Log Source
When you install the application, it creates a new Log Source named QualysMultiline. Verify that it was created. You can also create the custom log source for the Qualys application manually with the following steps.
Keep the configuration of the custom log source as follows:
- Qualys VM sends the data to the QRadar console. The user can use the application for distributed setup.
- From the console UI, go to Admin > Data Sources > Log Sources.
- Click Add.
- Add the details shown below to the form to create the QualysMultiline Log Source. All fields marked with an asterisk (*) are mandatory.
Make sure your Log Source Name and Log Source Identifier have the same value.

| Property | Value |
| --- | --- |
| Log Source Name* | QualysMultiline (Customizable) |
| Log Source Description | QualysMultiline |
| Log Source Type* | Qualys LEEF |
| Protocol Configuration* | TCP Multiline Syslog |
| Log Source Identifier* | QualysMultiline (Customizable, but ensure your Log Source Name and Log Source Identifier have the same value.) |
| Listen Port | 12468 (Customizable) |
| Aggregation Method* | Start/End Matching |
| Event Start Pattern* | [A-Z][a-z][a-z]\s\d\d\s\d\d:\d\d:\d\d\s |
| Event End Pattern* | qualys_event_ends |
| Event Formatter* | No Formatting |
| Show Advanced Options* | Yes |
| Use Custom Source Name* | Unchecked |
| Use As a Gateway Log Source* | Checked |
| Flatten Multiline Events into Single Line | Checked |
| Retain Entire Lines During Event Aggregation | Checked |
| Enabled | Checked |
| Credibility | 5 |
| Target Event Collector | <default/your choice> |
| Coalescing Events | Unchecked |
| Store Event Payload | Checked |
| Log Source Extension | QualysLEEFCustom_ext |
- Click Save.
If you create this new Log Source manually, a full deployment is required. Go to Admin > Advanced and click Deploy Full Configuration.
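To sanity-check the Event Start Pattern and Event End Pattern from the table before deploying, the following added example (not part of the Qualys application or QRadar) approximates Start/End Matching with flattening over a constructed sample stream. The `aggregate` function, the sample payload fields and the host name are assumptions made for illustration, and QRadar's own handling of edge cases may differ.

```python
import re

# Patterns copied from the log source configuration table on this page.
EVENT_START = re.compile(r"[A-Z][a-z][a-z]\s\d\d\s\d\d:\d\d:\d\d\s")
EVENT_END = re.compile(r"qualys_event_ends")

# Constructed sample lines (not real Qualys output; field names are made up).
SAMPLE = [
    "Mar 07 10:15:02 qualys-host LEEF:1.0|Qualys|VM|1.0|detection|ip=192.0.2.10",
    "qid=12345 severity=3",
    "results=scanner output line qualys_event_ends",
    # Space-padded day: "\s\d\d" needs two digits, so this never opens an event.
    "Mar  7 10:15:03 qualys-host LEEF:1.0|Qualys|VM|1.0|detection qualys_event_ends",
]


def aggregate(lines, flatten=True):
    """Simplified model of Start/End Matching aggregation.

    An event opens on a line that matches EVENT_START and closes on a line
    that matches EVENT_END. Whole lines are retained. Returns (events,
    orphans), where orphans are lines that never became part of an event.
    """
    events, orphans, current = [], [], None
    for raw in lines:
        line = raw.rstrip("\r\n")
        if current is None:
            if not EVENT_START.search(line):
                orphans.append(line)  # no open event and no start marker
                continue
            current = []
        current.append(line)
        if EVENT_END.search(line):
            # Flattening joins the event's lines into a single line.
            events.append((" " if flatten else "\n").join(current))
            current = None
    if current is not None:
        orphans.extend(current)  # start marker seen, end marker never arrived
    return events, orphans


if __name__ == "__main__":
    events, orphans = aggregate(SAMPLE)
    print("events:", events)
    print("orphans:", orphans)
```

Lines reported as orphans are the ones to investigate: either the sender's timestamp format does not fit the start pattern or the end marker is missing from the payload.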