IBM Support

QRadar: Difference between disabling and deleting a QRadar log source

Question & Answer


Question

What is the difference between disabling and deleting a QRadar log source?

Answer

Disabled and deleted are logical functions, and the following points explain the difference between them.
Disabling a log source
  • When a log source is disabled in QRadar, the log source remains visible in the Log Source Management (app).
  • You can see the log source in the LSM app and can still search the data associated with a disabled log source.
  • Whether or not the disabled log source is capable of auto-discovery, it is not re-created automatically, because it still exists.
  • If you remove a log source, then any search or rule that references this particular log source eventually breaks.
Deleting a log source
  • When a log source is deleted from QRadar, the log source is not visible in the Log Source Management (app).
  • You cannot see the “Add filter” list to search for the data that is associated with the deleted log source.
  • If the deleted log source is capable of auto-discovery, then it is re-created automatically after it is deleted.
Note: We recommend disabling a log source rather than deleting a log source.

    Document Information

    Modified date: 28 March 2023

    UID: ibm16955491