Administrators must use the Log Source Management application (LSM) as the primary method for adding, editing, and testing log sources in QRadar. The application is especially useful for administrators responsible for broad workflow changes in the organization, such as bulk credential updates, configuration validation, and verification of received events. This technical note describes the benefits of the Log Source Management application and points to resources where you can learn more.
Benefits of the Log Source Management application
Log Source Management application V5.0.0 and later is an important release because it streamlines troubleshooting for administrators. Administrators no longer need to SSH to the Console, open a second SSH session to the Event Collector, and grep through the logs to find out why a log source is not collecting events. Using protocol test cases, the Log Source Management application can now surface connection errors, credential and permission problems, DNS issues, and certificate issues, and can display the events that were collected. With the app you can:
- Dramatically reduce the time it takes to troubleshoot configuration issues.
- Run the tests from the QRadar host that requests the event data, which lets you validate connection, DNS, port, and certificate issues more efficiently.
- Review error messages without requiring command-line access to the QRadar appliance.
- Export test case logs to help IBM Support troubleshoot your configuration.
- View sample events with the test functionality to validate collection.
- Export a list of log sources from the Log Source Management application as a .csv file for review.
- Make changes in bulk across different log source types. For example, you can update 25 log sources of different types with a shared credential in a single operation, where the legacy user interface required you to edit each of the 25 log sources individually.
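To make concrete what a pass/fail protocol test case of the kind described above actually checks, the following Python script is an added illustration; it is not code from the Log Source Management application or from IBM. It runs, from the host that would be collecting the events, the three network checks that most often explain a silent log source (name resolution, TCP reachability of the port, and a TLS handshake with certificate validation), stops at the first failure so the report names the root cause rather than its knock-on effects, and uses a constructed local listener as a stand-in for a reachable endpoint that does not speak TLS. The hostname `log-source.invalid`, the port numbers and the test names are illustrative assumptions.

```python
"""Added example (not IBM code): a small pass/fail test-case runner in the spirit of the
Log Source Management app's protocol tests. It checks, from the collecting host, the three
things that most often break event collection over the network: name resolution, TCP
reachability of the port, and the TLS handshake with certificate validation."""
import socket
import ssl
import threading
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class TestResult:
    name: str
    passed: bool
    detail: str


def check_dns(host: str) -> TestResult:
    """Resolve the log source host the same way the protocol would (TCP addresses only)."""
    try:
        infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror as exc:
        return TestResult("DNS resolution", False, f"{host}: {exc}")
    addrs = sorted({info[4][0] for info in infos})
    return TestResult("DNS resolution", True, f"{host} -> {', '.join(addrs)}")


def check_tcp(host: str, port: int, timeout: float = 3.0) -> TestResult:
    """Confirm that the remote port accepts connections (firewall, wrong port, service down)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return TestResult("TCP connect", True, f"{host}:{port} accepted the connection")
    except OSError as exc:
        return TestResult("TCP connect", False, f"{host}:{port}: {exc}")


def check_tls(host: str, port: int, timeout: float = 3.0,
              cafile: Optional[str] = None) -> TestResult:
    """Complete a TLS handshake and validate the server certificate against cafile
    (or against the system trust store when cafile is None)."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                subject = dict(rdn[0] for rdn in tls.getpeercert().get("subject", ()))
                return TestResult("TLS handshake", True,
                                  f"{tls.version()}, subject CN={subject.get('commonName')}")
    except ssl.SSLCertVerificationError as exc:
        # Separate bucket: the endpoint is reachable and speaks TLS, but the chain is not trusted.
        return TestResult("TLS handshake", False, f"certificate rejected: {exc.verify_message}")
    except (ssl.SSLError, OSError) as exc:
        return TestResult("TLS handshake", False, f"handshake failed: {exc!r}")


def run_tests(host: str, port: int, use_tls: bool = True) -> List[TestResult]:
    """Run the checks in dependency order and stop at the first failure, so the
    report points at the root cause rather than at its knock-on effects."""
    results = [check_dns(host)]
    if results[-1].passed:
        results.append(check_tcp(host, port))
    if use_tls and results[-1].passed:
        results.append(check_tls(host, port))
    return results


def start_plaintext_listener() -> int:
    """Constructed stand-in for a reachable log source that does not speak TLS: accepts
    each connection and closes it at once. Returns the ephemeral port it listens on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def report(host: str, port: int, use_tls: bool = True) -> None:
    for r in run_tests(host, port, use_tls):
        print(f"[{'PASS' if r.passed else 'FAIL'}] {r.name}: {r.detail}")


if __name__ == "__main__":
    # Reachable endpoint with no TLS: DNS and TCP pass, the handshake fails.
    report("127.0.0.1", start_plaintext_listener())
    # Hostname that can never resolve (.invalid is reserved): only DNS runs, and it fails.
    report("log-source.invalid", 6514)
```

Pointing `run_tests` at a real collector target (for example a TLS Syslog endpoint with `cafile` set to the CA bundle configured on the log source) gives the same three-line verdict without a shell on the appliance; a certificate failure is reported separately from a plain connection failure because the two have different owners on the remediation side.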
Where to learn more about using the app
- IBM documentation
- QRadar Log Source Management App 7.0 - Essentials overview on Security Learning Academy
- QRadar Log Source Management App - Full Webinar on Security Learning Academy
What QRadar protocols include test cases?
The following list shows the QRadar protocols that support test cases for troubleshooting common configuration issues, together with the date on which test cases were added for each protocol. The test cases produce a pass or fail result for each step, so you can identify the point at which a configuration issue occurs:
- Amazon AWS S3 REST API (added 4 August 2020)
- Log File (added 24 July 2020)
- VMware vCloud Director (added 15 July 2020)
- Okta REST API (added 7 July 2020)
- Office 365 Message Trace REST API (added 30 June 2020)
- HTTP Receiver (added 15 June 2020)
- Microsoft Azure Event Hubs (added 5 May 2020)
- Microsoft Graph Security API (added 5 May 2020)
- Microsoft DHCP (added 5 May 2020)
- Microsoft Exchange (added 5 May 2020)
- Microsoft IIS (added 5 May 2020)
- Oracle Database Listener (added 5 May 2020)
- SMB Tail (added 5 May 2020)
- IBM Cloud Identity Event Service (added 21 April 2020)
- Google G Suite Activity Reports REST API (added 21 April 2020)
- Google Cloud Pub Sub (added 31 March 2020)
- Cisco Firepower eStreamer (added 26 March 2020)
- JDBC (added 14 February 2020)
- Amazon Web Services (added 13 December 2019)
- MQ JMS (added 24 October 2019)
- TLS Syslog (added 28 August 2019)
- Microsoft Office 365 (added 24 July 2019)
To use the test functionality in the Log Source Management application, you must have the following software versions. Administrators on earlier versions do not see the Test tab in the user interface:
- QRadar 7.3.2 Fix Pack 3 or later
- Log Source Management v5.0.0 or later
Note: Administrators who have not yet upgraded to QRadar V7.4.0 must be aware that the Log Source Management application replaces the legacy QRadar Log Source user interface in QRadar 7.4.0.
04 January 2023