IBM Security QRadar

  • 1.  Log source app

    Posted Thu October 10, 2019 03:02 AM
    Hi,

    I am working with the new log source app.
    It seems to work normally, for the most part.
    If I modify an existing log source made by the built-in log source module in any way, it complains about two unresolved issues before I can save it.

    It concerns two fields.
    1. Forward event filter type
    2. Forward event filter

    The app says: A value is required for this field

    In the old built-in application this is set to No Filtering.
    So no big issue, but I was wondering if any of you experienced the same behaviour?

    I am now trying the module for creating multiple log sources at one time.

    For example, if I create a single log source, I take the following steps...
    Step 1 - Select Log Source type
    Microsoft Windows Security Event Log

    Step 2 - Select Protocol Type
    WinCollect

    Step 3 - Configure the Log Source parameters
    Name* - Computer1-Room1
    Description - My first computer
    The rest of the parameters in this section are filled in statically.

    Step 4 - Configure the protocol parameters
    Log Source Identifier* - Computer1
    The rest of the parameters in this section are filled in statically.

    Now, if I want to do the same using the Multiple Log Source method,
    I do the same thing.
    No problem in the first two steps.

    In step 3 the app asks for
    Name Template*
    Description Template

    In step 4 I am missing the
    Log Source Identifier...


    Finally, in step 5 they ask for a CSV file.
    It's not clear to me how it should be presented to the system.

    It says one line per logsource.

    I hoped it to be something like
    Computer1-Room1,My first computer,Computer1

    But this does not work.

    Any hints on how this works would be appreciated :-)

    ------------------------------
    Jan-dirk Prins
    ------------------------------


  • 2.  RE: Log source app

    Posted Thu October 10, 2019 03:48 AM
    Finally figured it out.

    I did have to uncheck the description box,
    and it will then add it from the first column of the CSV line.
    So now it reads:
    My first computer,Computer1

    You can use the name template to build up the name in configuration step 3:
    Enable/disable editing of Name Template
    Name Template * - Template for setting the name of the selected log sources.

    The following variables are available:

    The ID of the log source.
    This variable is not available when creating a new log source

    $$NAME$$
    The name of the log source.

    $$DESCRIPTION$$
    The description of the log source.

    $$SOURCE_ADDRESS$$
    The Log Source Identifier.

    $$LOG_SOURCE_TYPE$$
    The log source type name.

    $$PROTOCOL_TYPE$$
    The log source protocol type name.


    The imported value from the CSV file is the Log Source Identifier.


    ------------------------------
    Jan-dirk Prins
    ------------------------------
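As an added example, not code from the original thread or from the QRadar Log Source Management app itself, the following Python script builds the step 5 CSV in the layout the reply above arrived at (description in the first column, Log Source Identifier in the second, one line per log source) and then expands a Name Template over each line, so you can see the names and identifiers the bulk step would create before uploading anything. The `$$DESCRIPTION$$`, `$$SOURCE_ADDRESS$$`, `$$LOG_SOURCE_TYPE$$` and `$$PROTOCOL_TYPE$$` variables are the ones quoted in the reply; the function names, the duplicate-identifier check and the sample rows are my own constructions, and the script only models the CSV, it does not talk to QRadar.

```python
import csv
import io
import re

# Name Template variables quoted in the reply above. The log source ID variable
# is left out on purpose: it is not available when creating a new log source.
TEMPLATE_VARS = ("NAME", "DESCRIPTION", "SOURCE_ADDRESS", "LOG_SOURCE_TYPE", "PROTOCOL_TYPE")

_PLACEHOLDER = re.compile(r"\$\$([A-Z_]+)\$\$")


def build_csv(rows):
    """Write (description, identifier) pairs as the step 5 CSV: one line per log source.

    csv.writer quotes a description that itself contains a comma, which is the
    case that breaks a hand-typed CSV.
    """
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    for description, identifier in rows:
        writer.writerow([description, identifier])
    return buf.getvalue()


def expand_template(template, values):
    """Expand $$VAR$$ placeholders in a Name Template.

    An unknown variable raises instead of being left in the name verbatim, so a
    typo such as $$SOURCE_ADRESS$$ is caught before 200 log sources get that name.
    """
    def replace(match):
        key = match.group(1)
        if key not in values:
            raise ValueError(f"unknown template variable $${key}$$")
        return values[key]
    return _PLACEHOLDER.sub(replace, template)


def plan_bulk_log_sources(csv_text, name_template, log_source_type, protocol_type):
    """Parse the description,identifier CSV and return the log sources it would create.

    Each result is a dict with name, description, identifier, log_source_type and
    protocol_type. Blank lines are skipped; a malformed line, an empty or
    whitespace-containing identifier, or a duplicate identifier raises ValueError
    (the duplicate check is my own sanity check, not app behaviour).
    """
    if "$$NAME$$" in name_template:
        raise ValueError("$$NAME$$ cannot be used inside the Name Template itself")
    planned = []
    seen = set()
    for lineno, row in enumerate(csv.reader(io.StringIO(csv_text)), start=1):
        if not any(cell.strip() for cell in row):
            continue
        if len(row) != 2:
            raise ValueError(f"line {lineno}: expected 'description,identifier', got {row}")
        description, identifier = (cell.strip() for cell in row)
        if not identifier or any(ch.isspace() for ch in identifier):
            raise ValueError(f"line {lineno}: bad Log Source Identifier {identifier!r}")
        if identifier.lower() in seen:
            raise ValueError(f"line {lineno}: duplicate Log Source Identifier {identifier!r}")
        seen.add(identifier.lower())
        values = {
            "DESCRIPTION": description,
            "SOURCE_ADDRESS": identifier,       # the CSV value is the Log Source Identifier
            "LOG_SOURCE_TYPE": log_source_type,
            "PROTOCOL_TYPE": protocol_type,
        }
        name = expand_template(name_template, values)
        if not name:
            raise ValueError(f"line {lineno}: Name Template expanded to an empty name")
        planned.append({
            "name": name,
            "description": description,
            "identifier": identifier,
            "log_source_type": log_source_type,
            "protocol_type": protocol_type,
        })
    return planned


if __name__ == "__main__":
    # Constructed sample rows, mirroring the single log source from the first post.
    sample = build_csv([
        ("My first computer", "Computer1"),
        ("Second computer, in room 1", "Computer2"),
    ])
    for ls in plan_bulk_log_sources(sample, "$$SOURCE_ADDRESS$$-Room1",
                                    "Microsoft Windows Security Event Log", "WinCollect"):
        print(ls["name"], "<-", ls["identifier"], "|", ls["description"])
```

With the Name Template `$$SOURCE_ADDRESS$$-Room1` the two constructed rows expand to `Computer1-Room1` and `Computer2-Room1`, which is the naming the first post was after; the description with a comma survives because `build_csv` quotes it.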