IBM Support

QRadar: Log Source Management: Expected Protocol Not Available For Custom Log Source

Question & Answer


Question

My custom Log Source does not have an expected protocol available as a protocol option in the Log Source Management app:

Protocol not available

Cause

Sometimes, after the migration of DSMs from one QRadar® system to another, a custom Log Source can lose its configured protocol association.

Answer

The association between the custom Log Source type and associated protocol needs to be added again.
Procedure:
  1. Obtain the Log Source's 'log_source_id' from the Log Source Management app:
    Log Source ID
  2. SSH to the QRadar® console's CLI.
  3. Obtain the custom Log Source's 'device_type_id':
    psql -U qradar -c "select id,devicename,devicetypeid as device_type_id from sensordevice where id=<log_source_id>;"
  4. Obtain the protocol's 'protocol_id':
    psql -U qradar -c "select id as protocol_id, protocoldescription from sensorprotocol where protocolname like '%<protocol_name>%';"
  5. Check for the custom Log Source type and protocol association:
    psql -U qradar -c "select * from sensordeviceprotocols where sensordevicetypeid=<device_type_id> and sensorprotocolid=<protocol_id>;"
  6. Once you have confirmed that the custom Log Source type and protocol association does not exist, add the association:
    psql -U qradar -c "insert into sensordeviceprotocols values (<device_type_id>,<protocol_id>);"
  7. Perform step 5 again to confirm that the custom Log Source type and protocol association now exists.
  8. Refresh the Log Source Management app (if open) or open the app again.
  9. Open the custom Log Source to confirm that the expected protocol is now available as a protocol option.
Protocol now available
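
Steps 5 to 7 can be run as one check-then-insert, so that a repeated run never adds a second row. The script below is an added example, not part of the original IBM procedure; it uses the table and column names from the steps above, and the function names and return codes are assumptions of this example.

```shell
#!/bin/sh
# Added example: steps 5-7 of the procedure as one idempotent operation.
# Table and column names come from the procedure above; function names
# and return codes are assumptions of this example.

# Accept only plain decimal IDs so nothing else can reach the SQL string.
is_id() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Step 5 as a count: prints the number of matching association rows.
# -t (tuples only) and -A (unaligned) make psql print just the number.
count_association() {
    psql -U qradar -t -A -c "select count(*) from sensordeviceprotocols where sensordevicetypeid=$1 and sensorprotocolid=$2;"
}

# Returns 0 if exactly one association row exists afterwards,
# 2 on non-numeric input, 1 on a query failure or unexpected row count.
ensure_association() {
    is_id "$1" && is_id "$2" || { echo "IDs must be numeric" >&2; return 2; }
    n=$(count_association "$1" "$2") || return 1
    case "$n" in
        0)  # Step 6: association missing, add it (same insert as the procedure).
            psql -U qradar -c "insert into sensordeviceprotocols values ($1,$2);" >/dev/null || return 1 ;;
        1)  echo "association already present, nothing inserted" >&2 ;;
        *)  echo "unexpected row count: $n" >&2; return 1 ;;
    esac
    # Step 7: confirm the association now exists exactly once.
    [ "$(count_association "$1" "$2")" = "1" ]
}

# Usage on the QRadar console: sh ensure_assoc.sh <device_type_id> <protocol_id>
if [ "$#" -eq 2 ]; then
    ensure_association "$1" "$2"
fi
```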


Document Information

Modified date:
03 December 2020

UID

ibm16373254