IBM DLC Metrics
The JSA DSM for IBM Disconnected Log Collector Metrics collects Syslog metric events from an IBM Disconnected Log Collector Metrics device.
To integrate IBM Disconnected Log Collector Metrics with JSA, complete the following steps:
1. If automatic updates are not enabled, download and install the most recent version of the following RPMs from the Juniper Downloads onto your JSA Console:
   - DSM Common RPM
   - IBM DLC Metrics DSM RPM
2. Configure your IBM Disconnected Log Collector Metrics device to send events to JSA.
3. If JSA does not automatically detect the log source, add an IBM Disconnected Log Collector Metrics log source on the JSA Console.
IBM DLC Metrics DSM Specifications
When you configure IBM Disconnected Log Collector, understanding the specifications for the IBM DLC Metrics DSM can help ensure a successful integration. For example, knowing what the supported version of IBM Disconnected Log Collector is before you begin can help reduce frustration during the configuration process.
The following table describes the specifications for the IBM DLC Metrics DSM.
Specification | Value |
---|---|
Manufacturer | IBM |
DSM name | IBM DLC Metrics |
RPM file name | DSM-IBMDLCMetrics-JSA_versionbuild_number.noarch.rpm |
Supported version | 1.5 |
Protocol | Syslog, Forwarded |
Event format | LEEF |
Recorded event types | All DLC Metrics event types |
Automatically discovered? | Yes |
Includes identity? | No |
Includes custom properties? | No |
More information | |
Configuring IBM Disconnected Log Collector to Communicate with JSA
To forward events to JSA, you must edit the configuration file on your Disconnected Log Collector (DLC) console.
IBM Disconnected Log Collector must be configured to collect events and forward them to JSA.
IBM Disconnected Log Collector 1.5 sends metric events to JSA so that you can monitor key statistics from your Disconnected Log Collector. Disconnected Log Collector sends 3 different metric events once every minute.
The following table describes the 3 metric event types that are sent to JSA.
Component name | Metric ID | Description |
---|---|---|
EventProcessingFilterQueue | SpillFilesCount | If the incoming event rate exceeds the capacity to process the events, the count increases. |
ecs-dlc_dlc_TCP_TO_QRADAR | SpillFilesCount | If DLC is disconnected, or the incoming event rate exceeds the outgoing EPS setting in DLC, the count increases. |
Source Monitor | EventRate | The current EPS rate that is collected by DLC. |
1. Log in to your Disconnected Log Collector console. You must have permission to edit files and restart services.
2. Go to the /opt/ibm/si/services/dlc/conf/config.json file.
3. Change the line "DLCMetricsEventsEnabled":false to "DLCMetricsEventsEnabled":true, and then save your changes.
4. To restart the Disconnected Log Collector service, type the following command:
   systemctl restart dlc
5. If JSA does not automatically detect the log source, add an IBM DLC Metrics log source on the JSA Console by using the parameters in Forwarded Log Source Parameters for IBM DLC Metrics.
Forwarded Log Source Parameters for IBM DLC Metrics
If JSA does not automatically detect the log source, add an IBM Disconnected Log Collector Metrics log source on the JSA Console by using the Forwarded protocol.
When you use the Forwarded protocol, there are specific parameters that you must use.
The following table describes the parameters that require specific values to collect Forwarded events from IBM Disconnected Log Collector Metrics:
Parameter | Value |
---|---|
Log Source type | IBM DLC Metrics |
Protocol Configuration | Forwarded |
Log Source Identifier | The hostname of your IBM Disconnected Log Collector device. If Disconnected Log Collector is configured for TLS, add the UUID of the device. For example, qavm88-145.q1labs.lab277f291fdca9-4c59-978a-9d6deb0223b0. |
IBM DLC Metrics Sample Event Message
Use this sample event message to verify a successful integration with JSA.
Due to formatting issues, paste the message format into a text editor and then remove any carriage returns or line feed characters.
IBM Disconnected Log Collector Sample Message When You Use the Syslog protocol
The following sample event message is a standard IBM DLC Metrics message that contains data for one of the Disconnected Log Collector device metrics in the payload.
<134>1 2020-07-30T15:01:00.759-04:00 ibm.dlcmetrics.test DLC 6074 - - [NOT:0000006000] [10.0.2.3/- -] [-/- -]LEEF:1.0|IBM|DLC|1.6.0.dev.0| DLCMetrics | src = 10.0.2.3 InstanceID=c9fb78ae-41f5-4f8d-8d61-43a87b7e3bc0 ComponentType=sources ComponentName=Source Monitor MetricID=EventRate Value=96.6
JSA field name | Highlighted values in the event payload |
---|---|
Event ID | DLCMetrics |
Source IP | 10.0.2.3 is extracted from the src parameter. |
Device time | 2020-07-30T15:01:00.759-04:00 |
Log Source Identifier | ibm.dlcmetrics.test |
The Event Category value in JSA is always IBMDLCMetrics.
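The following Python sketch is an added example, not part of the DSM or of the original page. It parses the sample message above and pulls out the same fields that the mapping table lists, so that you can check what a collector actually sends before you troubleshoot the log source. The function names and the backlog rule (any non-zero SpillFilesCount) are assumptions made for illustration.

```python
import re

# Sample event copied from this page, joined onto one line as the page instructs.
SAMPLE = (
    "<134>1 2020-07-30T15:01:00.759-04:00 ibm.dlcmetrics.test DLC 6074 - - "
    "[NOT:0000006000] [10.0.2.3/- -] [-/- -]LEEF:1.0|IBM|DLC|1.6.0.dev.0| DLCMetrics | "
    "src = 10.0.2.3 InstanceID=c9fb78ae-41f5-4f8d-8d61-43a87b7e3bc0 "
    "ComponentType=sources ComponentName=Source Monitor MetricID=EventRate Value=96.6"
)

# Syslog prefix: <PRI>VERSION TIMESTAMP HOSTNAME ...
HEADER = re.compile(r"^<\d{1,3}>\d+ (\S+) (\S+) ")
# A key is a word followed by '='. Each value runs up to the next key, so a
# value with spaces ("Source Monitor") stays whole. Heuristic: a value that
# itself contains "word=" would be split.
KEY = re.compile(r"(\w+)\s*=\s*")


def parse_dlc_metric(line):
    """Extract the fields from the mapping table plus the metric attributes."""
    line = line.replace("\r", "").replace("\n", "")
    head = HEADER.match(line)
    start = line.find("LEEF:")
    if head is None or start < 0:
        raise ValueError("not a syslog-wrapped LEEF event")
    parts = line[start:].split("|", 5)
    if len(parts) != 6:
        raise ValueError("LEEF header must have five pipe-delimited fields")
    event_id, body = parts[4].strip(), parts[5]
    keys = list(KEY.finditer(body))
    attrs = {}
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(body)
        attrs[m.group(1)] = body[m.end():end].strip()
    return {
        "event_id": event_id,
        "source_ip": attrs.get("src"),
        "device_time": head.group(1),
        "log_source_identifier": head.group(2),
        "attrs": attrs,
    }


def is_backlogged(event):
    """Assumed rule (not from the page): any non-zero SpillFilesCount is a backlog."""
    attrs = event["attrs"]
    return attrs.get("MetricID") == "SpillFilesCount" and float(attrs.get("Value", 0)) > 0
```

Calling parse_dlc_metric(SAMPLE) returns the Event ID, Source IP, Device time, and Log Source Identifier values shown in the table, and the ComponentName value keeps its embedded space.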