IBM Support

QRadar: How to change log source type in bulk by using the QRadar API

How To


Summary

The Log Source Management app does not allow users to change the log source type in bulk. This article explains how to change the log source type in bulk for log sources by using the QRadar API.

Steps

Follow these three steps to change the log source type in bulk.

Get the type_id

The type_id is the log source type id of the new log source type.

  1. SSH to the QRadar console.
  2. Run the following PSQL command, but replace <log_source_type> with the name of the log source type that you want to change to:
    psql -U qradar -c "select id,devicetypename from sensordevicetype;" | grep -i <log_source_type>
    For this example, we use the Aruba log source type:
    psql -U qradar -c "select id,devicetypename from sensordevicetype;" | grep -i Aruba
      391 | ArubaClearPass
    The id is 391.

    Result
    The command returns the log source type ID (type_id) of the new log source type.

Get the log source IDs

The log source IDs are used to identify the log sources to be edited.

  1. Log in to the QRadar user interface as an admin user.
  2. Go to the Admin section.
  3. Scroll to the Data Sources section and select Log Sources. This action opens the Log Source Management app.
  4. Search for the log sources that you want to edit and note the ID of each one. The ID is the number that the Log Source Management app displays at the left side.
    This example uses six log sources that were created by using the EMC VMWare log source type; the admin needs to change them to Aruba.

    Result
    The administrator noted the IDs of the log sources to be edited.

Use the type_id and the log source IDs to apply the changes

With the type_id and the log source IDs, the administrator can change the log source type in the Interactive API for Developers.

  1. Log in to the QRadar user interface.
  2. In the left menu, open the Interactive API for Developers.
  3. From the left menu, select config, then event_sources, then log_source_management, and then log_sources.
  4. Scroll down to the Parameters section. In the log_source_data parameter, enter in JSON format the log source IDs and the log source type ID of the new log source type.
    Sample of the log_source_data used in this example:
    [
      {
        "type_id": 391,
        "id": 2590
      },
      {
        "type_id": 391,
        "id": 2588
      },
      {
        "type_id": 391,
        "id": 2582
      },
      {
        "type_id": 391,
        "id": 2584
      },
      {
        "type_id": 391,
        "id": 2585
      },
      {
        "type_id": 391,
        "id": 2586
      }
    ]
  5. Click Try It Out! and confirm that the response is 202. If it is not 202, then there is something wrong with the JSON format.
  6. Confirm in the Log Source Management app that the log sources have the new log source type.

    Result
    The administrator is able to change the log source type in multiple log sources by using the QRadar API.
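
The following helper is an added example, not IBM's code. It picks the type_id out of psql output by exact name match, builds the log_source_data array from a list of log source IDs, and checks a hand-edited payload for JSON format errors before it is submitted. The function names and the sample psql text are assumptions constructed for this illustration.

```python
import json

def parse_type_id(psql_output, type_name):
    """Return the id for an exact devicetypename match in rows like ' 391 | ArubaClearPass'."""
    matches = []
    for line in psql_output.splitlines():
        left, sep, right = line.partition("|")
        if sep and left.strip().isdigit() and right.strip().lower() == type_name.lower():
            matches.append(int(left.strip()))
    if len(matches) != 1:
        # grep -i can return several similarly named types; refuse to guess.
        raise ValueError(f"expected exactly one row for {type_name!r}, found {len(matches)}")
    return matches[0]

def build_log_source_data(log_source_ids, type_id):
    """Build the log_source_data JSON array: one {id, type_id} object per log source."""
    ids = [int(i) for i in log_source_ids]
    dupes = sorted({i for i in ids if ids.count(i) > 1})
    if dupes:
        raise ValueError(f"duplicate log source IDs: {dupes}")
    return json.dumps([{"id": i, "type_id": int(type_id)} for i in ids], indent=2)

def validate_log_source_data(text):
    """Return a list of problems in a hand-edited payload (empty list means OK)."""
    try:
        data = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg} at line {exc.lineno}"]
    if not isinstance(data, list) or not data:
        return ["payload must be a non-empty JSON array"]
    problems = []
    for n, item in enumerate(data):
        if not isinstance(item, dict):
            problems.append(f"element {n} is not an object")
            continue
        for key in ("id", "type_id"):
            value = item.get(key)
            if isinstance(value, bool) or not isinstance(value, int):
                problems.append(f"element {n}: {key!r} must be an integer")
    return problems

# Constructed sample input, modelled on the values used in this article.
SAMPLE_PSQL = " id | devicetypename\n 391 | ArubaClearPass\n"
SAMPLE_IDS = [2590, 2588, 2582, 2584, 2585, 2586]

if __name__ == "__main__":
    payload = build_log_source_data(SAMPLE_IDS, parse_type_id(SAMPLE_PSQL, "ArubaClearPass"))
    print(payload)
    print(validate_log_source_data(payload) or "payload OK")
```

Paste the printed array into the log_source_data parameter in step 4.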

Document Location

Worldwide


Document Information

Modified date:
02 May 2023

UID

ibm16984767