So, what this error is trying to explain is that you can have two log sources that use the same IP configured as long as they are of a different type. However, there cannot be two log sources using the same IP, same log source type, and same protocol.
If you edit one of the log sources and change the Log Source Identifier field, it should allow you to save your changes.
Why this error is generated
If you have a Windows log source with protocol WinCollect for log source identifier 10.10.10.10, you can't add another one. That's not specific to editing, bulk adding, or the Log Source Management app. What you are hitting is a general rule of QRadar around log source data is to not combined data from unique sources. That three-point uniqueness key is always enforced. This is an annoying error and is generated directly from the API when the issue occurs, so it is not very user friendly. I believe dev has a work item to touch up the text to make it more user friendly. If you change the Log Source Identifier field for one of the log sources, you should be able to save your changes.
------------------------------
Jonathan Pechta
QRadar Support Content Lead
Support forums: ibm.biz/qradarforums
jonathan.pechta1@ibm.com
------------------------------
Original Message:
Sent: Thu February 16, 2023 05:10 AM
From: Tahir Yagubov
Subject: Cannot change log source type
Hello,
I changed log source type of autodiscovered Forcepoint V Series log source to NGINX HTTP Server. But when I want to revert it to Forcepoint V Series, I get following error:
The combination of 'type_id','protocol_type_id' and 'identifier' (from 'protocol_parameters') must be unique.
Is there anyone to encounter this error?
------------------------------
Tahir Yagubov
------------------------------