IBM Support

QRadar: How to create a Report for all active Log Sources

Question & Answer


How can I set up a weekly report that displays all active log sources and total events per log source?


Follow these steps to create the report on the status of your active log sources:

  1. Log in to the QRadar console.
  2. Click the Reports tab.
  3. Click Actions.
  4. Click Create.
  5. This opens up the Report Wizard.
  6. Choose the Report Schedule and click Next.
  7. Choose the Layout of the report and click Next.
  8. Enter a Report Title in the text Box.
  9. In the Chart Type drop-down menu, select Log Sources.
  10. This brings you to a new page. Under Log Sources, click the check box that says All log sources.
  11. Under Data Options, set the Order by the option to Status, and Ascending.
    This report lists all log sources, with the enabled log sources at the top of the report.Reports
  12. For other Data Options, including EnabledProtocolTarget CollectorAuto Discovered, and Name select one of these options from the drop-down menu.
Note: If you don't want certain log sources to show up in reports, you can create an LSG for LS's which you want to omit from the Report.
The final output generates a report that displays all active log sources and total events per log source.

[{"Type":"MASTER","Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"ARM Category":[{"code":"a8m0z000000cwtmAAA","label":"Reports"}],"ARM Case Number":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"7.2.0;7.3.0"}]

Document Information

Modified date:
16 November 2022