Configuring Log Source Autodetection for Log Source Types

Configure Log Source Autodetection for a log source type so that you don't need to manually create a log source for each instance. Log source autodetection configuration also helps to improve the accuracy of detecting devices that share a common format, and can improve pipeline performance by avoiding the creation of incorrectly detected devices.

In JSA 7.3.2, upgrades from previous versions enable global configuration settings, which are stored in the JSA database. The global settings are initially set based on the contents of the TrafficAnalysisConfig.xml file in /opt/qradar/conf/ directory on the JSA Console. If this file was customized before you upgrade to 7.3.2, the customizations are preserved. If different customizations exist on other managed hosts in the deployment, these customizations aren't carried over to the global settings. You can still enable per-event processor autodetection settings by using the configuration file method. Disable global autodetection settings in Admin > System & License Management > Edit Managed Host > Component Management.

When Log Source Autodetection is enabled, if you create a custom log source type that has many instances in your network, you don't need to manually create a log source for each instance.

You can also use the JSA REST API or a command line script to enable and disable which log source types are autodetected. If you use a smaller number of log source types, you can configure which log sources are autodetected to improve the speed of detection.

If you choose to revert to the file-based (non-global) settings, you can only configure autodetection by using the config file. The DSM Editor and REST API work only with global settings. Move any custom autodetection configurations to global settings and to the DSM Editor.

Tune the autodetection engine so that log sources aren't identified as the wrong type. Incorrect detection happens when a DSM recognizes events as its own even though they don't originate from the type of system that the DSM corresponds to, for example because the events are formatted similarly to the events the DSM supports, or because they contain the same keywords that the DSM is looking for. It can also happen even when a DSM exists for the system that is generating the events: if the events are similar enough, the incorrect DSM parses them as successfully as the correct DSM does, recognizes them as its own, and the autodetection engine creates a log source that isn't of the correct type.

For example, suppose you have both Linux and AIX systems in your JSA deployment, and most of them are Linux. You can reduce the Minimum Successful Events for Autodetection parameter for Linux. Alternatively, increase the Minimum Successful Events for Autodetection parameter for AIX.

  1. On the navigation menu, click Admin.
  2. In the Data Sources section, click DSM Editor.
  3. Select a log source type or create a new one from the Select Log Source Type window.
  4. Click the Configuration tab.
  5. Click Enable Auto Property Autodetection.
  6. Configure the following parameters:

    Table 1: Global System Notifications Window Parameters

    Log Source Name Template
      Enter the template for setting the name of autodetected log sources. Two variables can be used:
      • $$DEVICE_TYPE$$ corresponds to the log source type name.
      • $$SOURCE_ADDRESS$$ corresponds to the source address the events originate from.

    Log Source Description Template
      Enter the template for setting the description of autodetected log sources. The same two variables can be used:
      • $$DEVICE_TYPE$$ corresponds to the log source type name.
      • $$SOURCE_ADDRESS$$ corresponds to the source address the events originate from.

    Minimum Successful Events for Autodetection
      The minimum number of events from an unknown source that must be successfully parsed before autodetection occurs.

    Minimum Success Rate for Autodetection
      The minimum parsing success percentage for events from an unknown source before autodetection occurs.

    Attempted Parse Limit
      The maximum number of events from an unknown source to attempt to parse before autodetection is abandoned.

    Consecutive Failed Parse Limit
      The number of consecutive events from an unknown source that fail to parse before autodetection is abandoned.

  7. Click Save.
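As an added illustration (not JSA's own code), the following Python model walks one unknown source's events through the Table 1 thresholds and shows how the Minimum Successful Events, Minimum Success Rate, Attempted Parse Limit and Consecutive Failed Parse Limit parameters decide whether a log source is created, abandoned, or left pending. The threshold defaults, the "LinuxServer" type name and the addresses are constructed placeholders.

```python
from dataclasses import dataclass


@dataclass
class AutodetectConfig:
    """Thresholds named after the Table 1 parameters; defaults are constructed."""
    name_template: str = "$$DEVICE_TYPE$$ @ $$SOURCE_ADDRESS$$"
    min_successful_events: int = 25     # Minimum Successful Events for Autodetection
    min_success_rate: float = 90.0      # Minimum Success Rate for Autodetection (%)
    attempted_parse_limit: int = 1000   # Attempted Parse Limit
    consecutive_failed_limit: int = 10  # Consecutive Failed Parse Limit


def render_template(template: str, device_type: str, source_address: str) -> str:
    """Expand the two template variables the page documents."""
    return (template.replace("$$DEVICE_TYPE$$", device_type)
                    .replace("$$SOURCE_ADDRESS$$", source_address))


def autodetect(parse_results, device_type, source_address, cfg):
    """Walk one unknown source's DSM parse outcomes (True = parsed) in order.
    Returns ("created", log_source_name), ("abandoned", None) or ("undecided", None)."""
    attempted = successes = consecutive_failures = 0
    for parsed in parse_results:
        attempted += 1
        if parsed:
            successes += 1
            consecutive_failures = 0
        else:
            consecutive_failures += 1
            if consecutive_failures >= cfg.consecutive_failed_limit:
                return "abandoned", None   # look-alike traffic: give up early
        rate = 100.0 * successes / attempted
        if successes >= cfg.min_successful_events and rate >= cfg.min_success_rate:
            name = render_template(cfg.name_template, device_type, source_address)
            return "created", name
        if attempted >= cfg.attempted_parse_limit:
            return "abandoned", None       # parse budget spent below the thresholds
    return "undecided", None               # still gathering evidence


# Constructed scenarios; "LinuxServer" and the 10.0.0.x addresses are placeholders.
DEFAULT = AutodetectConfig()
SMALL_BUDGET = AutodetectConfig(attempted_parse_limit=100)

if __name__ == "__main__":
    print(autodetect([True] * 30, "LinuxServer", "10.0.0.5", DEFAULT))
    print(autodetect([True] * 8 + [False] * 10, "LinuxServer", "10.0.0.6", DEFAULT))
    print(autodetect([True, False] * 60, "LinuxServer", "10.0.0.7", SMALL_BUDGET))
```

The third scenario shows why a lower Attempted Parse Limit matters: a source that parses only half the time never reaches the 90% success rate, so the smaller budget stops the engine from spending a thousand events on it.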