Adding a Log Source by using the Log Sources Icon

If a log source is not automatically discovered, you can manually add a log source to receive events from your network devices or appliances.

If you are using JSA 7.3.0 or earlier, you can add a log source in JSA by using the Log Sources icon.

If you are using JSA 7.3.1 and later, you can add a log source by using the JSA Log Source Management app.

  1. Log in to JSA.

  2. Click the Admin tab.

  3. Click the Log Sources icon.

  4. Click Add.

  5. Configure the common parameters for your log source.

  6. Configure the protocol-specific parameters for your log source.

  7. The following table describes the common log source parameters for all log source types:

    Table 1: Common Log Source Parameters

    Parameter

    Description

    Enabled

    When this option is not enabled, the log source does not collect events.

    Credibility

    Credibility is a representation of the integrity or validity of events that are created by a log source. The credibility value that is assigned to a log source can increase or decrease based on incoming events, or be adjusted in response to user-created event rules. The credibility of events from log sources contributes to the calculation of the offense magnitude and can increase or decrease the magnitude value of an offense.

    Target Event Collector

    Specifies the JSA host where the log source's protocol runs. Outbound protocols initiate connections to remote systems from this host, and inbound protocols initialize their port listeners on this host to receive event data sent by remote systems.

    This parameter is not specifically used for assigning a log source to an Event Collector appliance. Because the Event Collector component exists on the following hosts, the protocols can be assigned to any of these hosts:

    • Event Collectors
    • Event Processors
    • The JSA Console

    Tip: All JSA hosts that can collect events have an active syslog listener on port 514, whether they have any syslog log sources that are assigned or not. The Target Event Collector parameter is not used for log sources with the Syslog protocol.

    Coalescing Events

    When multiple events with the same QID, Username, Source IP, Destination IP, Destination Port, Domain, and Log Source occur within a short time interval (10 seconds), they are coalesced (bundled) together.

    Because the events are bundled together, the number of events that are stored is decreased, which reduces the storage cost of events. Coalescing events might lead to loss of information, including raw payloads or event properties. The default is enabled.

  8. Click Save.

  9. On the Admin tab, click Deploy Changes.
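
To make the trade-off behind the Coalescing Events parameter in Table 1 concrete, the following Python model (an added example, not JSA code) bundles events that share the key fields listed in the table within a 10-second interval and records which raw payloads are no longer stored. It assumes the interval is measured from the first event of a bundle and that only that first event's payload is kept; all field values and payloads are constructed.

```python
from collections import namedtuple

# Fields the table lists as the coalescing key.
KEY_FIELDS = ("qid", "username", "src_ip", "dst_ip", "dst_port", "domain", "log_source")
WINDOW_SECONDS = 10  # interval stated in the table

Event = namedtuple("Event", ("ts",) + KEY_FIELDS + ("payload",))


def coalesce(events, window=WINDOW_SECONDS):
    """Simplified model: store the first event of each bundle, count the rest.

    Assumption: the window is measured from the first event of the bundle,
    and only that event's raw payload is retained.
    """
    open_bundles = {}  # key tuple -> bundle currently accepting events
    stored = []        # what ends up in event storage
    for ev in sorted(events, key=lambda e: e.ts):
        key = tuple(getattr(ev, f) for f in KEY_FIELDS)
        bundle = open_bundles.get(key)
        if bundle and ev.ts - bundle["first"].ts <= window:
            bundle["event_count"] += 1
            bundle["dropped_payloads"].append(ev.payload)
        else:
            bundle = {"first": ev, "event_count": 1, "dropped_payloads": []}
            open_bundles[key] = bundle
            stored.append(bundle)
    return stored


def make(ts, user, payload, qid=5000001):
    # Constructed sample values; not real device output.
    return Event(ts, qid, user, "10.0.0.5", "10.0.0.9", 22, "default", "sshd@host1", payload)


SAMPLE = [
    make(0, "alice", "Failed password for alice from 10.0.0.5 port 40001"),
    make(3, "alice", "Failed password for alice from 10.0.0.5 port 40002"),
    make(9, "alice", "Failed password for alice from 10.0.0.5 port 40003"),
    make(4, "bob", "Failed password for bob from 10.0.0.5 port 40004"),
    make(15, "alice", "Failed password for alice from 10.0.0.5 port 40005"),
]

if __name__ == "__main__":
    for b in coalesce(SAMPLE):
        print(b["first"].ts, b["first"].username, b["event_count"], len(b["dropped_payloads"]))
```

In the sample, five events become three stored records, and the source ports of two of the failed logins survive only in payloads that the model discards. That is the kind of detail an investigation loses when coalescing is left enabled for a log source.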