IBM Support

QRadar: How to exclude Log Source types from being discovered by Auto Detection



Administrators can experience issues where a log source type has events that are so similar that Traffic Analysis (TA), which is QRadar’s Log Source Auto Detection engine, incorrectly creates the log source. This is especially true when there are not enough events coming from the log source for Traffic Analysis to correctly identify the log source type. When this occurs, administrators might need to disable the offending log source type.

Resolving The Problem

Before you begin
This procedure can be completed on QRadar V7.3.1 and later Console appliances. After auto detection is disabled for a log source type, administrators must manually add the log source from the Log Source Management App until you re-enable auto detection.
  1. Using an SSH session login to the QRadar Console as the root user.
    Note: This utility can only be run from the QRadar Console appliance. QRadar on Cloud administrators must contact support to disable log sources for their Console appliances.
  2. To view a list of log source types and the current detection state for Traffic Analysis, type:
    /opt/qradar/support/ -l
  3. When prompted, type the username and password for the admin user. For example,
    /opt/qradar/support/ -l
    Username: admin
    Password: *************
    LOG SOURCE TYPE ID | NAME                                                      | DETECTION STATE
    194                | Cisco ACE Firewall                                        | ENABLED
    90                 | Cisco ACS                                                 | ENABLED
    182                | Cisco Aironet                                             | ENABLED
    10                 | Apache HTTP Server                                        | ENABLED
    280                | Application Security DbProtect                            | ENABLED
    22                 | Nortel Multiprotocol Router                               | ENABLED
    299                | Arpeggio SIFT-IT                                          | ENABLED
  4. Locate the Log Source Type ID for the log source you want to disable and note the number.
  5. To disable auto discovery for a log source, type the following command:
    /opt/qradar/support/ -i <Log Source Type ID> -d
  6. Type the username and password for the admin account.
  7.  Optional. Administrators can enable Traffic Analysis in the future with the -e command. For example,
    /opt/qradar/support/ -i 24 -e
    [WARNING]: Changes will ONLY be reflected if Autodetection - Use Global settings is enabled.
    [INFO]: Updating (1) ad_config_record(s)...
    Username: admin
    Password: ************
    LOG SOURCE TYPE ID | NAME                                                 | UPDATED STATE
    24                 | Solaris Operating System Authentication Messages     | ENABLED

    Administrators can disable or enable a log source type from the command line when administrators need to resolve traffic analysis problems for incoming events. If you experience an issue with this utility or you are a QRadar on Cloud administrator, contact QRadar Support for assistance to disable auto detection for specific log sources types.

Document Location


[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"Component":"","Platform":[{"code":"PF016","label":"Linux"}],"Version":"All Versions","Edition":"","Line of Business":{"code":"LOB24","label":"Security Software"}}]

Document Information

Modified date:
21 July 2021