IBM Streams 4.2

Operator QRadarSink


This operator allows Streams applications to send syslog messages to a QRadar host. The messages are sent in LEEF format. For information on the LEEF format, see the following guide: Log Event Extended Format (LEEF) Guide.

Behaviour in a Consistent Region

This operator can participate in a consistent region. The operator cannot be the start of a consistent region.

Exceptions

The QRadarSink operator raises an exception in the following cases:
  • One of the vendor, product, productVersion, or eventID parameters contains a pipe '|' character
  • The host parameter is an empty string
  • The host parameter is missing either the hostname or the port number
  • The attrIncludes and attrExcludes parameters are both specified (only one of these parameters can be specified at a time)

Example

use com.ibm.streams.cybersecurity.adapters::* ;

composite QRadarTest {
graph
  (stream<rstring data, rstring src, rstring dest, rstring eventID>
    SrcStream) as Src = Beacon()
  {
    param
      initDelay : 10f ;
      iterations : 5u ;
    output
      SrcStream : data = (rstring) IterationCount(), src = "1.1.1.1", dest =
        "2.2.2.2", eventID = (rstring) (IterationCount() * 10ul) ;
  }
  
  () as QRadarOp = QRadarSink(SrcStream)
  {
    param
      host : getSubmissionTimeValue("host", "127.0.0.1") + ":" + getSubmissionTimeValue("port", "15001") ;
      vendor : "Company" ;
      product : "Product Name" ;
      productVersion : "1.0.0" ;
      eventIDAttr : eventID ;
  }
}
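As an added illustration (not the operator's own Java implementation), the following Python function renders one input tuple into a LEEF record under the rules this page states: the '|' check on the header fields, the mutual exclusion of attrIncludes and attrExcludes, eventIDAttr taking precedence over eventID, the <hostname>:<port> host format, and the default <attribute_name>=<attribute_value> payload. The LEEF 1.0 header layout, the tab delimiter, the fixed syslog header string, and the sample tuple are assumptions constructed for the example.

```python
from typing import Collection, Mapping, Optional, Tuple

# Assumed LEEF 1.0 layout: "LEEF:1.0|Vendor|Product|Version|EventID|" followed
# by tab-delimited key=value pairs. The syslog header is a constructed placeholder.
LEEF_VERSION = "1.0"
ATTR_DELIM = "\t"
SYSLOG_HEADER = "<13>Jan  1 00:00:00 streams-host"


def parse_host(host: str) -> Tuple[str, int]:
    """Validate the host parameter as documented: non-empty, <hostname>:<port>."""
    if host == "":
        raise ValueError("host parameter cannot be an empty string")
    name, sep, port = host.rpartition(":")
    if not sep or not name or not port.isdigit():
        raise ValueError("host parameter must be of the form <hostname>:<port>")
    return name, int(port)


def build_leef(attrs: Mapping[str, object], vendor: str = "IBM", product: str = "IBM Streams",
               product_version: str = "4.2.0.0", event_id: object = 0,
               event_id_attr: Optional[str] = None, attr_includes: Optional[Collection[str]] = None,
               attr_excludes: Optional[Collection[str]] = None, include_syslog_header: bool = True) -> str:
    """Render one input tuple as a LEEF record under the QRadarSink parameter rules."""
    if attr_includes is not None and attr_excludes is not None:
        raise ValueError("attrIncludes and attrExcludes cannot both be specified")
    # eventIDAttr (value taken from the tuple) takes precedence over the constant eventID.
    if event_id_attr is not None:
        event_id = attrs[event_id_attr]
    # Header fields are '|' separated, so a '|' inside any of them is rejected.
    for name, value in (("vendor", vendor), ("product", product),
                        ("productVersion", product_version), ("eventID", event_id)):
        if "|" in str(value):
            raise ValueError(f"{name} must not contain a '|' character")
    if attr_includes is not None:
        names = [n for n in attrs if n in attr_includes]
    elif attr_excludes is not None:
        names = [n for n in attrs if n not in attr_excludes]
    else:
        names = list(attrs)  # default: every input attribute as name=value
    header = f"LEEF:{LEEF_VERSION}|{vendor}|{product}|{product_version}|{event_id}|"
    record = header + ATTR_DELIM.join(f"{n}={attrs[n]}" for n in names)
    return f"{SYSLOG_HEADER} {record}" if include_syslog_header else record


# Constructed tuple matching the SPL example's schema (fifth Beacon iteration).
SAMPLE_TUPLE = {"data": "4", "src": "1.1.1.1", "dest": "2.2.2.2", "eventID": "40"}
EXAMPLE_RECORD = build_leef(SAMPLE_TUPLE, vendor="Company", product="Product Name",
                            product_version="1.0.0", event_id_attr="eventID")
```

EXAMPLE_RECORD is the message the SPL example above would produce for that tuple under these assumptions.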

Summary

Ports
This operator has 1 input port and 0 output ports.
Windowing
This operator does not accept any windowing configurations.
Parameters
This operator supports 9 parameters.

Required: host

Optional: attrExcludes, attrIncludes, eventID, eventIDAttr, includeSyslogHeader, product, productVersion, vendor

Metrics
This operator does not report any metrics.

Properties

Implementation
Java

Input Ports

Ports (0)

Port that ingests tuples


Parameters

attrExcludes

Specifies a list of attributes to exclude from the event payload. If this parameter is present, then any attributes not specified in this list will be included in the event payload. If neither this parameter nor the attrIncludes parameter is specified, then all input attributes are added to the event payload in the form of: <attribute_name>=<attribute_value>. This parameter cannot be specified if the attrIncludes parameter is specified.

attrIncludes

Specifies a list of attributes to include in the event payload. If this parameter is present, then any attributes not specified in this list will not be included in the event payload. If neither this parameter nor the attrExcludes parameter is specified, then all input attributes are added to the event payload in the form of: <attribute_name>=<attribute_value>. This parameter cannot be specified if the attrExcludes parameter is specified.

eventID

Specifies the value to use for the EventID field in the LEEF header. This parameter can be used to specify a constant eventID value to be used when sending log records to QRadar. To dynamically update the eventID based on attribute values, use the eventIDAttr parameter instead. The default value for this parameter is 0.

eventIDAttr

Specifies the attribute on the input port that contains the value to use for the EventID field in the LEEF header. This parameter can be used to dynamically set the eventID value for the current log record being sent to QRadar. To set a constant eventID for all log records, use the eventID parameter instead. If this parameter is not specified, then the eventID parameter is used instead.

host

Specifies the hostname (or IP address) and port number of the QRadar host. The expected format for this value is: <hostname>:<port>

includeSyslogHeader

Specifies whether to include the syslog header when sending the message. The default value is true.

product

Specifies the value to use for the Product name field in the LEEF header. The default value is IBM Streams.

productVersion

Specifies the value to use for the Product version field in the LEEF header. The default value is equal to the version of Streams that the application is running on (for example, 4.2.0.0).

vendor

Specifies the value to use for the Vendor or manufacturer name field in the LEEF header. The default value is IBM.


Libraries

Operator class library
Library Path: ../../impl/java/bin, ../../impl/lib/*