ashoks_ibm

Pinned topic Logging in QRadar using REST API

‏2016-10-13T11:25:06Z | api c# logs

I have a requirement to send custom logs from my .NET application to QRadar. What are the options for it? Does the QRadar REST API support the logging feature?

  • DietgerBahn

    Re: Logging in QRadar using REST API

    ‏2016-10-15T23:23:00Z  

    Hello Ashok,

    Ingesting logs via the RESTful API is simply not possible to date. Logs have to go through and be processed by the Event Pipeline and Magistrate by architecture. However, non-QRadar-supported log sources - as one possible option - could be gathered by the SDI (Security Directory Integrator), for example. SDI is then capable of generating syslog-formatted logs and forwarding those to a QRadar Event Collector/Processor.

    HTH and regards,
    Dietger Bahn

  • JonathanPechtaIBM

    Re: Logging in QRadar using REST API

    ‏2016-10-18T20:20:35Z  

    QRadar has a number of protocols that can be used to listen for or actively retrieve event data from applications, appliances, databases, etc. The most common methods of retrieving event data are Syslog, Log File protocol (flat file), SMB (Samba), JDBC, and many more. If you do not offer a streaming option like Syslog, you can write data to a flat file and QRadar can reach out and retrieve the data using FTP, SCP, or SFTP.

    Alternately, if you have a Linux system that your application is running on, you could use Tail2Syslog to forward this data if it is written to a log file.

    There are a lot of ways of getting data into the QRadar event pipeline. If you have questions about getting data into QRadar, you should ask in our new forums: http://ibm.biz/qradarforums.

    -----

    This month we start our migration to our new dW Answers forums. This is where all future questions will be asked/answered. To use the new forums, you just need to navigate to the new forums and sign-in using your existing forum credentials for IBM. All questions asked must use the tag qradar, and can use up to 8 tags in total. To try using the new forum, see https://ibm.biz/qradarforums. This shortened URL filters newest posts that have the tag qradar.

    For a video on using the new dW Answers forums with QRadar, see our YouTube overview video: https://youtu.be/6YUhyOe4lb8
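
The syslog route that both replies point to, sketched for the asker's .NET application as an added example (not code from the thread or from IBM): it builds an RFC 5424 line, replaces control characters so a logged value cannot inject forged events, and sends the line over UDP. The collector address `127.0.0.1`, port 514, the `local0` facility and the names `SyslogSender`, `app01` and `OrderService` are assumptions for illustration.

```csharp
using System;
using System.Globalization;
using System.Net.Sockets;
using System.Text;

public static class SyslogSender
{
    public enum Severity { Error = 3, Warning = 4, Notice = 5, Info = 6 }
    private const int FacilityLocal0 = 16; // assumed facility; RFC 5424 numbering

    // Replace control characters (CR, LF, tab, ...) so untrusted values in a
    // message cannot start a second, attacker-written syslog line.
    public static string Sanitize(string value)
    {
        var sb = new StringBuilder(value.Length);
        foreach (char c in value)
            sb.Append(char.IsControl(c) ? ' ' : c);
        return sb.ToString();
    }

    // Header fields may not contain spaces; an empty field is sent as "-".
    private static string Token(string s) => s.Length == 0 ? "-" : Sanitize(s).Replace(' ', '_');

    public static string Format(Severity sev, string host, string app, string msg, DateTimeOffset when)
    {
        int pri = FacilityLocal0 * 8 + (int)sev; // PRI = facility * 8 + severity
        string ts = when.UtcDateTime.ToString("yyyy-MM-dd'T'HH:mm:ss.fff'Z'", CultureInfo.InvariantCulture);
        // <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
        return $"<{pri}>1 {ts} {Token(host)} {Token(app)} - - - {Sanitize(msg)}";
    }

    public static void Send(string collectorHost, int port, string line)
    {
        byte[] payload = Encoding.UTF8.GetBytes(line);
        using (var udp = new UdpClient())
            udp.Send(payload, payload.Length, collectorHost, port);
    }

    public static void Main()
    {
        // Constructed sample event; the embedded newline shows the sanitizer at work.
        string line = Format(Severity.Warning, "app01", "OrderService",
            "login failed user=alice\nsrc=10.0.0.5", DateTimeOffset.UtcNow);
        Console.WriteLine(line);
        Send("127.0.0.1", 514, line); // placeholder: use your Event Collector's address
    }
}
```

UDP delivery is unauthenticated and unacknowledged, so events can be lost or spoofed on an untrusted network; a TCP or TLS syslog transport addresses that where the deployment supports it.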