Log Source

This section describes how to create or edit the log sources used by the Qualys FIM application.

Qualys FIM JSON

When you install the FIM application, it creates a new Log Source named QualysFimMultiline.

After the installation, check that the log source was created and is configured correctly. If the log source was not created, the following error is displayed.

[Figure: Error displayed when the log source is not available]

Create or edit the custom log source for the Qualys application using the following steps:

 Keep the configuration of the custom log source as described here.

  1. Qualys FIM sends data to the QRadar console only; the application cannot be used in a distributed setup.
  2. Go to Admin > Data Sources > Log Sources in your console UI.
  3. Click Add.
  4. Fill in the form to create the QualysFimIncidents log source.

     All fields marked with an asterisk (*) are mandatory. Ensure your Log Source Name and Log Source Identifier have the same value.

    Property                                        Value
    Log Source Name*                                QualysFimIncidents (Customizable)
    Log Source Description                          QualysFimIncidents
    Log Source Type*                                Qualys FIM INCIDENTS
    Protocol Configuration*                         TCP Multiline Syslog
    Log Source Identifier*                          QualysFimIncidents (Customizable, but same as Log Source Name)
    Listen Port                                     12400 (Customizable)
    Aggregation Method*                             Start/End Matching
    Event Start Pattern*                            [A-Z][a-z][a-z]\s\d\d\s\d\d:\d\d:\d\d\s
    Event End Pattern*                              qualys_event_ends
    Event Formatter*                                No Formatting
    Show Advance Option*                            Yes
    Use Custom Source Name*                         Unchecked
    Use As A Gateway Log Source*                    Checked
    Flatten Multiline Events Into Single Line*      Checked
    Retain Entire Lines During Event Aggregation*   Checked
    Enabled*                                        Checked
    Credibility                                     5
    Target Event Collector                          <default/your choice>
    Coalescing Events*                              Unchecked
    Store Event Payload*                            Checked
    Log Source Extension*                           QualysFIMINCIDENTCustom_ext

     If, while creating or editing the custom Qualys log source, QRadar marks fields as mandatory that are not required for the Qualys FIM application's log source (shown below), enable the Use Custom Source Name option and then disable it again. QRadar then no longer treats those fields as mandatory.

    [Figure: Enable Custom Source]

With the above steps, you can create the required log source if it does not exist, or edit the existing one if its values are not configured as required. Then go to Admin > Advanced and click Deploy Full Configuration.

Qualys FIM INCIDENTS

When you install the application, it creates a new Log Source named QualysFimIncidents.

After the installation, check that the log source was created and is configured correctly. If the log source was not created, the following error is displayed.

[Figure: Error displayed when the log source is not created]

Create or edit the custom log source for the Qualys application using the following steps:

 Keep the configuration of the custom log source as described here.

  1. Qualys FIM sends data to the QRadar console only; the application cannot be used in a distributed setup.

  2. Go to Admin > Data Sources > Log Sources in your console UI.

  3. Click Add.

  4. Fill in the form to create the QualysFimMultiline log source.

     All fields marked with an asterisk (*) are mandatory. Ensure your Log Source Name and Log Source Identifier have the same value.

    Property                                        Value
    Log Source Name*                                QualysFimMultiline (Customizable)
    Log Source Description                          QualysFimMultiline
    Log Source Type*                                Qualys FIM JSON
    Protocol Configuration*                         TCP Multiline Syslog
    Log Source Identifier*                          QualysFimMultiline (Customizable, but same as Log Source Name)
    Listen Port                                     12400 (Customizable)
    Aggregation Method*                             Start/End Matching
    Event Start Pattern*                            [A-Z][a-z][a-z]\s\d\d\s\d\d:\d\d:\d\d\s
    Event End Pattern*                              qualys_event_ends
    Event Formatter*                                No Formatting
    Show Advance Option*                            Yes
    Use Custom Source Name*                         Unchecked
    Use As A Gateway Log Source*                    Checked
    Flatten Multiline Events Into Single Line*      Checked
    Retain Entire Lines During Event Aggregation*   Checked
    Enabled*                                        Checked
    Credibility                                     5
    Target Event Collector                          <default/your choice>
    Coalescing Events*                              Unchecked
    Store Event Payload*                            Checked
    Log Source Extension*                           QualysFIMJSONCustom_ext

     If, while creating or editing the custom Qualys log source, QRadar marks fields as mandatory that are not required for the Qualys FIM application's log source (shown below), enable the Use Custom Source Name option and then disable it again. QRadar then no longer treats those fields as mandatory.

    [Figure: Custom Source FIM Incidents]

  5. Click Save once you have confirmed that the specified configuration has been entered or verified correctly.

With the above steps, you can create the required log source if it does not exist, or edit the existing one if its values are not configured as required. Then go to Admin > Advanced and click Deploy Full Configuration.
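As an added example (not part of the Qualys documentation or the app's own code), the following Python script approximates how the TCP Multiline Syslog protocol's Start/End Matching uses the Event Start Pattern and Event End Pattern from the tables above to delimit each event and flatten it into a single line, so you can sanity-check what the FIM app emits before it reaches the listen port. The sample lines and their JSON field names are constructed, and it is an assumption that the start pattern may appear anywhere on the line (for example after a syslog PRI such as "<13>"), so the script searches rather than anchors.

```python
import json
import re

# Event Start Pattern and Event End Pattern from the log source configuration.
START_PATTERN = re.compile(r"[A-Z][a-z][a-z]\s\d\d\s\d\d:\d\d:\d\d\s")
END_PATTERN = "qualys_event_ends"

# Constructed sample input; the JSON field names are illustrative only.
SAMPLE_LINES = [
    "Jan 05 12:34:56 qualys-fim {",
    '  "type": "FIM_INCIDENT",',
    '  "hostname": "web-01",',
    '  "path": "/etc/passwd"',
    "} qualys_event_ends",
    "Jan 05 12:35:01 qualys-fim {",
    '  "type": "FIM_EVENT", "action": "Content"',
    "} qualys_event_ends",
    "orphan line with no syslog header",
]

def aggregate_events(lines):
    """Approximate Start/End Matching: a line matching the start pattern opens
    an event, later lines are kept whole (Retain Entire Lines), and the line
    containing the end pattern closes it; closed events are joined into one
    line (Flatten Multiline Events). Returns (events, unterminated, stray)."""
    events, unterminated, stray = [], [], []
    current = None
    for raw in lines:
        line = raw.rstrip("\n")
        # Assumption: search the whole line so a syslog PRI prefix still matches.
        if START_PATTERN.search(line):
            if current is not None:  # previous event never saw its end marker
                unterminated.append(" ".join(current))
            current = [line]
        elif current is None:
            stray.append(line)  # arrived outside any event: would be dropped
        else:
            current.append(line)
            if END_PATTERN in line:
                events.append(" ".join(current))
                current = None
    if current is not None:
        unterminated.append(" ".join(current))
    return events, unterminated, stray

def extract_json(event):
    """Recover the JSON object from a flattened event by cutting the syslog
    header before the first '{' and the end marker after the last '}'."""
    return json.loads(event[event.index("{"):event.rindex("}") + 1])
```

Unterminated and stray lines are reported separately because they are the symptom of a start or end pattern that does not match what the app actually sends.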

Related Topic

Custom Event Properties