Hi Aniello
This question pops up regularly year after year and is a typical beginner's question.
Yes, this is possible but not necessary in most cases. There needs to be a difference in either logsource type or logsource header or logsource protocol used to make it work. In your case password manager and OS sent their messages to rsyslog and from there to QRadar. So what you may need is an LSM extension written by DSMedit to your standard DSM for Ubuntu. This combines the existing standard parser with your own parser for those records coming in and flagged as unknown. Pls check learning videos for DSMedit, e.g. made by Jos Bravo available at YouTube. Check DSMedit entries here for URL.
Regards, Karl
------------------------------
Karl Jaeger, Business Partner
QRadar Specialist
pro4bizz
Karlsruhe, Germany
4972190981722
------------------------------
Original Message:
Sent: Mon February 05, 2024 06:36 AM
From: aniello esposito
Subject: 2 log source on 1 server
Hello everyone,
I am a beginner.
I would like to know if it is possible to have 2 logsources from 1 server.
I have a Linux Ubuntu server where I installed a password manager,
which sends its logs to the rsyslog of Linux Ubuntu.
Do I need to use two logsources with 2 different parsers?
Do I log the Ubuntu files with one parser and the password manager with the other?
------------------------------
aniello esposito
------------------------------
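The approach described in the reply above (one log source, with the standard parser handling OS records and an extension handling only the records it leaves unknown), modelled as an added example that is not part of the thread and is not QRadar code. The `pwmgr` tag, its message layout, the host name `ubuntu01` and the simplified "standard" patterns are assumptions made for illustration.

```python
import re

# RFC 3164 style line: "<PRI>Mmm dd hh:mm:ss host tag[pid]: message"
HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<tag>[^\s:\[]+)(?:\[\d+\])?: (?P<msg>.*)$"
)

# Stand-in for the stock Ubuntu/Linux parser (simplified, constructed patterns).
STANDARD = [
    ("sshd", re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")),
    ("sudo", re.compile(r"^\s*(?P<user>\S+) : .*COMMAND=(?P<cmd>.+)$")),
]
# Stand-in for the extension; tag "pwmgr" and its message layout are hypothetical.
EXTENSION = [
    ("pwmgr", re.compile(r"event=(?P<event>\w+) user=(?P<user>\S+) src=(?P<src>\S+)")),
]

def parse(line, extension=()):
    """Return (log_source_identifier, parsed_by, fields) for one syslog line."""
    h = HEADER.match(line)
    if not h:
        return None, "unparsed-header", {}
    # Standard patterns first; extension patterns only see what they missed.
    for origin, rules in (("standard", STANDARD), ("extension", extension)):
        for tag, rx in rules:
            m = rx.search(h["msg"]) if tag == h["tag"] else None
            if m:
                return h["host"], origin, m.groupdict()
    return h["host"], "unknown", {}

# Constructed sample lines, all relayed by rsyslog on one host.
SAMPLE = [
    "<38>Feb  5 06:30:01 ubuntu01 sshd[811]: Failed password for invalid user admin from 203.0.113.7 port 50122 ssh2",
    "<85>Feb  5 06:31:12 ubuntu01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update",
    "<134>Feb  5 06:32:40 ubuntu01 pwmgr[1290]: event=login_failed user=bob src=198.51.100.23",
]

def summarize(lines, extension=()):
    """List (identifier, parsed_by) per line, to compare coverage with and without the extension."""
    return [parse(l, extension)[:2] for l in lines]

if __name__ == "__main__":
    for label, ext in (("standard only", ()), ("with extension", EXTENSION)):
        print(label, summarize(SAMPLE, ext))
```

All three lines carry the same host in the syslog header, so they resolve to one identifier; only the record the standard patterns leave as unknown reaches the extension.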