Disabling a Log Source Type from being Autodetected with tatoggle.pl

Problem

Description: How does an administrator disable log sources from being automatically created in JSA?

Solution

Data sent to JSA from event sources can be automatically detected by Traffic Analysis (TA), which reviews incoming syslog event payloads to determine if the events can be matched to a log source type and creates a new log source automatically. Automatically detected log sources are displayed in the Log Sources window on the Admin tab of JSA. The tatoggle.pl utility is a legacy tool that allows JSA 7.3.1 administrators to disable log source autodetection for an entire log source type.

In certain scenarios, administrators might want to disable log source auto discovery to prevent log sources from being automatically created. For example, log sources might be created incorrectly, or an event source might be known to send data so slowly that it keeps entering the auto discovery queue. In these cases, administrators can disable log source auto discovery on each managed host that receives those events. Disabling a Log Source Type with tatoggle requires administrators to manually create log sources for that Log Source Type.

Ensure that you take the following precautions:

These instructions are intended only for JSA 7.3.1. JSA 7.3.2 and later versions can use the DSM Editor interface to disable auto discovery for a log source type.

  • Download the tatoggle.zip file to your local folder.

  • Log source auto discovery works at the managed host level, so you must use tatoggle on each managed host that receives the syslog events you do not want to auto discover.

  • The ECS-EC service must be restarted on all appliances where Log Source Types were disabled. Restarting the ECS-EC service stops event collection and a maintenance window is suggested for administrators who need to disable log source auto discovery.

  • It is recommended that you disable Log Source Types only if the Log Source Type is not used in your deployment.

  • Inform other administrators when you disable auto discovery for a log source.

To disable a Log Source Type in JSA 7.3.1:

  1. Using an SCP client, upload tatoggle.zip to /opt/qradar/bin/ on your JSA Console.
  2. Using SSH, log in to the JSA Console as the root user.
  3. Navigate to the /opt/qradar/bin/ directory.
  4. To extract the file, type the following command:

    unzip tatoggle.zip

  5. To copy tatoggle.pl to all Managed Hosts in the deployment, type the following command:

    /opt/qradar/support/all_server.sh -p tatoggle.pl -k -r /opt/qradar/bin/

  6. Set permissions on tatoggle.pl with the command:

    /opt/qradar/support/all_server.sh -C -k "chmod 755 /opt/qradar/bin/tatoggle.pl"

  7. Open an SSH session to the managed host receiving the syslog events that need to be excluded from traffic analysis.
  8. To disable log source auto discovery, type the following command:

    /opt/qradar/bin/tatoggle.pl

  9. From the list, use the n or p keys to locate the Log Source Type to disable.
  10. Type the number of the Log Source Type to disable.

    Note: If you make a mistake or decide to quit, press q to exit without saving.

    Figure 1: Toggle DSM Autodetection
  11. Repeat the process with each Log Source Type to be disabled.
  12. Press s to save and exit.

    Note: Restarting ECS-EC temporarily stops event collection while the service restarts. Administrators with strict outage policies can complete the next step during a scheduled maintenance window for their organization.

  13. Restart the ecs-ec service with the command:

    systemctl restart ecs-ec

  14. Repeat this procedure on each JSA managed host where log source auto detection needs to be disabled.
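The following script is an added post-deployment check; it is not part of the original article and is not the tatoggle.pl tool itself. It confirms on a single host that tatoggle.pl was copied with the 755 mode set in step 6, and that the ecs-ec service is active again after the restart in step 13, so that event collection has resumed. The TATOGGLE_PATH variable and the --check flag are this example's own conventions; the file path and the ecs-ec unit name come from the article.

```shell
#!/bin/sh
# Added post-deployment check (not part of the original article or of the
# tatoggle.pl tool). It verifies that tatoggle.pl landed on this host with
# the 755 mode from step 6 and, after step 13, that ecs-ec is active again.

# Path from the article; override with TATOGGLE_PATH=... when testing elsewhere.
TATOGGLE_PATH="${TATOGGLE_PATH:-/opt/qradar/bin/tatoggle.pl}"

# check_tool_mode FILE: return 0 when FILE is a regular file with mode 755.
check_tool_mode() {
    f="$1"
    if [ ! -f "$f" ]; then
        echo "missing: $f" >&2
        return 1
    fi
    # GNU stat (Linux, which JSA runs on); BSD stat as a fallback for local testing.
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    if [ "$mode" != "755" ]; then
        echo "unexpected mode $mode on $f (want 755)" >&2
        return 1
    fi
    return 0
}

# check_ecs_ec_active: return 0 when systemd reports the ecs-ec unit active.
# Only meaningful on a JSA appliance; on any other machine it returns non-zero.
check_ecs_ec_active() {
    command -v systemctl >/dev/null 2>&1 || return 1
    systemctl is-active --quiet ecs-ec
}

# Run both checks only when invoked with --check, so the file can be sourced
# for testing without touching the system.
if [ "${1:-}" = "--check" ]; then
    check_tool_mode "$TATOGGLE_PATH" && check_ecs_ec_active \
        && echo "ok: $TATOGGLE_PATH is mode 755 and ecs-ec is active"
fi
```

Run it as `sh check_tatoggle.sh --check` on each managed host after step 13; a non-zero exit means either the copy in step 5 or the chmod in step 6 did not reach that host, or ecs-ec has not come back up and event collection is still stopped.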

Results

Log source auto detection is disabled for the selected Log Source Types, and future log sources that match them are not created automatically. In JSA 7.3.2 or later, the DSM Editor includes a user interface feature to enable or disable log source auto detection.