Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


Log Source Detection

JSA automatically detects log sources that send syslog messages to an Event Collector.

Log sources are detected when JSA receives a specific number of identifiable syslog messages. The traffic analysis component processes syslog messages, identifies the DSMs that are installed on the system, and then assigns the appropriate DSM to the log source. Automatically discovered log sources are displayed in the Log Sources window.

JSA might not automatically detect log sources that have low activity levels. You must add these devices manually.


DSMs are used to interpret log source data. To receive log source data, you must ensure that the correct DSMs are installed in JSA.

For more information about automatically detecting log sources, see the Juniper Secure Analytics Configuring DSMs Guide.

Displaying Log Sources

A log source is any external device or system that is configured to either send events to your JSA system or to be collected by your JSA system. You can display the log sources that are automatically discovered.

  1. On the navigation menu, click Admin.

  2. On the navigation menu, click Data Sources.

  3. Click the Log Sources icon.


Use the QRadar Use Case Manager app to visualize log source type coverage per rule. You can also use the app to identify gaps in rule coverage from content extensions.

Download the app at the IBM Security App Exchange.

Adding Log Sources Manually

You can manually add log sources that JSA does not detect automatically.

  1. Click the Admin tab.

  2. On the navigation menu, click Data Sources.

  3. Click the Log Sources icon.

  4. On the toolbar, click Add.

  5. Configure the parameters.

    The following table describes the common log source parameters for all log source types:

    Table 1: Log Source Parameters



    Log Source Identifier

    The IPv4 address or host name that identifies the log source.

    If your network contains multiple devices that are attached to a single management console, specify the IP address of the individual device that created the event. A unique identifier for each, such as an IP address, prevents event searches from identifying the management console as the source for all of the events.


    When this option is not enabled, the log source does not collect events and the log source is not counted in the license limit.


    Credibility is a representation of the integrity or validity of events that are created by a log source. The credibility value that is assigned to a log source can increase or decrease based on incoming events, or it is adjusted in response to user-created event rules. The credibility of events from log sources contributes to the calculation of the offense magnitude and can increase or decrease the magnitude value of an offense.

    Target Event Collector

    Specifies the JSA Event Collector that polls the remote log source.

    Use this parameter in a distributed deployment to improve Console system performance by moving the polling task to an Event Collector.

    Coalescing Events

    Increases the event count when the same event occurs multiple times within a short time interval. Coalesced events provide a way to view and determine the frequency with which a single event type occurs on the Log Activity tab.

    When this check box is clear, events are viewed individually and events are not bundled.

    New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. You can use this check box to override the default behavior of the system settings for an individual log source.

  6. Click Save.

  7. On the Admin tab, click Deploy Changes.