IBM QRadar

  • 1.  DLC log source configuration issues

    Posted Mon July 27, 2020 10:36 AM

    Hi

    Anyone using DLC (Disconnected Log Collector)? I am trying to test the log source configuration on DLC 1.4.0, and somehow I am failing validation of the JSON file. I tried to create it by hand (copying from the template) but also created it using the Log Source Management App and tried to import it. In both cases I run into an error:

    2020-Jul-27 12:31:16.724 ERROR - "SMB Tail" does not belong the schema.

    2020-Jul-27 12:31:16.724 ERROR - The logsource 1 fail the validation.

    Do I need to install some RPMs on the DLC? Or what is going on?



    #QRadar
    #Support
    #SupportMigration


  • 2.  RE: DLC log source configuration issues
    Best Answer

    Posted Thu August 13, 2020 01:15 PM

    Hi Support Member!


    In my learning journey I just installed a DLC and noticed everything went fine on the CentOS7 side running the DLC, but in QRadar (trial mode) I just can't find where to accept the DLC or to register it! Can you tell me if you had to prepare anything beforehand on the QRadar side? Installations, adjustments, etc.?


    I followed the "IBM Disconnected Log Collector Version 1.4.0 IBM Disconnected Log Collector Guide" without problems; can I help you?


    This article from Jose Bravo can help you debug:

    https://ibm.ent.box.com/s/ich0yyiw54y0ek6s9a66xvtjku8e42rc/file/411271771102


    Best,

    Eduardo Ellery





    #QRadar
    #Support
    #SupportMigration


  • 3.  RE: DLC log source configuration issues
    Best Answer

    Posted Thu March 04, 2021 09:43 AM

    For the SMB Tail there was an issue in DLC 1.4.0. It's fixed in 1.5.0.

    Manual fix for 1.4.0:

    # DLC 1.4.0 ships the schema file as SMBTail.json (no space), while the
    # log source declares the protocol type as "SMB Tail"; renaming the file
    # so the two names match clears the "does not belong the schema" error.
    if [ -e /opt/ibm/si/services/dlc/conf/schema/SMBTail.json ]; then
        mv -v "/opt/ibm/si/services/dlc/conf/schema/SMBTail.json" "/opt/ibm/si/services/dlc/conf/schema/SMB Tail.json"
    fi



    #QRadar
    #Support
    #SupportMigration
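As an added pre-flight check (written for this thread, not code from IBM or from the DLC), the script below compares the protocol types declared in a DLC log-source JSON file with the schema files present in the schema directory, so a spelling mismatch such as SMBTail.json versus "SMB Tail" is reported before the import fails. The JSON field name protocolType and the lookup of "<protocol type>.json" by file name are assumptions inferred from the rename fix above; the sample schema directory and log-source file are constructed in a temporary directory.

```python
import json
import os
import re
import tempfile

# Assumption (inferred from the rename fix above, not documented in the thread):
# the DLC looks up "<protocol type>.json" in /opt/ibm/si/services/dlc/conf/schema.
def find_protocol_types(node, key="protocolType"):
    """Collect every string under `key` in the parsed JSON (field name assumed)."""
    found = []
    if isinstance(node, dict):
        for k, v in node.items():
            if k == key and isinstance(v, str):
                found.append(v)
            else:
                found.extend(find_protocol_types(v, key))
    elif isinstance(node, list):
        for item in node:
            found.extend(find_protocol_types(item, key))
    return found

def normalize(name):
    """Fold case and drop spaces/punctuation so 'SMB Tail' matches 'SMBTail'."""
    return re.sub(r"[^a-z0-9]", "", name.lower())

def check_schemas(logsource_text, schema_dir, key="protocolType"):
    """Map each protocol type to 'ok', 'missing', or 'mismatch:<file>' (schema exists under another spelling)."""
    files = [f for f in os.listdir(schema_dir) if f.endswith(".json")]
    by_norm = {normalize(f[:-5]): f for f in files}   # strip ".json"
    report = {}
    for ptype in find_protocol_types(json.loads(logsource_text), key):
        if f"{ptype}.json" in files:
            report[ptype] = "ok"
        elif normalize(ptype) in by_norm:
            report[ptype] = "mismatch:" + by_norm[normalize(ptype)]
        else:
            report[ptype] = "missing"
    return report

def demo():
    """Constructed sample: a schema dir as shipped by DLC 1.4.0 (SMBTail.json,
    no space) and a log-source file declaring three protocol types."""
    with tempfile.TemporaryDirectory() as schema_dir:
        for name in ("Syslog.json", "SMBTail.json"):
            open(os.path.join(schema_dir, name), "w").close()
        sample = json.dumps({"logSources": [
            {"id": 1, "protocolType": "SMB Tail"}, {"id": 2, "protocolType": "Syslog"},
            {"id": 3, "protocolType": "Windows Event Log"}]})
        return check_schemas(sample, schema_dir)
```

Run `demo()` to see the report; against a real DLC, call `check_schemas(open(path).read(), "/opt/ibm/si/services/dlc/conf/schema")` with the field name your log-source file actually uses.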


  • 4.  RE: DLC log source configuration issues
    Best Answer

    Posted Thu March 04, 2021 09:50 AM

    Are you using UDP or TLS?

    Anyway, you need to create a "listener"/"gateway" log source on the QRadar side. Probably you are pushing logs but QRadar is not listening on port 32500 by default.

    So in QRadar:

    • Create a new log source
    • Log Source Type = Universal DSM
    • Protocol Type = IBM QRadar DLC Protocol
    • Disconnected Log Collector = must be empty
    • Target Event Collector = <the Event Collector/Processor that will receive those events>
    • Protocol = UDP (or TLS later, but for that you have to create the certificates)
    • CN/Alias Allowlist = the DLC UUID allowed to connect


    #QRadar
    #Support
    #SupportMigration