HTTP Receiver protocol configuration options

To collect events from devices that forward HTTP or HTTPS requests, configure a log source to use the HTTP Receiver protocol.

The HTTP Receiver protocol is an inbound, passive protocol. The HTTP Receiver acts as an HTTP server on the configured listening port and converts the request body of any received POST requests into events. It supports both HTTPS and HTTP requests.

The following table describes the protocol-specific parameters for the HTTP Receiver protocol:
Table 1. HTTP Receiver protocol parameters
Parameter Description
Protocol Configuration

From the list, select HTTP Receiver.

Log Source Identifier

The IP address, hostname, or any name to identify the device.

Must be unique for the log source type.

Communication Type

Select HTTP, or HTTPs, or HTTPs and Client Authentication.

Client Certificate Path

If you select HTTPs and Client Authentication as the communication type, you must set the absolute path to the client certificate. You must copy the client certificate to the QRadar® Console or the Event Collector for the log source.

TLS version

The versions of TLS that can be used with this protocol. To use the most secure version, select the TLSv1.2 option.

When you select an option with multiple available versions, the HTTPS connection negotiates the highest version that both the client and the server support.

Listen Port

The port that is used by QRadar to accept incoming HTTP Receiver events. The default port is 12469.

Important: Do not use port 514. Port 514 is used by the standard Syslog listener.

Message Pattern

By default, the entire HTTP POST is processed as a single event. To divide the POST into multiple single-line events, provide a regular expression to denote the start of each event.

Use As A Gateway Log Source

Select this option for the collected events to flow through the QRadar Traffic Analysis engine and for QRadar to automatically detect one or more log sources.

Max Payload Length (Byte)

The maximum payload size of a single event in bytes. The event is split when its payload size exceeds this value.

The default value is 8192, and it must not be greater than 32767.

Max POST method Request Length (MB)

The maximum size of a POST method request body in MB. If a POST request body size exceeds this value, an HTTP 413 status code is returned.

The default value is 5, and it must not be greater than 10.

EPS Throttle

The maximum number of events per second (EPS) that you do not want this protocol to exceed. The default is 5000.
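
The following is an added example, not IBM or QRadar code. It previews offline how the Message Pattern, Max Payload Length (Byte), and Max POST method Request Length (MB) settings described in the table would turn one POST body into events, and shows how a loose pattern over-splits. It assumes that each regular expression match marks the start of an event, that text before the first match is kept, and that 1 MB is 1024 × 1024 bytes; `preview_events` and the sample data are hypothetical, and Python's `re` module stands in for the regex engine that QRadar uses.

```python
import re

MAX_PAYLOAD = 8192   # "Max Payload Length (Byte)" default from the table
MAX_POST_MB = 5      # "Max POST method Request Length (MB)" default from the table

def preview_events(body, message_pattern=None,
                   max_payload=MAX_PAYLOAD, max_post_mb=MAX_POST_MB):
    """Approximate how one POST body becomes events; returns (status, events)."""
    # Assumption: 1 MB = 1024 * 1024 bytes.
    if len(body) > max_post_mb * 1024 * 1024:
        return 413, []
    text = body.decode("utf-8", errors="replace")
    if message_pattern:
        # Each regex match marks the start of a new event.
        starts = [m.start() for m in re.finditer(message_pattern, text)]
        if not starts or starts[0] != 0:
            starts.insert(0, 0)  # assumption: text before the first match is kept
        chunks = [text[a:b] for a, b in zip(starts, starts[1:] + [len(text)])]
    else:
        chunks = [text]  # default: the entire POST is a single event
    events = []
    for chunk in chunks:
        raw = chunk.strip("\r\n").encode("utf-8")
        # An event larger than max_payload is split into several events.
        events += [raw[i:i + max_payload] for i in range(0, len(raw), max_payload)]
    return 200, events

# Constructed sample POST body: three events, the second contains a date field.
SAMPLE = (b"2024-05-01T10:00:00Z action=login user=alice\n"
          b"2024-05-01T10:00:01Z action=report user=bob range_start=2024-04-01\n"
          b"2024-05-01T10:00:02Z action=logout user=alice\n")

LOOSE = r"\d{4}-\d{2}-\d{2}"                       # also matches the range_start value
STRICT = r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z"   # matches only the leading timestamp

if __name__ == "__main__":
    for name, pattern in (("none", None), ("loose", LOOSE), ("strict", STRICT)):
        status, events = preview_events(SAMPLE, pattern)
        print(name, status, len(events))
        for event in events:
            print("   ", event.decode())
```

A pattern that can match inside an event body, like `LOOSE` here, produces truncated events that no longer carry their own timestamp, so test the expression against representative payloads before you save the log source.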