Troubleshooting
Problem
Administrators can experience issues where a log source type has events that are so similar to those of another type that Traffic Analysis (TA), which is QRadar's Log Source Auto Detection engine, creates the log source with the wrong type. This is especially true when not enough events arrive from the log source for Traffic Analysis to correctly identify the log source type. When this occurs, administrators might need to disable auto detection for the offending log source type.
Resolving The Problem
Before you begin
This procedure can be completed on QRadar V7.3.1 and later Console appliances. After auto detection is disabled for a log source type, administrators must manually add log sources of that type from the Log Source Management App until auto detection is re-enabled.
- Using an SSH session, log in to the QRadar Console as the root user.
  Note: This utility can only be run from the QRadar Console appliance. QRadar on Cloud administrators must contact support to disable log sources for their Console appliances.
- To view a list of log source types and the current detection state for Traffic Analysis, type:
  /opt/qradar/support/autodetection_config.py -l
- When prompted, type the username and password for the admin user. For example:

  /opt/qradar/support/autodetection_config.py -l
  Username: admin
  Password: *************
  LOG SOURCE TYPE ID | NAME                                   | DETECTION STATE
  -------------------+----------------------------------------+----------------
  194                | Cisco ACE Firewall                     | ENABLED
  90                 | Cisco ACS                              | ENABLED
  182                | Cisco Aironet                          | ENABLED
  10                 | Apache HTTP Server                     | ENABLED
  280                | Application Security DbProtect         | ENABLED
  22                 | Nortel Multiprotocol Router            | ENABLED
  299                | Arpeggio SIFT-IT                       | ENABLED

- Locate the Log Source Type ID for the log source type you want to disable and note the number.
- To disable auto detection for a log source type, type the following command:
  /opt/qradar/support/autodetection_config.py -i <Log Source Type ID> -d
- Type the username and password for the admin account.
- Optional. Administrators can re-enable Traffic Analysis for the log source type later with the -e option. For example:

  /opt/qradar/support/autodetection_config.py -i 24 -e
  [WARNING]: Changes will ONLY be reflected if Autodetection - Use Global settings is enabled.
  [INFO]: Updating (1) ad_config_record(s)...
  Username: admin
  Password: ************
  LOG SOURCE TYPE ID | NAME                                             | UPDATED STATE
  -------------------+--------------------------------------------------+--------------
  24                 | Solaris Operating System Authentication Messages | ENABLED
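When a Console has hundreds of log source types, reading the Type ID off the `-l` listing by eye is error-prone. The following Python helper is an added example, not part of this technote or of the QRadar utility: it parses the listing output shown above (reproduced here as a constructed sample), looks up the Type ID for a log source type by name, and composes the exact `-d` or `-e` command line from the steps above so that the ID is never retyped by hand. The `ROW_RE` pattern and the assumption that the state column holds a single upper-case word (the page only shows `ENABLED`) are the author's assumptions, not documented behaviour of `autodetection_config.py`.

```python
import re

# Constructed sample of the table printed by `autodetection_config.py -l`,
# taken from the rows shown in this technote (prompt lines included on purpose,
# because a real capture of the command's output contains them).
SAMPLE_LISTING = """\
/opt/qradar/support/autodetection_config.py -l
Username: admin
Password: *************
LOG SOURCE TYPE ID | NAME                                   | DETECTION STATE
-------------------+----------------------------------------+----------------
194                | Cisco ACE Firewall                     | ENABLED
90                 | Cisco ACS                              | ENABLED
182                | Cisco Aironet                          | ENABLED
10                 | Apache HTTP Server                     | ENABLED
280                | Application Security DbProtect         | ENABLED
22                 | Nortel Multiprotocol Router            | ENABLED
299                | Arpeggio SIFT-IT                       | ENABLED
"""

TOOL = "/opt/qradar/support/autodetection_config.py"

# Assumption: a data row is "<integer id> | <name> | <UPPERCASE state>".
# The header, the dashed separator and the Username:/Password: prompt lines
# do not start with an integer, so they are skipped automatically.
ROW_RE = re.compile(r"^\s*(\d+)\s*\|\s*(.+?)\s*\|\s*([A-Z]+)\s*$")


def parse_listing(text):
    """Return a list of (type_id, name, state) tuples from the -l output."""
    rows = []
    for line in text.splitlines():
        match = ROW_RE.match(line)
        if match:
            rows.append((int(match.group(1)), match.group(2), match.group(3)))
    return rows


def find_type_id(rows, name):
    """Case-insensitive exact match on the NAME column; None if absent."""
    wanted = name.strip().casefold()
    for type_id, row_name, _state in rows:
        if row_name.casefold() == wanted:
            return type_id
    return None


def build_command(type_id, enable=False):
    """Compose the disable (-d) or enable (-e) command from the procedure."""
    flag = "-e" if enable else "-d"
    return f"{TOOL} -i {type_id} {flag}"


def states_by_name(rows):
    """Map each log source type name to its detection state, for reporting."""
    return {name: state for _type_id, name, state in rows}


if __name__ == "__main__":
    parsed = parse_listing(SAMPLE_LISTING)
    apache_id = find_type_id(parsed, "Apache HTTP Server")
    print(f"Parsed {len(parsed)} log source types")
    print("Disable command:", build_command(apache_id))
    print("Re-enable command:", build_command(apache_id, enable=True))
```

Run it with a real capture by replacing `SAMPLE_LISTING` with the saved output of the `-l` command; the helper only prints the command line, so the administrator still runs it deliberately and supplies the admin credentials at the prompt.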
Results
Administrators can disable or enable auto detection for a log source type from the command line when they need to resolve Traffic Analysis problems with incoming events. If you experience an issue with this utility, or you are a QRadar on Cloud administrator, contact QRadar Support for assistance with disabling auto detection for specific log source types.
Document Location
Worldwide
Document Information
Modified date:
21 July 2021
UID
ibm10886895