Configuring logging settings for IBM QRadar
IBM Security QRadar consolidates log source event data from multiple devices and applications that are distributed throughout a network. If you are using IBM Security QRadar, you can send the IBM Cloud Pak System Software log files to the QRadar server to be stored for future reference.
Before you begin
- You must be assigned the Hardware administration role with permission to Manage hardware resources (Full permission) to perform these steps.
- You completed the QRadar configuration steps in the following procedure. If you are using multiple Platform System Managers, the configuration must be completed for both the primary and secondary Platform System Managers.
  - On the QRadar server, click the Admin tab, and click .
  - In the window that is displayed, click Add and enter values for the following fields:
    - Log Source Name: Enter the host name of the Cloud Pak System Software server.
    - Log Source Type: Enter Linux OS.
    - Protocol Configuration: Enter Syslog.
    - Log Source Identifier: Enter the IP address of the Cloud Pak System Software server. To find the IP addresses of the primary and secondary Platform System Managers, click page and expand the System Management IP section. The Platform System Manager floating IP address (the same one used in the browser) is the IP address for the primary Platform System Manager.
  - For all other selections, accept the default values.
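QRadar associates incoming syslog events with the log source whose Log Source Identifier matches the host field of each message, so a quick way to confirm the identifier you entered is correct is to parse a sample of the forwarded lines and count how many carry that host. The following Python script is an added example, not part of the IBM documentation or product; it assumes the forwarded lines use RFC 3164 syslog framing (PRI, timestamp, host, tag, message) and uses constructed sample lines with documentation-range addresses.

```python
import re
from collections import Counter

# Constructed sample of lines as a Linux OS log source would emit them over
# the Syslog protocol (RFC 3164 framing). Addresses are documentation-range
# placeholders, not real systems.
SAMPLE_LINES = [
    "<86>Jan 12 10:15:01 192.0.2.10 sshd[1234]: Accepted publickey for admin from 198.51.100.7 port 51234 ssh2",
    "<85>Jan 12 10:15:03 192.0.2.10 sudo: admin : TTY=pts/0 ; PWD=/home/admin ; USER=root ; COMMAND=/bin/cat /var/log/audit/audit.log",
    "<13>Jan 12 10:15:05 192.0.2.11 psm-audit[77]: user=operator action=login result=success",
    "garbage line without syslog framing",
]

# <PRI>Mmm dd hh:mm:ss host tag[pid]: message
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\[]+)(?:\[(?P<pid>\d+)\])?: ?"
    r"(?P<msg>.*)$"
)


def parse_syslog(line):
    """Split one RFC 3164 line into its fields; return None if it does not parse."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    return {
        "facility": pri // 8,   # PRI = facility * 8 + severity
        "severity": pri % 8,
        "timestamp": m.group("timestamp"),
        "host": m.group("host"),
        "tag": m.group("tag"),
        "pid": int(m.group("pid")) if m.group("pid") else None,
        "message": m.group("msg"),
    }


def check_log_source(lines, identifier):
    """Summarise how a batch of lines would map to a log source whose
    Log Source Identifier is `identifier`: lines whose host matches,
    hosts that would not match (and so would end up auto-discovered or
    unmapped), and lines that are not valid syslog at all."""
    summary = {"matched": 0, "unmatched_hosts": Counter(), "unparsed": 0}
    for line in lines:
        event = parse_syslog(line)
        if event is None:
            summary["unparsed"] += 1
        elif event["host"] == identifier:
            summary["matched"] += 1
        else:
            summary["unmatched_hosts"][event["host"]] += 1
    return summary


if __name__ == "__main__":
    # 192.0.2.10 stands in for the Platform System Manager IP entered as the identifier.
    result = check_log_source(SAMPLE_LINES, "192.0.2.10")
    print("matched:", result["matched"])
    print("unmatched hosts:", dict(result["unmatched_hosts"]))
    print("unparsed:", result["unparsed"])
```

A non-zero unmatched-host count after forwarding starts usually means the Cloud Pak System Software server is writing a host name rather than the IP address you entered as the identifier; a non-zero unparsed count points at log categories whose files are not syslog-formatted and will arrive as generic events.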
Procedure
- Click .
- Expand Log Management.
- If you want to delete all log files on Platform System Manager that are older than 90 days, select the Maximum number of days to retain log files: 90 check box.
- If you want to forward the log files to a remote destination, such as a QRadar server, in the Destination address (IPv4 or FQDN) field, enter the IP address or the fully qualified domain name of the QRadar server.
- Select all log files, or one or more types of log files from the available log categories. If you select the Security logs category, the audit log files are sent.
- Click Save. The log files are sent to the QRadar server. When a new line is added to a log file, it is also sent to the QRadar server for future reference.
Results
When forwarding starts, all lines already accumulated in the selected log files are sent, and this initial volume might exceed the maximum volume that the QRadar license allows. If this situation arises, QRadar discards all messages that exceed the licensed volume. This process continues until all accumulated lines in all log files are sent.
Typically, a standard license can handle log messages in a steady state, where new lines are sent as they are added. For larger volumes of log files, a larger QRadar license might be required.
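To see how long the discard window lasts and how much of the initial backlog is lost, it helps to model the burst second by second. The following Python script is an added example, not part of the IBM documentation or product. It assumes the license limit is expressed as events per second, that the forwarder pushes lines at a constant rate, and that anything sent above the licensed rate in a given second is discarded; the numbers in the usage scenario are constructed.

```python
def simulate_forwarding(backlog_lines, send_rate, license_eps, steady_rate, seconds):
    """
    Second-by-second model of the initial forwarding burst.

    backlog_lines: lines already accumulated in the selected log files when
                   forwarding is enabled (all of them are sent).
    send_rate:     lines per second the forwarder pushes (assumed constant).
    license_eps:   events per second the QRadar license accepts (assumption:
                   the licensed volume is an events-per-second limit).
    steady_rate:   new log lines written per second once the backlog is gone.
    seconds:       length of the simulation window.

    Returns the accepted and discarded counts, the second in which the backlog
    was fully sent, and whether the steady-state rate fits under the license.
    """
    queue = backlog_lines
    accepted = discarded = 0
    drain_time = None
    for t in range(1, seconds + 1):
        queue += steady_rate                 # new lines keep arriving
        sent = min(queue, send_rate)         # forwarder drains the queue
        queue -= sent
        kept = min(sent, license_eps)        # QRadar keeps up to the licensed rate
        accepted += kept
        discarded += sent - kept             # the excess is dropped, not queued
        if drain_time is None and queue == 0:
            drain_time = t
    return {
        "accepted": accepted,
        "discarded": discarded,
        "drain_time_s": drain_time,
        "steady_state_fits": steady_rate <= license_eps,
    }


if __name__ == "__main__":
    # Constructed scenario: 100,000 lines of 90-day backlog, forwarder at
    # 2,000 lines/s, license at 500 EPS, 50 new lines/s in steady state.
    result = simulate_forwarding(100_000, 2_000, 500, 50, 120)
    print(result)
```

In the constructed scenario the backlog drains in 52 seconds, but about three quarters of the sent lines are discarded during that window, while the steady-state rate fits comfortably under the license. Raising the license only matters if the steady-state rate does not fit; the burst loss is better avoided by enabling forwarding before much log history accumulates or by selecting fewer log categories for the first transfer.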