Adding a Log Source to Receive Events

 

Use the QRadar Log Source Management app to add new log sources to receive events from your network devices or appliances.

Download and install a device support module (DSM) that supports the log source. A DSM is a software application that contains the event patterns that are required to identify and parse events. The events are parsed from the original format of the event log to the format that QRadar can use. You can install a DSM from Juniper Customer Support. For more information, see the Configuring DSM’s Guide.

  1. In the QRadar Log Source Management app, click + New Log Source.
  2. Click Single Log Source.
  3. On the Select a Log Source Type page, select a log source type and click Select Protocol Type.
  4. On the Select a Protocol Type page, select a protocol and click Configure Log Source Parameters.
  5. On the Configure the Log Source parameters page, configure the log source parameters and click Configure Protocol Parameters.
  6. On the Configure the protocol parameters page, configure the protocol-specific parameters.
  7. If your configuration can be tested, the Test Protocol Parameters option is listed in the Steps pane. When you test your configuration, you can identify any errors with your protocol parameters. For more information, see Testing Log Sources. To test your configuration, follow these steps:
    1. Click Test Protocol Parameters, and then click Start Test.

    2. To fix any errors, click Configure Protocol Parameters.

      On the Configure the protocol parameters page, configure the protocol-specific parameters, then test your protocol again.

      If your configuration can be tested, but you don't want to test it, click Skip Test and Finish.

  8. Click Finish.

Your log source is listed on the Log Sources page.

Adding a Quick Log Source

Use the Quick Log Source option in the QRadar Log Source Management app to add new log sources in a single screen. Add a quick log source if you want to add your log sources faster than using the + New Log Source option.

  1. In the QRadar Log Source Management app, click the + New Log Source drop-down arrow.
  2. Click Quick Log Source.
  3. Configure the parameters in the Log Source Summary pane and click Create.

Test your log sources. For more information, see Testing Log Sources.

Adding Multiple Log Sources At the Same Time

Use the QRadar Log Source Management app to add multiple log sources to QRadar at the same time. You can add as many log sources as you want.

  1. In the QRadar Log Source Management app, click + New Log Source and then click Multiple Log Sources.
  2. On the Select a Log Source type page, select a log source type and click Select Protocol Type.
  3. On the Select a protocol type page, select a protocol type and click Configure Common Log Source Parameters.
  4. On the Configure the common Log Source parameters page, configure the parameters that you want to set for all of the log sources.
  5. If you have log sources that have different log source parameter values, clear the relevant check boxes, and then click Configure Common Protocol Parameters.
  6. On the Configure the common protocol parameters page, configure the protocol-specific parameters that you want to set for all of the log sources.
  7. If you have log sources that have different protocol parameter values, clear the relevant check boxes, and then click Configure Individual Parameters.
  8. On the Configure the individual parameters page, upload a CSV file that contains the individual log source parameter values, and click Add.

    A log source is created for each line of this file, except for empty lines and comment lines that begin with a hashtag (#). Each line must contain the comma-separated list of parameter values for the Log Source Identifier field, and any other deferred parameters, in the order shown in the deferred parameters table.

  9. Click Bulk Template to download the file template and add the parameters that you want to configure, in order.

    For example, if you deferred the Enabled and Groups parameters, the CSV file must contain the following values:

    Enabled, Groups, Log Source Identifier

    If you include a comma in a parameter, enclose the value in double quotation marks.

  10. If you do not upload a CSV file:
    1. Click Manual to specify the values for the parameters that you deferred.

    2. Enter a Log Source Identifier for each new log source and click Add.

  11. Click Finish.

Test your log sources. For more information, see Testing Log Sources.
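
The CSV rules in steps 8 and 9 can be checked before the file is uploaded. The following is an added example, not part of the product or its documentation: a small Python lint that applies those rules (skip empty and # lines, one value per deferred parameter, double quotation marks around values that contain commas). The function name, the sample rows and the duplicate-identifier check are assumptions of this example.

```python
import csv

# Column order is an assumption copied from the page's example (Enabled and
# Groups deferred); use the order in your own deferred parameters table.
COLUMNS = ["Enabled", "Groups", "Log Source Identifier"]

def lint_bulk_csv(text, columns=COLUMNS):
    """Return (rows, problems); problems is a list of (line_number, message)."""
    rows, problems, seen = [], [], {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        # Empty lines and lines beginning with '#' create no log source.
        if not line.strip() or line.startswith("#"):
            continue
        try:
            # strict=True rejects unbalanced or misplaced double quotes.
            values = next(csv.reader([line], skipinitialspace=True, strict=True))
        except csv.Error as exc:
            problems.append((lineno, f"malformed quoting: {exc}"))
            continue
        if len(values) != len(columns):
            problems.append((lineno, f"expected {len(columns)} values, got {len(values)}"))
            continue
        row = dict(zip(columns, (v.strip() for v in values)))
        ident = row["Log Source Identifier"]
        if not ident:
            problems.append((lineno, "empty Log Source Identifier"))
        elif ident in seen:
            # Lint rule added by this example, not a rule stated on the page.
            problems.append((lineno, f"identifier repeats line {seen[ident]}"))
        else:
            seen[ident] = lineno
            rows.append(row)
    return rows, problems

# Constructed sample: host names, group names and true/false values are made up.
SAMPLE = """\
# Enabled, Groups, Log Source Identifier
true, Firewalls, fw-edge-01.example.net

true, "DMZ, Web", web-01.example.net
false, Firewalls fw-edge-02.example.net
true, Firewalls, fw-edge-01.example.net
true, "Core, web-02.example.net
"""

if __name__ == "__main__":
    rows, problems = lint_bulk_csv(SAMPLE)
    print(f"{len(rows)} log sources would be created")
    for lineno, msg in problems:
        print(f"line {lineno}: {msg}")
```

A line that fails the lint is one that would either be rejected or create a log source with shifted parameter values, so fix every reported line before you click Add.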