IBM QRadar

  • 1.  Disconnected log collector log source discovered under the event collector

    Posted Fri July 26, 2024 08:03 AM

    Hi Team.

    I have installed and configured DLC.

    After that I installed WinCollect agents and pointed them to the DLC IP. The log source was auto discovered with the forwarded protocol. But I can see the target event collector is not the DLC.

    I have attached the log source screenshot for your reference. Please check and advise here.



    jo De

  • 2.  RE: Disconnected log collector log source discovered under the event collector

    IBM Champion
    Posted Fri July 26, 2024 09:30 AM

    Joe, from what you explain there are two log sources existing for your Windows system: the manually configured Windows server plus the same server automatically detected. Please check the log source identifier first (should be the same) and eventually use log source parse ordering for changing priority between those two.

    Karl Jaeger #ibmchampion
    QRadar Specialist
    Siegen, Germany

  • 3.  RE: Disconnected log collector log source discovered under the event collector

    Posted Fri July 26, 2024 11:38 AM

    Hi Karl,

    Thank you for your prompt response.

    I didn't create any log source manually. I have one log source (attached earlier) which was auto discovered with the target event collector.

    I am also attaching the disconnected log source configuration.

    My concern here is that I pointed my WinCollect configuration to the DLC, but when it's discovered it's under the event collector. Is this the way DLC works? Please advise, since I am new to the DLC concept.



    Disconnected log source registration

    jo De