Configuring IBM QRadar Packet Capture to communicate with QRadar

To collect IBM® QRadar® Packet Capture events, you must configure event forwarding to a remote syslog server.


  1. Using SSH, log in to your IBM QRadar Packet Capture device as the root user.
  2. Choose one of the following options to enable syslog.
    1. Option 1: Open the /etc/rsyslog.conf file in a text editor such as vi:
      vi /etc/rsyslog.conf

      Then add the following line at the end of the file:

      *.* @@<QRadar Event collector IP>:514
    2. Option 2: Create the <filename>.conf file in the /etc/rsyslog.d/ directory, and then add the following line to the file that you created:
      *.* @@<QRadar Event collector IP>:514
  3. Restart the Syslog service by typing the following command:
    service rsyslog restart

    The message logs are sent to the QRadar Event Collector and local copies are saved.

    Note: QRadar parses only LEEF events for IBM QRadar Packet Capture. On the Log Activity tab in QRadar, the Event Name displays as IBM QRadar Packet Capture Message and the Low Level Category displays as Stored for all other events.

What to do next

To verify that LEEF events are being logged on your IBM QRadar Packet Capture device, inspect /var/log/messages.

tail /var/log/messages