Apache Kafka log source parameters for IBM Cloud Activity Tracker
If IBM QRadar does not automatically detect the log source, add an IBM Cloud® Activity Tracker log source on the QRadar Console by using the Apache Kafka protocol.
When you use the Apache Kafka protocol, there are specific parameters that you must configure.
The following table describes the parameters that require specific values to collect Apache Kafka events from IBM Cloud Activity Tracker:
Parameter | Value |
---|---|
Log Source type | IBM Cloud Activity Tracker |
Protocol Configuration | Apache Kafka |
Log Source Identifier | Type a unique name for the log source. The Log Source Identifier can be any valid value and does not need to reference a specific server. The Log Source Identifier can be the same value as the Log Source Name. If more than one IBM Cloud Activity Tracker log source is configured, you might want to identify the first log source as ibmactivitytracker1 and the second log source as ibmactivitytracker2. |
Bootstrap Server List | The kafka_brokers_sasl field value from the JSON object text that you noted when you completed the Configuring IBM Cloud Activity Tracker to communicate with QRadar® procedure. |
Use SASL Authentication | Enabled |
SASL Username | The user field value from the JSON object text that you noted when you completed the Configuring IBM Cloud Activity Tracker to communicate with QRadar procedure. |
SASL Password | The password field value from the JSON object text that you noted when you completed the Configuring IBM Cloud Activity Tracker to communicate with QRadar procedure. |
For a complete list of Apache Kafka protocol parameters and their values, see Apache Kafka protocol configuration options.
Important: The IBM Cloud Event Streams certificate must be renewed on a 90-day expiry cycle. For this reason, the certificate must be updated in the QRadar truststore for communication to continue. Choose one of the following options:
- If you are a QRadar on-premises user, to add the certificate to the /opt/qradar/conf/trusted_certificates/ directory, you need to run the getcert.sh command in the /opt/qradar/getcert.sh directory. Run the following commands:
  cd /opt/qradar/conf/trusted_certificates/
  /opt/qradar/bin/getcert.sh <Kafka URL>
  The <Kafka URL> is similar to m4ydv39cxnxjm4pq.svc02.us-east.eventstreams.cloud.ibm.com.
- If you are a QRadar on Cloud user, contact IBM® support and open a support case to get the renewed certificate placed in the truststore.
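For on-premises consoles, one way to see ahead of time when the truststore needs the renewal described above. This is an added example, not part of the IBM documentation; it assumes openssl is available on the console, and the 14-day warning window and the function names cert_status and check_truststore are illustrative choices.

```shell
#!/bin/sh
# Added example (not IBM code): flag certificates in the QRadar truststore
# directory that are expired or close to expiry, so the Event Streams
# certificate can be renewed with getcert.sh before collection stops.

# Directory named on this page; override TRUST_DIR to check a copy elsewhere.
TRUST_DIR="${TRUST_DIR:-/opt/qradar/conf/trusted_certificates}"
# Assumption: 14 days of warning ahead of the 90-day expiry.
WARN_DAYS="${WARN_DAYS:-14}"

# cert_status FILE DAYS -> prints OK, EXPIRING, EXPIRED or UNREADABLE
cert_status() {
    cs_file=$1; cs_days=$2; cs_form=
    # The file may be PEM or DER encoded; use whichever encoding parses.
    for cs_try in PEM DER; do
        if openssl x509 -inform "$cs_try" -in "$cs_file" -noout >/dev/null 2>&1; then
            cs_form=$cs_try; break
        fi
    done
    if [ -z "$cs_form" ]; then echo UNREADABLE; return 0; fi
    # -checkend N exits non-zero when the certificate expires within N seconds.
    if ! openssl x509 -inform "$cs_form" -in "$cs_file" -noout -checkend 0 >/dev/null 2>&1; then
        echo EXPIRED
    elif ! openssl x509 -inform "$cs_form" -in "$cs_file" -noout \
            -checkend "$((cs_days * 86400))" >/dev/null 2>&1; then
        echo EXPIRING
    else
        echo OK
    fi
}

# check_truststore DIR DAYS -> one "STATUS FILE" line per certificate;
# returns 1 if any certificate is expired or inside the warning window.
check_truststore() {
    ct_rc=0
    for ct_file in "$1"/*; do
        [ -f "$ct_file" ] || continue
        ct_status=$(cert_status "$ct_file" "$2")
        [ "$ct_status" = UNREADABLE ] && continue   # not a certificate
        printf '%-9s %s\n' "$ct_status" "$ct_file"
        [ "$ct_status" = OK ] || ct_rc=1
    done
    return "$ct_rc"
}

if [ -d "$TRUST_DIR" ]; then
    check_truststore "$TRUST_DIR" "$WARN_DAYS" || echo "Renew flagged certificates" >&2
fi
```

Run on a schedule, the non-zero return from check_truststore can raise an alert before the expiry interrupts Kafka event collection.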
For more information about IBM Event Streams certificates, see the IBM Event Streams documentation (https://ibm.github.io/event-streams/getting-started/connecting/).