For the current release of QRadar Log Manager, manual setup is required to parse certain App Control properties.

Mapping of App Control Event Fields to LEEF Attributes shows the regular expressions that must be used to parse each custom property.

To configure custom properties for QRadar Log Manager:

  1. On the QRadar Log Manager, click the Admin tab and then click Custom Event Properties in the Data Sources/Events section. The Custom Event Properties window opens.
  2. Click Add in the Custom Event Properties window menu bar. The Event Property Definition window opens.
  3. In the Event Property Definition window, click the New Property radio button, and in the New Property text box, enter a LEEF Property name from Mapping of App Control Event Fields to LEEF Attributes (such as “Message”).
  4. Choose App Control on the Log Source Type menu.
  5. Enter the regular expression from Mapping of App Control Event Fields to LEEF Attributes corresponding to the property you chose (such as “msg=([^\t]+)[\t]*”).
  6. Make sure that the Enabled box is checked, and then click the Save button.
  7. Repeat the steps above for each App Control custom property (those with regular expressions) listed in Mapping of App Control Event Fields to LEEF Attributes.
  8. On the Admin console, click Deploy Changes in the Admin menu bar.
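
Before entering an expression in step 5, it can be checked offline against a sample event. The following is an added example, not part of the App Control or QRadar documentation: it compares capture group 1 of the "Message" expression quoted above with a reference parse of a LEEF 1.0 event. The sample events, the vendor and product names in the header, and the function names are constructed for illustration, and the script assumes the expression is applied as an unanchored search.

```python
import re

# Regular expression quoted in step 5 for the "Message" property.
MSG_REGEX = r"msg=([^\t]+)[\t]*"

def leef_attributes(event):
    """Reference parse: split a LEEF 1.0 event into its tab-delimited attributes."""
    # The header is five pipe-delimited fields; the attribute section follows.
    parts = event.split("|", 5)
    if len(parts) != 6 or not parts[0].startswith("LEEF:"):
        raise ValueError("not a LEEF 1.0 event")
    attrs = {}
    for pair in parts[5].split("\t"):
        key, sep, value = pair.partition("=")  # split on the first '=' only
        if sep:
            attrs[key] = value
    return attrs

def check_property(regex, key, event):
    """Return (captured, expected, ok) for one property regex against one event."""
    match = re.search(regex, event)  # assumption: unanchored search, group 1
    captured = match.group(1) if match else None
    expected = leef_attributes(event).get(key)
    return captured, expected, captured == expected

# Constructed sample events (vendor, product and values are placeholders).
HEADER = "LEEF:1.0|ExampleVendor|ExampleProduct|1.0|100|"
SAMPLES = {
    "middle": HEADER + "cat=Policy\tmsg=File 'a.exe' was blocked\tsev=4",
    "last": HEADER + "cat=Policy\tsev=4\tmsg=Value with key=value text",
    "absent": HEADER + "cat=Policy\tsev=4",
    "empty": HEADER + "cat=Policy\tmsg=\tsev=4",
}

def run_checks():
    """Apply the Message expression to every constructed sample."""
    return {name: check_property(MSG_REGEX, "msg", ev)
            for name, ev in SAMPLES.items()}

if __name__ == "__main__":
    for name, (captured, expected, ok) in run_checks().items():
        print(f"{name:8} ok={ok} captured={captured!r} expected={expected!r}")
```

The "empty" sample reports a mismatch because the expression requires at least one character after msg=, so an event with an empty message yields no value for the property.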