POST /config/event_sources/log_source_management/log_sources

Creates a new log source. A log source contains the following fields:

  • id - Number - The ID of the log source.
  • name - String - The unique name of the log source.
  • description - String - An optional description of the log source.
  • type_id - Number - The type of the log source. Must correspond to an existing log source type. See the Log Source Type API (/api/config/event_sources/log_source_management/log_source_types/).
  • protocol_type_id - Number - The type of protocol that is used by the log source. Must correspond to an existing protocol type. See the Protocol Type API (/api/config/event_sources/log_source_management/protocol_types/). Individual log source types can support only a subset of all available protocol types, as indicated by the protocol_types field of the log source type structure.
  • protocol_parameters - Array - The set of protocol parameters. This set is a collection of ProtocolParameter structures. The structure of the parameters is defined by the protocol type that is used by the log source. See the Protocol Type API (/api/config/event_sources/log_source_management/protocol_types/).
  • enabled - Boolean - If the log source is enabled, the condition is set to 'true'; otherwise, the condition is set to 'false'.
  • gateway - Boolean - If the log source is configured as a gateway, the condition is set to 'true'; otherwise, the condition is set to 'false'. A gateway log source is a stand-alone protocol configuration. The log source receives no events itself, and serves as a host for a protocol configuration that retrieves event data to feed other log sources. It acts as a "gateway" for events from multiple systems to enter the event pipeline.
  • internal - Boolean - If the log source is internal (when the log source type is defined as internal), the condition is set to 'true'.
  • credibility - Short - On a scale of 0 - 10 inclusive, the amount of credibility that the QRadar administrator places on this log source.
  • target_event_collector_id - Number - The ID of the event collector where the log source sends its data. The ID must correspond to an existing event collector. See the Event Collector API (/api/config/event_sources/event_collectors/).
  • disconnected_log_collector_id - Number - The ID of the disconnected log collector where this log source will run. The ID must correspond to an existing disconnected log collector. See the Disconnected Log Collector API (/api/config/event_sources/disconnected_log_collectors/).
  • coalesce_events - Boolean - If events collected by this log source are coalesced based on common properties, the condition is set to 'true'. If each individual event is stored, then the condition is set to 'false'.
  • store_event_payload - Boolean - If the payloads of events that are collected by this log source are stored, the condition is set to 'true'. If only the normalized event records are stored, then the condition is set to 'false'.
  • log_source_extension_id - Long - The log source extension associated with the log source. The ID must correspond to an existing log source extension or be set to 'null'. See the Log Source Extension API (/api/config/event_sources/log_source_management/log_source_extensions/)
  • language_id - Integer - The language of the events that are being processed by this log source. Must correspond to an existing log source language. See the Log Source Language API (/api/config/event_sources/log_source_management/log_source_languages/). Individual log source types can support only a subset of all available log source languages, as indicated by the supported_language_ids field of the log source type structure
  • group_ids - Array - The set of log source group IDs this log source is a member of. Each ID must correspond to an existing log source group. See the Log Source Group API (/api/config/event_sources/log_source_management/log_source_groups/).
  • requires_deploy Boolean - Set to 'true' if you need to deploy changes to enable the log source for use; otherwise, set to 'false' if the log source is already active.
  • status - Object - The status of the log source.
  • auto_discovered - Boolean - If the log source was auto-discovered, the condition is set to 'true'. If the log source was created by a user, then the condition is set to 'false'.
  • average_eps - Number - The average events per second (EPS) rate of the log source over the last 60 seconds.
  • creation_date - Number - The creation date/time of the log source (in milliseconds since epoch).
  • modified_date - Number - The last modified date/time of the log source (in milliseconds since epoch).
  • last_event_time - Number - The date/time of the last event received by the log source (in milliseconds since epoch).
  • wincollect_internal_destination_id - Long - The internal WinCollect destination for this log source, if applicable. Log sources without an associated WinCollect agent have a null value. Must correspond to an existing WinCollect destination. See the WinCollect Destination API (/api/config/event_sources/wincollect/wincollect_destinations/).
  • wincollect_external_destination_ids - Array<Long> - The set of external WinCollect destinations for this log source, if applicable. Log Sources without an associated WinCollect agent have a null value. Each ID must correspond to an existing WinCollect destination. See the WinCollect Destination API (/api/config/event_sources/wincollect/wincollect_destinations/).
  • legacy_bulk_group_name - Array<Long> - The name of the legacy bulk group that this log source belongs to. If the field is null, then the log source is not part of any legacy bulk groups.
  • sending_ip - String - The ip of the system which the log source is associated to, or fed by.
  • parsing_order - Integer - The order in which log sources will parse if multiple exists with a common identifier.
A protocol parameter contains the following fields:
  • id - Number - The ID of the protocol parameter. The ID matches one of the ProtocolParameterType objects defined by the Protocol Type used by the log source. See the Protocol Type API (/api/config/event_sources/log_source_management/protocol_types/).
  • name - The name of the protocol parameter. The name matches one of the ProtocolParameterType objects defined by the Protocol Type used by the log source. See the Protocol Type API (/api/config/event_sources/log_source_management/protocol_types/).
  • value - String - The value of the parameter.
A status parameter contains the following fields:
  • status - Enumeration - The status of the log source. Possible values are N/A, SUCCESS, WARN, ERROR, DISABLED.
  • messages - Array An array of LogSourceStatusMessage structures.
  • last_updated - String - The time of the last status update (in milliseconds since epoch).
A 'status' message parameter contains the following fields:
  • severity - Enumeration - The severity of the status message. Possible values are INFO, WARN, ERROR.
  • text - The localized text of the status message.
Table 1. POST /config/event_sources/log_source_management/log_sources resource details
MIME Type

application/json

Table 2. POST /config/event_sources/log_source_management/log_sources request parameter details
Parameter Type Optionality Data Type MIME Type Description

fields

header

Optional

String

text/plain

Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.
Table 3. POST /config/event_sources/log_source_management/log_sources request body details
Parameter Data Type MIME Type Description Sample

log_source_data

Object

application/json

The log source to create.

