RabbitMQ protocol configuration options

To receive messages from a Cisco AMP DSM, configure a log source to use the RabbitMQ protocol.

The RabbitMQ protocol is an active outbound protocol.

Important: The Cisco AMP integration does not support private cloud if the Server Name Indication (SNI) is required. Contact Cisco for more details.

The following table describes the protocol-specific parameters for the RabbitMQ protocol:

Table 1. RabbitMQ protocol parameters

Protocol Name
    RabbitMQ

Log Source Identifier
    Type a unique name for the log source.

    The Log Source Identifier can be any valid value and does not need to reference a specific server. It can also be the same value as the Log Source Name. If you have more than one configured RabbitMQ log source, ensure that you give each one a unique name.

Event Format
    The Event Format tells the protocol what type of events to expect. Officially supported products have specific options available for them. For unsupported products, you can use No Formatting or JSON.

IP or Hostname
    The IP address or hostname of the primary queue manager.

Port
    The port that is provided by the AMQP service when a queue is created or viewed.

Queue
    The queue or list of queues to monitor. A list of queues is specified as a comma-separated list.

Username
    The username that is used to authenticate with the RabbitMQ service.

Password
    The password that is used to authenticate with the RabbitMQ service.

EPS Throttle
    The maximum number of events per second that QRadar ingests.

    If your data source exceeds the EPS throttle, data collection is delayed. Data is still collected and is ingested when the data source stops exceeding the EPS throttle.

    The default is 5000.

Allow Untrusted Certificates
    Enable this option when the endpoint uses a certificate that cannot be verified through the certificate chain. This includes a self-signed certificate, or one from a private CA that you do not want to import into your CA trust.

    Do not use this option for endpoints with a certificate issued by a public CA (SaaS products, public cloud infrastructure, and so on).

    If you instead import the endpoint's certificate so that it can be verified, download it in PEM or DER encoded binary format and place it in the /opt/qradar/conf/trusted_certificates/ directory with a .cert or .crt file extension.
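As an added example that is not part of the IBM documentation or the QRadar product, the parameters from Table 1 held in a Python object, together with the TLS verification policy that the Allow Untrusted Certificates option implies and the trust-directory loading rule the page describes. The class and function names and the sample values are assumptions; the AMQP client itself is left out (pika, for instance, accepts an ssl.SSLContext through pika.SSLOptions).

```python
import os
import ssl
from dataclasses import dataclass

TRUSTED_CERT_DIR = "/opt/qradar/conf/trusted_certificates/"  # directory the page names


@dataclass
class RabbitMQLogSource:
    """Holder (hypothetical) for the protocol parameters in Table 1."""
    log_source_identifier: str
    ip_or_hostname: str
    port: int
    queue: str                  # one queue or a comma-separated list, as the Queue field expects
    username: str
    password: str
    eps_throttle: int = 5000    # the documented default
    allow_untrusted_certificates: bool = False

    def queues(self) -> list[str]:
        """Split the comma-separated Queue value, dropping blanks and surrounding spaces."""
        return [q.strip() for q in self.queue.split(",") if q.strip()]


def select_trusted_cert_names(names: list[str]) -> list[str]:
    """Only files with a .cert or .crt extension are loaded from the trust directory."""
    return sorted(n for n in names if n.lower().endswith((".cert", ".crt")))


def build_ssl_context(source: RabbitMQLogSource, trust_dir: str = TRUSTED_CERT_DIR) -> ssl.SSLContext:
    """Translate 'Allow Untrusted Certificates' into the TLS verification policy it implies."""
    ctx = ssl.create_default_context()  # verifies the chain against the public CA store + hostname
    if source.allow_untrusted_certificates:
        # The option disables chain and hostname checks entirely, so any certificate
        # presented on the path to the broker is accepted and the credentials sent over
        # the connection rely on nothing but the network. Keep it off for public-CA endpoints.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        return ctx
    if os.path.isdir(trust_dir):
        for name in select_trusted_cert_names(os.listdir(trust_dir)):
            with open(os.path.join(trust_dir, name), "rb") as fh:
                data = fh.read()
            # PEM files are ASCII text; anything else is treated as DER (both accepted via cadata).
            if data.lstrip().startswith(b"-----BEGIN"):
                ctx.load_verify_locations(cadata=data.decode("ascii"))
            else:
                ctx.load_verify_locations(cadata=data)
    return ctx
```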