Apache Kafka log source parameters for IBM Cloud Activity Tracker

If IBM QRadar does not automatically detect the log source, add an IBM Cloud® Activity Tracker log source on the QRadar Console by using the Apache Kafka protocol.

When you use the Apache Kafka protocol, there are specific parameters that you must configure.

The following table describes the parameters that require specific values to collect Apache Kafka events from IBM Cloud Activity Tracker:
Table 1. Apache Kafka log source parameters for the IBM Cloud Activity Tracker DSM

| Parameter | Value |
|---|---|
| Log Source type | IBM Cloud Activity Tracker |
| Protocol Configuration | Apache Kafka |
| Log Source Identifier | Type a unique name for the log source. The Log Source Identifier can be any valid value and does not need to reference a specific server. The Log Source Identifier can be the same value as the Log Source Name. If more than one IBM Cloud Activity Tracker log source is configured, you might want to identify the first log source as ibmactivitytracker1 and the second log source as ibmactivitytracker2. |
| Bootstrap Server List | The kafka_brokers_sasl field value from the JSON object text that you noted when you completed the Configuring IBM Cloud Activity Tracker to communicate with QRadar® procedure. |
| Use SASL Authentication | Enabled |
| SASL Username | The user field value from the JSON object text that you noted when you completed the Configuring IBM Cloud Activity Tracker to communicate with QRadar procedure. |
| SASL Password | The password field value from the JSON object text that you noted when you completed the Configuring IBM Cloud Activity Tracker to communicate with QRadar procedure. |

For a complete list of Apache Kafka protocol parameters and their values, see Apache Kafka protocol configuration options.

Important: The IBM Cloud Event Streams certificate must be renewed on a 90-day expiry cycle. For this reason, the certificate must be updated in the QRadar truststore for communication to continue. Choose one of the following options:
  • If you are a QRadar on-premises user, run the getcert.sh command, which is in the /opt/qradar/bin/ directory, to add the certificate to the /opt/qradar/conf/trusted_certificates/ directory. Run the following commands:
    cd /opt/qradar/conf/trusted_certificates/
    /opt/qradar/bin/getcert.sh <Kafka URL>

    The <Kafka URL> is similar to m4ydv39cxnxjm4pq.svc02.us-east.eventstreams.cloud.ibm.com.

  • If you are a QRadar on Cloud user, contact IBM® support and open a support case to get the renewed certificate placed in the truststore.
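
Because an expired certificate stops event collection, an on-premises deployment can check the truststore directory ahead of the 90-day cycle. The following script is an added example, not part of the IBM documentation or of QRadar; the CERT_DIR and WARN_DAYS variables, the 14-day warning window, and the assumption that the certificates in the directory are PEM-encoded are illustrative choices.

```shell
#!/bin/sh
# Added example (not IBM code): flag certificates in the QRadar truststore
# directory that have expired or will expire within WARN_DAYS.
CERT_DIR="${CERT_DIR:-/opt/qradar/conf/trusted_certificates}"  # path from the page
WARN_DAYS="${WARN_DAYS:-14}"                                   # assumed lead time

# cert_status FILE DAYS -> prints expired | expiring | ok | unreadable
cert_status() {
    # Assumption: certificates are PEM-encoded; anything else is skipped.
    openssl x509 -noout -in "$1" 2>/dev/null || { echo unreadable; return 0; }
    if ! openssl x509 -noout -checkend 0 -in "$1" >/dev/null 2>&1; then
        echo expired
    elif ! openssl x509 -noout -checkend "$(( $2 * 86400 ))" -in "$1" >/dev/null 2>&1; then
        echo expiring
    else
        echo ok
    fi
}

# scan_certs DIR DAYS -> one line per certificate that needs renewal;
# returns 1 if any were found so cron or a monitoring wrapper can alert.
scan_certs() {
    scan_rc=0
    for scan_file in "$1"/*; do
        [ -f "$scan_file" ] || continue
        scan_state=$(cert_status "$scan_file" "$2")
        case $scan_state in
            expired|expiring)
                printf '%s\t%s\t%s\n' "$scan_state" "$scan_file" \
                    "$(openssl x509 -noout -enddate -in "$scan_file")"
                scan_rc=1 ;;
        esac
    done
    return "$scan_rc"
}

# Scan only where the QRadar directory exists (on the Console or managed host).
if [ -d "$CERT_DIR" ]; then
    scan_certs "$CERT_DIR" "$WARN_DAYS"
fi
```

A non-zero exit status means at least one certificate needs renewal before the window closes.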

For more information about IBM Event Streams certificates, see the IBM Event Streams documentation (https://ibm.github.io/event-streams/getting-started/connecting/).