IBM Cloud Object Storage protocol configuration options
The IBM Cloud Object Storage protocol for IBM QRadar is an outbound or active protocol that collects logs that are contained in objects from IBM Cloud Object Storage buckets.
You must have the Reader, Writer, or Manager role on the bucket. Reader is enough for log collection, which only lists and reads objects, so grant the service ID that QRadar uses no more than that. For more information about user access roles and permissions, see Bucket permissions (https://cloud.ibm.com/docs/cloud-object-storage?topic=cloud-object-storage-iam-bucket-permissions).
You must create service credentials that include hash-based message authentication code (HMAC) credentials; the protocol authenticates with the HMAC access key ID and secret access key, not with an IAM API key. For more information about service credentials, see Using HMAC credentials (https://cloud.ibm.com/docs/cloud-object-storage?topic=cloud-object-storage-uhc-hmac-credentials-main).
Parameter | Description |
---|---|
Protocol Configuration | IBM Cloud Object Storage |
Log Source Identifier | Type a unique name for the log source. The log source identifier does not need to reference a specific server, and it can be the same value as the Log Source Name. |
HMAC Access Key ID | The Access Key ID that was generated when you configured the service credentials. |
HMAC Secret Access Key | The Secret Access Key that was generated when you configured the service credentials. |
Endpoint | The public endpoint that is stated in the bucket configuration page. |
Bucket Name | The name of the bucket that the logs are stored in. |
Prefix | The prefix filter value that limits collection to objects whose keys begin with the prefix. To pull all files from the bucket, use a forward slash (/). Important: Changing the Prefix value clears the persisted file marker, so all files that match the new prefix are downloaded in the next pull. If the Prefix specifies folders, do not begin the path with a forward slash. For example, use folder1/folder2, not /folder1/folder2. |
Event Format | The following event formats are supported: |
Use As A Gateway Log Source | Select this checkbox to route events to log sources that are identified by the Log Source Identifier Pattern. If you do not want to define a custom log source identifier for events, clear the checkbox. If you do not select Use As A Gateway Log Source and you do not configure the Log Source Identifier Pattern, QRadar receives the events as unknown generic log sources. |
Log Source Identifier Pattern | If you select Use As A Gateway Log Source, you can define a custom log source identifier. Use this option for events that are being processed and for log sources that are automatically discovered. If you do not configure the Log Source Identifier Pattern, QRadar receives the events as unknown generic log sources. Use key-value pairs to define the custom log source identifier. The key is the identifier format string, which becomes the resulting source or origin value. The value is the regex pattern that is evaluated against the current payload. The regex can contain capture groups, which can be used to further customize the key. Define multiple key-value pairs by typing each pattern on a new line. Multiple patterns are evaluated in the order that they are listed, and the first pattern that matches determines the custom log source identifier. The following examples show multiple key-value pair functions: |
Show Advanced Options | To configure the advanced options for event collection, set this option to On. |
File Pattern | Type a regex for the file pattern that matches the files that you want to pull; for example, .*?\.json\.gz. Objects that match the Prefix but not the File Pattern are skipped. This option is available when you set Show Advanced Options to On. |
Local Directory | The local directory on the Target Event Collector where downloaded objects are staged. The directory must exist before the protocol attempts to retrieve events. This option is available when you set Show Advanced Options to On. |
Use Proxy | If QRadar accesses IBM Cloud Object Storage through a proxy, enable Use Proxy. If the proxy requires authentication, configure the Proxy Server, Proxy Port, Proxy Username, and Proxy Password parameters. If the proxy does not require authentication, leave the Proxy Username and Proxy Password fields blank. |
Recurrence | Type a time interval to determine how frequently the protocol polls for new data. The time interval can include values in hours (H), minutes (M), or days (D); a bare number is interpreted as seconds. For example, 2H = 2 hours, 15M = 15 minutes, 30 = 30 seconds. The minimum value is 60 (seconds) or 1M. |
EPS Throttle | The maximum number of events per second that QRadar ingests. If your data source exceeds the EPS throttle, data collection is delayed. Data is still collected, and it is ingested when the data source stops exceeding the EPS throttle. The default is 5000. |