Multiple log sources over TLS Syslog
You can configure multiple devices in your network to send encrypted Syslog events to a single TLS Syslog listen port. The TLS Syslog listener acts as a gateway, decrypts the event data, and feeds it within QRadar® to extra log sources configured with the Syslog protocol.
When using the TLS Syslog protocol, there are specific parameters that you must use.
Multiple devices within your network that support TLS-encrypted Syslog can send encrypted events via a TCP connection to the TLS Syslog listen port. These encrypted events are decrypted by the TLS Syslog (gateway) and are injected into the event pipeline. The decrypted events get routed to the appropriate receiver log sources or to the traffic analysis engine for autodiscovery.
Events are routed within QRadar to log sources whose Log Source Identifier value matches the source value of an event. For Syslog events with an RFC3164-, RFC5424-, or RFC5425-compliant Syslog header, the source value is the IP address or the host name from the header. For events that do not have a compliant header, the source value is the IP address of the device that sent the Syslog event.
On QRadar, you can configure multiple log sources with the Syslog protocol to receive encrypted events that are sent to a single TLS Syslog listen port from multiple devices.
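The routing rule described above, worked through as an added example (not QRadar code): the gateway extracts the source value from an RFC 5424 or RFC 3164 header, falls back to the sending device's IP when no compliant header is present, and looks up the matching Log Source Identifier. The log source table, the sample messages, and the treatment of an RFC 5424 nil host name ("-") as "no usable header" are constructed assumptions for the demonstration.

```python
import re
from typing import Optional, Tuple

# Constructed receiver log sources configured with the Syslog protocol:
# Log Source Identifier -> log source name (assumption, not a real deployment).
LOG_SOURCES = {
    "10.0.0.5": "fw-edge (Syslog)",
    "web01.example.com": "web01 (Syslog)",
}

# RFC 5424 header: <PRI>VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME ...
RFC5424 = re.compile(r"^<(\d{1,3})>(\d+) (\S+) (\S+) ")
# RFC 3164 header: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG...
RFC3164 = re.compile(r"^<(\d{1,3})>([A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) (\S+) ")


def source_value(event: str, peer_ip: str) -> str:
    """Return the value QRadar matches against Log Source Identifier.

    Header host name or IP wins when a compliant header is present;
    otherwise the TCP peer address of the sending device is used.
    """
    m = RFC5424.match(event)
    if m:
        hostname = m.group(4)
        # Assumption: a nil host name carries no source, so fall back to peer.
        return peer_ip if hostname == "-" else hostname
    m = RFC3164.match(event)
    if m:
        return m.group(3)
    return peer_ip


def route(event: str, peer_ip: str) -> Tuple[str, Optional[str]]:
    """Resolve an event to (source value, matching log source or None).

    None means no configured identifier matched, i.e. the event would go
    to the traffic analysis engine for autodiscovery instead.
    """
    src = source_value(event, peer_ip)
    return src, LOG_SOURCES.get(src)


if __name__ == "__main__":
    # Constructed sample events, all arriving on the one TLS Syslog port.
    print(route("<34>1 2024-03-01T12:00:00Z web01.example.com nginx - - - GET /", "10.0.0.7"))
    print(route("<34>Mar  1 12:00:00 10.0.0.5 kernel: link up", "10.0.0.5"))
    print(route("no syslog header at all", "10.0.0.9"))
    # Header host name that matches no identifier: the peer IP is NOT consulted.
    print(route("<13>Mar  1 12:00:01 db02 sshd[1]: accepted", "10.0.0.5"))
```

The last call shows the configuration pitfall: a device whose header host name differs from its IP needs a log source identified by that host name, because the peer IP is only used when the header is absent or non-compliant.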
To add a log source over TLS Syslog, see Adding a log source.