IBM Security QRadar

  • 1.  Safely delete logsource groups

    Posted Fri November 18, 2022 07:01 AM
    Hello all, 
    I am re-working the log source groups structure in our company. I did create lots of new log source groups; lots of those have the same names as the old ones but are under a new tree structure. I know some of the old ones are used in rules, so I will have to remove them and add the new ones into the rule and then delete the old ones. Unfortunately I did not build the system from the start, so I don't know what has dependencies where. I would like to ask for your opinions on how to proceed in this matter so I can safely identify all the dependencies and not cause any issues in our production environment. I know some people here have years of experience with such problems. Thank you for any advice!

    ------------------------------
    Tomas Tyser
    ------------------------------


  • 2.  RE: Safely delete logsource groups

    Posted Thu February 23, 2023 08:20 AM

    Hi Tomas, 

    The log source management app allows you to safely delete log sources:
    https://www.ibm.com/docs/en/qradar-common?topic=apps-qradar-log-source-management-app
    But if you need to look at data from the old log sources, the data is still retained, but it might be difficult to search on log source name if you deleted them. This was what was recommended in cases before the log source management was created. You might want to disable the old log sources but not delete them until the retention policy for those log sources has expired, in case you need the data. Then delete them.



    ------------------------------
    Curt Wolfson
    ------------------------------