Create the log source
Learn how to set up a Nozomi Networks universal log source in QRadar. This covers navigation, selection, and configuration of log source parameters, including type, name, and unique identifiers, sourced from the IBM QRadar GitHub repository.
- Open QRadar.
- Select .
- In the Apps section, select QRadar Log Source Management.
- In the pane on the left, select Select Log Source Type.
- In the search field, search for and then select: Nozomi Networks Universal.
- In the bottom right corner, select Step 2: Select Protocol Type.
  The Select a protocol type page opens.
- In the search field, search for and then select: Universal Cloud REST API.
- In the bottom right corner, select Step 3: Configure Log Source Parameters.
  The Configure the Log Source parameters page opens.
- In the Name field, enter the name of the log source.
- In the Extension field, enter: NozomiNetworksUniversalCustom_ext
  Note: If you do not add the extension, the QRadar system will automatically assign it.
- In the bottom right corner, select Step 4: Configure Protocol Parameters.
  The Configure the protocol parameters page opens.
- In the Log Source Identifier field, enter an identifier. Concatenate the Nozomi Networks endpoint with the key_name, followed by either the Alert or the Asset string, for example: nozominetworkscom.customers.eu1.io_AKdf6123_Alert
  The Log Source Identifier must be unique and should follow one of these patterns:
  ${/host}_${/key_name}_Alert
  ${/host}_${/key_name}_Asset
  host is the Vantage endpoint, such as nozominetworkscom.customers.eu1.xxx.nozominetworks.io. key_name is the key_name generated in Vantage. _Asset and _Alert are fixed strings.
  Log Source Identifier examples:
  nozominetworkscom.customers.eu1.xxx.nozominetworks.io_AK023XXX_Alert
  nozominetworkscom.customers.eu1.xxx.nozominetworks.io_AK023XXX_Asset
- In the Workflow field, enter the value. You can get the latest version from the IBM QRadar GitHub repository.
  Note: There are two types of workflow: Alerts and Assets.
- In the Workflow Parameter Values field, enter the value. You can get the latest version from the IBM QRadar GitHub repository.
  Note: In the Workflow Parameter Values field you must add these three parameters: host, key_name, and key_token. For example:
  <?xml version="1.0" encoding="UTF-8" ?>
  <WorkflowParameterValues xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/WorkflowParameterValues/V1">
    <Value name="host" value="nozominetworkscom.customers.vantage.nozominetworks.io" />
    <Value name="key_name" value="AK023xxx" />
    <Value name="key_token" value="fha0ef3b5f1a36Y9c30e352562e429eexxxxx" />
  </WorkflowParameterValues>
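The Log Source Identifier pattern and the Workflow Parameter Values document above fit together: the identifier is derived from the same host and key_name that the XML carries. The following is an added example (not part of the Nozomi Networks or IBM documentation) that parses a WorkflowParameterValues document, reports any of the three required parameters that are missing, and expands ${/host}_${/key_name}_Alert and _Asset so an identifier typed into QRadar can be checked before running the protocol test. The sample XML, hostname and key_token value are constructed placeholders.

```python
import xml.etree.ElementTree as ET

# Namespace of the Universal Cloud REST API parameter document (quoted from the page).
NS = "http://qradar.ibm.com/UniversalCloudRESTAPI/WorkflowParameterValues/V1"
REQUIRED = ("host", "key_name", "key_token")   # the page says all three must be present
WORKFLOWS = ("Alert", "Asset")                 # the two workflow types (Alerts, Assets)


def parse_parameter_values(xml_text: str) -> dict:
    """Return {name: value} for every <Value> element in a WorkflowParameterValues document."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS}}}WorkflowParameterValues":
        raise ValueError(f"unexpected root element: {root.tag}")
    return {v.get("name"): v.get("value") for v in root.findall(f"{{{NS}}}Value")}


def missing_parameters(values: dict) -> list:
    """Names from REQUIRED that are absent or empty; an empty list means the document is complete."""
    return [name for name in REQUIRED if not values.get(name)]


def log_source_identifiers(values: dict) -> dict:
    """Expand the documented pattern ${/host}_${/key_name}_<Alert|Asset>, one entry per workflow."""
    return {w: f"{values['host']}_{values['key_name']}_{w}" for w in WORKFLOWS}


def identifier_matches(identifier: str, values: dict) -> bool:
    """True when an identifier is exactly one of the two expected forms for these parameters."""
    return identifier in log_source_identifiers(values).values()


# Constructed sample document; the key_token is a placeholder, not a real Vantage API token.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8" ?>
<WorkflowParameterValues xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/WorkflowParameterValues/V1">
  <Value name="host" value="nozominetworkscom.customers.eu1.xxx.nozominetworks.io" />
  <Value name="key_name" value="AK023XXX" />
  <Value name="key_token" value="PLACEHOLDER_KEY_TOKEN" />
</WorkflowParameterValues>"""

if __name__ == "__main__":
    params = parse_parameter_values(SAMPLE_XML)
    if missing_parameters(params):
        raise SystemExit(f"missing parameter(s): {missing_parameters(params)}")
    for workflow, ident in log_source_identifiers(params).items():
        print(f"{workflow} log source identifier: {ident}")
```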
- In the bottom right corner, select Step 5: Test Protocol Parameters.
  The Test Protocol Parameters page opens.
- To make sure that the parameters of the log source configuration are correct, select Start Test.
- If the configuration is correct, a positive result is shown.
- If the configuration is not correct, a negative result is shown.
- If there is an authentication error, the Error 401 page is shown. This might be because the key_name and/or the key_token are not valid (incorrect or expired).
- Select Finish.