IBM DLC Metrics

The JSA DSM for IBM Disconnected Log Collector Metrics collects Syslog metric events from an IBM Disconnected Log Collector Metrics device.

To integrate IBM Disconnected Log Collector Metrics with JSA, complete the following steps:

  1. If automatic updates are not enabled, download the most recent version of the following RPMs from Juniper Downloads and install them on your JSA Console:

    • DSM Common RPM

    • IBM DLC Metrics DSM RPM

  2. Configure your IBM Disconnected Log Collector Metrics device to send events to JSA.

  3. If JSA does not automatically detect the log source, add an IBM Disconnected Log Collector Metrics log source on the JSA Console.

IBM DLC Metrics DSM Specifications

When you configure IBM Disconnected Log Collector, understanding the specifications for the IBM DLC Metrics DSM can help ensure a successful integration. For example, knowing what the supported version of IBM Disconnected Log Collector is before you begin can help reduce frustration during the configuration process.

The following table describes the specifications for the IBM DLC Metrics DSM.

Table 1: IBM DLC Metrics DSM Specifications

| Specification | Value |
| --- | --- |
| Manufacturer | IBM |
| DSM name | IBM DLC Metrics |
| RPM file name | DSM-IBMDLCMetrics-JSA_versionbuild_number.noarch.rpm |
| Supported version | 1.5 |
| Protocol | Syslog, Forwarded |
| Event format | LEEF |
| Recorded event types | All DLC Metrics event types |
| Automatically discovered? | Yes |
| Includes identity? | No |
| Includes custom properties? | No |
| More information | IBM Disconnected Log Collector documentation |

Configuring IBM Disconnected Log Collector to Communicate with JSA

To forward events to JSA, you must edit the configuration file on your Disconnected Log Collector (DLC) console.

IBM Disconnected Log Collector must be configured to collect events and forward them to JSA.

IBM Disconnected Log Collector 1.5 sends metric events to JSA so that you can monitor key statistics from your Disconnected Log Collector. Disconnected Log Collector sends 3 different metric events once every minute.

The following table describes the 3 metric event types that are sent to JSA.

Table 2: Metric Event Types that are Sent to JSA

| Component name | Metric ID | Description |
| --- | --- | --- |
| EventProcessingFilterQueue | SpillFilesCount | If the incoming event rate exceeds the capacity to process the events, the count increases. |
| ecs-dlc_dlc_TCP_TO_QRADAR | SpillFilesCount | If DLC is disconnected, or the incoming event rate exceeds the outgoing EPS setting in DLC, the count increases. |
| Source Monitor | EventRate | The current EPS rate that is collected by DLC. |

  1. Log in to your Disconnected Log Collector console. You must have permission to edit files and restart services.

  2. Go to the /opt/ibm/si/services/dlc/conf/config.json file.

  3. Change the line "DLCMetricsEventsEnabled":false to "DLCMetricsEventsEnabled":true, and then save your changes.

  4. To restart the Disconnected Log Collector service, type the following command:

    systemctl restart dlc

If JSA does not automatically detect the log source, add a log source on the JSA Console by using the Forwarded Log Source Parameters for IBM DLC Metrics.

Forwarded Log Source Parameters for IBM DLC Metrics

If JSA does not automatically detect the log source, add an IBM Disconnected Log Collector Metrics log source on the JSA Console by using the Forwarded protocol.

When you use the Forwarded protocol, there are specific parameters that you must use.

The following table describes the parameters that require specific values to collect Forwarded events from IBM Disconnected Log Collector Metrics:

Table 3: Forwarded Log Source Parameters for the IBM DLC Metrics DSM

| Parameter | Value |
| --- | --- |
| Log Source type | IBM DLC Metrics |
| Protocol Configuration | Forwarded |
| Log Source Identifier | The hostname of your IBM Disconnected Log Collector device. If Disconnected Log Collector is configured for TLS, add the UUID of the device. For example, qavm88-145.q1labs.lab277f291fdca9-4c59-978a-9d6deb0223b0. |

IBM DLC Metrics Sample Event Message

Use this sample event message to verify a successful integration with JSA.

Note:

Due to formatting issues, paste the message format into a text editor and then remove any carriage returns or line feed characters.

IBM Disconnected Log Collector Sample Message When You Use the Syslog protocol

The following sample event message is a standard IBM DLC Metrics message that contains data for one of the Disconnected Log Collector device metrics in the payload.

Table 4: JSA field names and highlighted values in the event payload

| JSA field name | Highlighted values in the event payload |
| --- | --- |
| Event ID | DLCMetrics |
| Source IP | 10.0.2.3 is extracted from the src parameter. |
| Device time | 2020-07-30T15:01:00.759-04:00 |
| Log Source Identifier | ibm.dlcmetrics.test |

Tip:

The Event Category value in JSA is always IBMDLCMetrics.
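The following added example (not part of the Juniper or IBM documentation) parses a DLC Metrics LEEF event and checks it against the fields that Table 4 says JSA extracts, after removing the pasted line breaks that the Note describes. The sample message is constructed: only the event ID, src value, device time, and log source identifier come from Table 4, and the syslog header layout and the ComponentName, MetricID, and Value attribute names are assumptions.

```python
import re
from datetime import datetime

# Constructed sample, not IBM's message: header fields, event ID and src follow
# Table 4; other attribute names are assumed. CR/LF imitates a pasted line break.
SAMPLE = (
    "<13>1 2020-07-30T15:01:00.759-04:00 ibm.dlcmetrics.test "
    "LEEF:1.0|IBM|DLC|1.5|DLCMetrics|src=10.0.2.3\tComponentName=Source Monitor\r\n"
    "\tMetricID=EventRate\tValue=120"
)

# <PRI>[version ]timestamp hostname LEEF-payload
HEADER = re.compile(r"^<\d{1,3}>(?:\d )?(\S+) (\S+) (LEEF:.*)$")

def parse_dlc_metric(raw):
    """Return the Table 4 fields and the LEEF attributes of one event."""
    line = raw.replace("\r", "").replace("\n", "")  # undo pasted line breaks
    m = HEADER.match(line)
    if not m:
        raise ValueError("expected a syslog header followed by a LEEF payload")
    device_time, identifier, leef = m.groups()
    parts = leef.split("|")
    if parts[0] == "LEEF:1.0" and len(parts) >= 6:
        delim, body = "\t", "|".join(parts[5:])  # LEEF 1.0 is tab-delimited
    elif parts[0] == "LEEF:2.0" and len(parts) >= 7:
        spec = parts[5]  # literal character, or hex such as x09 / 0x09
        delim = chr(int(re.sub(r"^0?x", "", spec), 16)) if len(spec) > 1 else spec or "\t"
        body = "|".join(parts[6:])
    else:
        raise ValueError("unsupported or truncated LEEF header")
    attrs = dict(kv.split("=", 1) for kv in body.split(delim) if "=" in kv)
    return {"event_id": parts[4], "source_ip": attrs.get("src"), "attrs": attrs,
            "device_time": device_time, "log_source_identifier": identifier}

def verify(raw, expected_identifier):
    """List mismatches against what the DSM documentation says JSA extracts."""
    ev = parse_dlc_metric(raw)
    problems = []
    if ev["event_id"] != "DLCMetrics":
        problems.append("event ID is %r, not DLCMetrics" % ev["event_id"])
    if ev["log_source_identifier"] != expected_identifier:
        problems.append("identifier %r does not match the log source" % ev["log_source_identifier"])
    if not ev["source_ip"]:
        problems.append("no src attribute, so JSA has no Source IP to extract")
    try:
        datetime.fromisoformat(ev["device_time"])
    except ValueError:
        problems.append("device time %r is not ISO 8601" % ev["device_time"])
    return problems
```

Calling `verify(SAMPLE, "ibm.dlcmetrics.test")` returns an empty list when the event matches the log source configuration; each returned string names one field that would keep the event from mapping to the expected log source.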