Adding a Log Source

If a log source is not automatically discovered, you can manually add a log source to receive events from your network devices or appliances.

If you are using JSA 7.3.1 to 7.3.3, you can also add a log source by following the procedure in Adding a Log Source by using the Log Sources Icon.

Ensure that the JSA Log Source Management app is installed on your JSA Console. For more information about installing the app, see Installing the JSA Log Source Management app.

  1. Log in to JSA.

  2. Click the Admin tab.

  3. To open the app, click the JSA Log Source Management app icon.

  4. Click New Log Source > Single Log Source.

  5. On the Select a Log Source Type page, select a log source type, and click Select Protocol Type.

  6. On the Select a Protocol Type page, select a protocol, and click Configure Log Source Parameters.

  7. On the Configure the Log Source parameters page, configure the log source parameters, and click Configure Protocol Parameters.

    The following table describes the common log source parameters for all log source types:

    Table 1: Common Log Source Parameters

    | Parameter | Description |
    |---|---|
    | Enabled | When this option is not enabled, the log source does not collect events. |
    | Credibility | Credibility is a representation of the integrity or validity of events that are created by a log source. The credibility value that is assigned to a log source can increase or decrease based on incoming events, or can be adjusted as a response to user-created event rules. The credibility of events from log sources contributes to the calculation of the offense magnitude and can increase or decrease the magnitude value of an offense. |
    | Target Event Collector | Specifies the JSA host where the log source's protocol runs. Outbound protocols initiate connections to remote systems from this host, and inbound protocols initialize their port listeners on this host to receive event data sent by remote systems. This parameter is not specifically used for assigning a log source to an Event Collector appliance. Because the Event Collector component exists on the following hosts, the protocols can be assigned to any of these hosts: Event Collectors, Event Processors, and the JSA Console. Tip: All JSA hosts that can collect events have an active syslog listener on port 514, whether they have any syslog log sources that are assigned or not. The Target Event Collector parameter is not used for log sources with the Syslog protocol. |
    | Coalescing Events | When multiple events with the same QID, Username, Source IP, Destination IP, Destination Port, Domain, and Log Source occur within a short time interval (10 seconds), they are coalesced (bundled) together. Because the events are bundled together, the number of events that are stored is decreased, which reduces the storage cost of events. Coalescing events might lead to loss of information, including raw payloads or event properties. The default is enabled. |

  8. On the Configure the protocol parameters page, configure the protocol-specific parameters.

    • If your configuration can be tested, click Test Protocol Parameters.

    • If your configuration cannot be tested, click Finish.

  9. In the Test protocol parameters window, click Start Test.

  10. To fix any errors, click Configure Protocol Parameters. Configure the parameters and click Test Protocol Parameters.

  11. Click Finish.
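
The effect of the Coalescing Events parameter in Table 1, as an added example that is not JSA code: a simplified model that bundles events sharing the listed fields within 10 seconds and shows which raw payloads would not be stored. The field names, the keep-first-payload behaviour, the window measured from the first event in a bundle, and the sample events are assumptions made for illustration.

```python
from collections import namedtuple

# Fields the page lists as the coalescing key (names here are illustrative).
KEY_FIELDS = ("qid", "username", "src_ip", "dst_ip", "dst_port", "domain", "log_source")
WINDOW_SECONDS = 10  # interval stated in Table 1

Event = namedtuple("Event", ("ts",) + KEY_FIELDS + ("payload",))


def coalesce(events, window=WINDOW_SECONDS):
    """Simplified model (assumption, not the product's algorithm): events that
    share the key within `window` seconds of a bundle's first event are merged,
    and only the first raw payload is kept."""
    open_bundles = {}  # key -> bundle currently accepting events
    stored = []        # what would end up in storage
    for ev in sorted(events, key=lambda e: e.ts):
        key = tuple(getattr(ev, f) for f in KEY_FIELDS)
        bundle = open_bundles.get(key)
        if bundle and ev.ts - bundle["first_ts"] < window:
            bundle["count"] += 1
            bundle["dropped_payloads"].append(ev.payload)  # information lost
        else:
            bundle = {"first_ts": ev.ts, "key": key, "count": 1,
                      "payload": ev.payload, "dropped_payloads": []}
            open_bundles[key] = bundle
            stored.append(bundle)
    return stored


def sample_events():
    """Constructed sample: failed SSH logins that differ only in raw payload."""
    base = dict(qid=1001, username="svc-backup", src_ip="10.0.0.5",
                dst_ip="10.0.0.9", dst_port=22, domain="default",
                log_source="linux-01")
    msg = "sshd[811]: Failed password for {} from 10.0.0.5 port {}"
    return [
        Event(ts=0, payload=msg.format("svc-backup", 50122), **base),
        Event(ts=3, payload=msg.format("svc-backup", 50124), **base),
        Event(ts=4, payload=msg.format("root", 50125), **dict(base, username="root")),
        Event(ts=9, payload=msg.format("svc-backup", 50131), **base),
        Event(ts=12, payload=msg.format("svc-backup", 50140), **base),
    ]


if __name__ == "__main__":
    for b in coalesce(sample_events()):
        print(b["first_ts"], b["key"][1], "count:", b["count"],
              "payloads not stored:", len(b["dropped_payloads"]))
```

For log sources where each raw payload matters to an investigation, such as authentication logs, this is the trade-off to weigh before leaving the default enabled.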