IBM QRadar

  • 1.  How to rename DSM / log source?

    Posted Mon February 14, 2022 08:12 AM
    (Apologies if this appears twice.  I don't see the first post attempt.)

    I have a custom DSM I wrote, with lots of custom fields and mappings.  The vendor changed the name of the product, so I want to change the name of the DSM and log source type.  What is the best way to do this?  I don't see any options to rename or duplicate an existing DSM.  I don't want to re-enter all that data manually.

    ------------------------------
    Dan Zerkle
    ------------------------------


  • 2.  RE: How to rename DSM / log source?

    Posted Tue February 15, 2022 11:59 AM
    Dan,
    you are right, there is no duplicate or copy button available for DSMs.
    But there is a workaround available. Each DSM will create a log source extension (LSX) which defines your event mappings, regex etc.
    Step 1: Please go to Log Source Extensions, select your log source custom extension named "mylogsourceCustom_ext" and copy it to mylogsource2.
    Step 2: Create a new DSM log source type called mylogsource2 (new name only) and leave the DSM Editor.
    Step 3: Edit the "mylogsource2Custom_ext" parameters in Log Source Extensions to make it the default for mylogsource2.
    Now you can create new log sources or change existing log sources to use the new DSM type using the new name mylogsource2.

    ------------------------------
    Karl Jaeger, Business Partner
    QRadar Specialist
    pro4bizz
    Karlsruhe, Germany
    4972190981722
    ------------------------------



  • 3.  RE: How to rename DSM / log source?

    Posted Tue February 15, 2022 01:25 PM
    Thank you Karl!  That sounds a lot easier than editing all the XML by hand.

    If I do this, will I still be able to use the DSM editor to modify the new log source type and its new LSX?

    ------------------------------
    Dan Zerkle
    ------------------------------



  • 4.  RE: How to rename DSM / log source?

    Posted Wed February 16, 2022 04:43 AM
    Hi Dan,
    yes you can! DSM and LSX are tied closely together by using the default parameter in the LSX edit.
    The resulting LSX is using the default name "mylogsource2Custom_ext" as described above. The DSM Editor can be used as usual.
    If you don't want to have two different LSXs for both DSMs, you can assign the existing LSX to both log sources if you like. Screenshot provided below.
    [Screenshot: lsx]


    ------------------------------
    Karl Jaeger, Business Partner
    QRadar Specialist
    pro4bizz
    Karlsruhe, Germany
    4972190981722
    ------------------------------



  • 5.  RE: How to rename DSM / log source?
    Best Answer

    Posted Thu February 17, 2022 05:02 AM

    Dan/Karl,

    Karl's solution will work for migrating the LSX, but the LSX is just one artifact generated by the DSM Editor; it only defines the logic for how standard properties are parsed. If Dan has defined any custom property expressions, event mappings, QID records, or config in the Configuration tab (Log Source Autodetection, Property Autodetection), none of these other things will be migrated to the new type. Plus any searches, rules, routing rules, retention buckets, etc that key off the log source type will still refer to the original type, since those linkages are based on internal ID, not name.

    So a better solution is to just rename the custom log source type. This is not possible to do via the UI, but it can be done using the REST API directly, by doing a POST to /api/config/event_sources/log_source_management/log_source_types/<log source type ID, will be > 4000 for a custom type> and passing in a Body like so:

    { "name": "New Name" }

    This will simply rename the custom type and leave everything else intact, so there is no need to migrate or duplicate any other configuration. This change can be done directly from the interactive API doc page at https://<QRadar console>/api_doc, or you can do it via curl, Postman, etc.

    If you also want to rename all log source instances of the type (since they probably have the old type name included as part of their name) this could be done fairly easily with the bulk edit feature of the Log Source Management app.

    Cheers

    Colin



    ------------------------------
    COLIN HAY
    IBM Security
    ------------------------------
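    A worked version of the rename Colin describes, added here as an example (it is not code from the thread or from IBM). The endpoint path and the "ID > 4000 means custom type" rule come from the post above; the console hostname, the token value and the use of the `SEC` authorized-service header are assumptions, and the response payload used for the offline dry run is constructed.

```python
"""Rename a custom QRadar log source type in place via the REST API (added example).

Assumed: console hostname, token value and the SEC header; endpoint and the
"custom types have IDs > 4000" guard are from the thread.
"""
import io
import json
import urllib.request

CONSOLE = "qradar.example.internal"                  # placeholder console hostname
SEC_TOKEN = "REPLACE_WITH_AUTHORIZED_SERVICE_TOKEN"  # placeholder token (assumed header)
BASE = "/api/config/event_sources/log_source_management/log_source_types"
CUSTOM_ID_FLOOR = 4000  # IBM-shipped DSM types sit at or below this; custom ones above


def is_custom_type(type_id: int) -> bool:
    """Guard so the rename can never be pointed at an IBM-shipped DSM type."""
    return isinstance(type_id, int) and type_id > CUSTOM_ID_FLOOR


def build_rename_request(type_id: int, new_name: str) -> dict:
    """Describe the POST that renames the type; its internal ID, and everything
    keyed on it (rules, searches, routing, retention), is left untouched."""
    if not is_custom_type(type_id):
        raise ValueError(f"{type_id} is not a custom type id (must be > {CUSTOM_ID_FLOOR})")
    if not new_name.strip():
        raise ValueError("new name must not be empty")
    return {
        "method": "POST",
        "url": f"https://{CONSOLE}{BASE}/{type_id}",
        "headers": {"SEC": SEC_TOKEN, "Content-Type": "application/json",
                    "Accept": "application/json"},
        "body": json.dumps({"name": new_name}).encode(),
    }


def rename_type(type_id: int, new_name: str, opener=urllib.request.urlopen) -> dict:
    """Send the rename and return the parsed JSON; `opener` is injectable for offline runs."""
    spec = build_rename_request(type_id, new_name)
    req = urllib.request.Request(spec["url"], data=spec["body"],
                                 headers=spec["headers"], method=spec["method"])
    with opener(req) as resp:
        return json.loads(resp.read().decode())


def canned_opener(payload: dict):
    """Constructed stand-in for urlopen that answers with the given JSON (test data only)."""
    return lambda req: io.BytesIO(json.dumps(payload).encode())


if __name__ == "__main__":
    # Offline dry run against a constructed response; drop `opener=` to hit a real console.
    print(rename_type(4001, "Acme NewProduct", opener=canned_opener({"id": 4001, "name": "Acme NewProduct"})))
```

    The same guard applies when renaming from curl or the api_doc page: check that the type ID you are posting to is above 4000 before sending the body.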



  • 6.  RE: How to rename DSM / log source?

    Posted Thu February 17, 2022 12:04 PM
    Dan/Colin,

    the API approach is far better than my suggested solution. Wasn't aware of that. :-(
    About the many artefacts and relations between objects I didn't talk in the first place because I didn't want to make things too complicated.

    Another way of manipulating DSMs is using CMT, because it keeps all relationships between IDs and objects. Still, creating new IDs or replacing existing ones may become an issue depending on what you do in detail. However, generally this tool does not only work in migration scenarios but in the same QRadar environment as well.

    In the renaming scenario using the REST API is just fine, thanks a lot for your hint.

    ------------------------------
    Karl Jaeger, Business Partner
    QRadar Specialist
    pro4bizz
    Karlsruhe, Germany
    4972190981722
    ------------------------------