Create and Configure Log Source
Users can create custom log sources using the Qualys LEEF log source type to segregate the data. For more information, click Log Sources.
Perform the following steps to configure the log source:
- After creating the log sources, go to DSM Editor and search for the Qualys LEEF log source type.
- Add Event ID and Event Category in the Properties tab specific to the log source for which data is pulled.
In DSM Editor, in the Properties tab of the Qualys LEEF log source type, the user needs to create a new Event ID and Event Category, like QualysMultiline, as per the log source created, add a format string for both the Event ID and the Event Category, and then save it.
If the user is upgrading from the Qualys app for QRadar 3.1.1, where the Event ID and Event Category were configured for the required log source, the user needs to repeat Step 2 after the upgrade, because the Qualys LEEF log source type properties are replaced by the new app on upgrading.
- Create the event mapper in the Event Mappings tab specific to the created log source.
- The user must create an event mapper in the Event Mappings tab and choose the existing QID, that is, QualysMultiline.
- Enter the same values in the Event ID and Event Category fields as per the log source name, then click Choose QID and search for QualysMultiline Information.
This way, the user-created event mapper inherits the configurations of the QualysMultiline event mapper that comes bundled with app installation.
Now, the user can pull the data into the desired Log Source by following the above steps and saving the same log source in the Qualys VM App settings.