Amazon AWS Application Load Balancer Access Logs
The IBM® QRadar® DSM for Amazon Application Load Balancer Access Logs collects access logs from Amazon AWS Application Load Balancers. The logs are collected in an Amazon S3 bucket by a Simple Queue Service (SQS) queue.
To integrate Amazon Application Load Balancer Access Logs with QRadar, complete the following steps:
- If automatic updates are not enabled, download the most recent versions of the RPMs from the IBM support website (https://www.ibm.com/support).
  - Protocol Common RPM
  - Amazon AWS S3 REST API protocol RPM
  - DSM Common RPM
  - Amazon Application Load Balancer Access Logs DSM RPM
- Configure your Amazon Application Load Balancer Access Logs application to communicate with QRadar. For more information, see Amazon AWS Enable access logging (https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-access-logs.html#enable-access-logging).
- Publish flow logs to an S3 bucket. For more information, see Publishing flow logs to an S3 bucket.
- Create the SQS queue that is used to receive ObjectCreated notifications, then configure S3 ObjectCreated notifications. For more information, see Create an SQS queue and configure S3 ObjectCreated notifications.
- Configure the security credentials for your AWS user account. For more information, see Configuring security credentials for your AWS user account.
- If QRadar does not automatically detect the log source, add an Amazon Application Load Balancer Access Logs log source on the QRadar Console.
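
The following example is added to this page and is not IBM or AWS code. It builds the SQS queue access policy and the S3 ObjectCreated notification configuration for the queue step, scoped so that only the log bucket can send messages to the queue, and checks a policy for send permissions that lack that scoping. The ARNs, account ID, function names, and the `AWSLogs/` key prefix (the load balancer layout when no custom prefix is set) are assumptions.

```python
import json

def queue_policy(queue_arn, bucket_arn, account_id):
    """SQS access policy: only S3, only for this bucket and account, may send."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowAlbLogBucketNotifications",
            "Effect": "Allow",
            "Principal": {"Service": "s3.amazonaws.com"},
            "Action": "sqs:SendMessage",
            "Resource": queue_arn,
            "Condition": {
                "ArnLike": {"aws:SourceArn": bucket_arn},
                "StringEquals": {"aws:SourceAccount": account_id},
            },
        }],
    }

def notification_config(queue_arn, prefix="AWSLogs/"):
    """Bucket notification: ObjectCreated events under the assumed log prefix only."""
    return {"QueueConfigurations": [{
        "QueueArn": queue_arn,
        "Events": ["s3:ObjectCreated:*"],
        "Filter": {"Key": {"FilterRules": [{"Name": "prefix", "Value": prefix}]}},
    }]}

def unscoped_send_statements(policy):
    """Return Sids of Allow statements granting SendMessage with no aws:SourceArn condition."""
    stmts = policy.get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    findings = []
    for i, s in enumerate(stmts):
        actions = s.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        sends = any(a.lower() in ("*", "sqs:*", "sqs:sendmessage") for a in actions)
        # Condition keys are case-insensitive, so compare in lower case.
        cond_keys = {k.lower() for op in s.get("Condition", {}).values() for k in op}
        if s.get("Effect") == "Allow" and sends and "aws:sourcearn" not in cond_keys:
            findings.append(s.get("Sid", f"statement[{i}]"))
    return findings

# Constructed sample values (placeholders, not from the page).
QUEUE_ARN = "arn:aws:sqs:us-east-1:111122223333:alb-access-logs-queue"
BUCKET_ARN = "arn:aws:s3:::example-alb-access-logs"

if __name__ == "__main__":
    print(json.dumps(queue_policy(QUEUE_ARN, BUCKET_ARN, "111122223333"), indent=2))
    print(json.dumps(notification_config(QUEUE_ARN), indent=2))
```

The two printed documents are in the shape that the SQS `Policy` queue attribute and the S3 bucket notification configuration accept.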