7 July 2020)
  • Office 365 Message Trace REST API (added 30 June 2020)
  • HTTP Receiver (added 15 June 2020)
  • Microsoft Azure Event Hubs (added 5 May 2020)
  • Microsoft Graph Security API (added 5 May 2020)
  • Microsoft DHCP (added 5 May 2020)
  • Microsoft Exchange (added 5 May 2020)
  • Microsoft IIS (added 5 May 2020)
  • Oracle Database Listener (added 5 May 2020)
  • SMB Tail (added 5 May 2020)
  • IBM Cloud Identity Event Service (added 21 April 2020)
  • Google G Suite Activity Reports REST API (added 21 April 2020)
  • Google Cloud Pub Sub (added 31 March 2020)
  • Cisco Firepower eStreamer (added 26 March 2020)
  • JDBC (added 14 Feb 2020)
  • Amazon Web Services (added 13 Dec 2019)
  • MQ JMS (added 24 October 2019)
  • TLS Syslog (added 28 Aug 2019)
  • Microsoft Office 365 (added 24 July 2019)
When are test cases added and updated?
The development team includes test functionality for new protocol integrations. For example, if IBM releases a new protocol for a vendor API to collect events, test cases are included in the initial protocol release. The development team is porting older protocols to include test cases, and this work is ongoing. Test cases are added through Protocol-{name} RPMs and delivered to QRadar appliances through automatic updates. Development can add test cases and make improvements through the protocol RPMs without any impact on the core Log Source Management app and without forcing administrators to update the Log Source Management application. For more information about Weekly Auto Update Server changes, see QRadar: Important auto update server changes for administrators.

Requirements
Administrators who are not on the versions listed cannot see the Test tab in the user interface. To use test functionality in the Log Source Management application, you must have the following software versions:
  • QRadar 7.3.2 fix pack 3 (7.3.2.20190705120852) or later
  • Log Source Management v5.0.0 or later

  Note: Administrators who have not yet upgraded to QRadar V7.4.0 must be aware that the Log Source Management application replaces the legacy QRadar Log Source user interface in QRadar 7.4.0.

Download the app
The Log Source Management app can be downloaded on the IBM X-Force App Exchange (for QRadar v7.3.1/7.4.0, use this version).


Trademark information
  • Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.
  • VMware, the VMware logo, VMware Cloud Foundation, VMware Cloud Foundation Service, VMware vCenter Server, and VMware vSphere are registered trademarks or trademarks of VMware, Inc. or its subsidiaries in the United States and/or other jurisdictions.


Document Information

Modified date:
04 January 2023

UID

ibm16326067