{ "coalesce_events": true, "credibility": 42, "deleted": true, "description": "String", "disconnected_log_collector_id": 42, "enabled": true, "gateway": true, "group_ids": [ 42 ], "id": 42, "language_id": 42, "legacy_bulk_group_name": "String", "log_source_extension_id": 42, "name": "String", "parsing_order": 42, "protocol_parameters": [ { "id": 42, "name": "String", "value": "String" } ], "protocol_type_id": 42, "requires_deploy": true, "sending_ip": "String", "store_event_payload": true, "target_event_collector_id": 42, "type_id": 42, "wincollect_external_destination_ids": [ 42 ], "wincollect_internal_destination_id": 42 }
Table 4. POST /config/event_sources/log_source_management/log_sources response codes
HTTP Response Code Unique Code Description

201

The log source was created successfully.

403

1000

The endpoint cannot be used by users associated with a tenant.

409

1001

The 'name' parameter must be unique.

409

1002

The combination of 'type_id','protocol_type_id' and 'identifier' (from 'protocol_parameters') must be unique.

422

1003

The 'name' parameter is required.

422

1004

The 'name' parameter must not exceed 255 characters.

422

1005

The 'description' parameter must not exceed 255 characters.

422

1006

null

422

1007

The 'type_id' parameter does not match any of the available log source types.

422

1008

The 'type_id' parameter cannot correspond to an internal log source type.

422

1009

null

422

1010

The 'protocol_type_id' parameter does not match any of the available protocol types.

422

1011

The combination of 'type_id' and 'protocol_type_id' is not supported.

422

1012

The protocol parameter is invalid.

422

1013

The protocol parameter id or name is invalid.

422

1014

The protocol parameter value format is incorrect.

422

1015

The protocol parameter is required but the value is missing.

422

1016

The protocol parameter value does not match one of the allowed values.

422

1017

The protocol parameter value is too short.

422

1018

The protocol parameter value is too long.

422

1019

The protocol parameter value is too big.

422

1020

The protocol parameter value is too small.

422

1021

The protocol parameter value does not match the allowed pattern.

422

1022

The protocol parameter is not a supported encoding.

422

1023

At least one protocol parameter from the group must be set.

422

1024

The 'credibility' parameter must be a value 0 - 10 inclusive.

422

1025

The 'target_event_collector_id' parameter does not match any of the available event collectors.

422

1026

The 'log_source_extension_id' parameter does not match any of the available log source extensions.

422

1027

The 'language_id' parameter does not match any of the available log source languages.

422

1028

The 'language_id' parameter does not match a supported language for the selected log source type.

422

1029

The 'group_ids' parameter contains one or more group IDs that cannot be found.

422

1031

The 'group_ids' parameter contains unassignable groups (IDs 0 or 1).

422

1032

The 'wincollect_internal_destination_id' parameter does not match any available internal WinCollect destination.

422

1033

The 'wincollect_external_destination_ids' parameter contains one or more IDs that do not match an available external WinCollect destination.

422

1034

At least one internal or external WinCollect destination must be provided for log sources that are associated with a WinCollect agent.

422

1035

This method is not supported for this log source because it is part of a bulk group.

422

1036

This 'legacy_bulk_group_name' parameter can only be set to null.

422

1037

A log source using this protocol cannot be used as a gateway.

422

1038

The 'requires_deploy' parameter can only be set for log sources with protocol_type_id=0 (Syslog).

422

1039

The 'sending_ip' parameter is not a valid IP address.

422

1040

The 'disconnected_log_collector_id' parameter does not match any of the available collectors.

422

1041

The log source can have a value for 'target_event_collector_id' or 'disconnected_log_collector_id`, but not both.

422

1042

A log source associated with a Disconnected Log Collector must have its 'identifier' end with the collector's UUID.

500

1100

An error occurred during the attempt to create the log source.

Response Description

The newly created log source.

Response Sample


{
    "auto_discovered": true,
    "average_eps": 42,
    "coalesce_events": true,
    "creation_date": 42,
    "credibility": 42,
    "description": "String",
    "disconnected_log_collector_id": 42,
    "enabled": true,
    "gateway": true,
    "group_ids": [
        42
    ],
    "id": 42,
    "internal": true,
    "language_id": 42,
    "last_event_time": 42,
    "legacy_bulk_group_name": "String",
    "log_source_extension_id": 42,
    "modified_date": 42,
    "name": "String",
    "parsing_order": 42,
    "protocol_parameters": [
        {
            "id": 42,
            "name": "String",
            "value": "String"
        }
    ],
    "protocol_type_id": 42,
    "requires_deploy": true,
    "sending_ip": "String",
    "status": {
        "last_updated": 42,
        "messages": [
            {
                "severity": "String",
                "text": "String",
                "timestamp": 42
            }
        ],
        "status": "String"
    },
    "store_event_payload": true,
    "target_event_collector_id": 42,
    "type_id": 42,
    "wincollect_external_destination_ids": [
        42
    ],
    "wincollect_internal_destination_id": 42
}