Syslog Redirect protocol overview
The Syslog Redirect protocol is a passive inbound protocol that is used as an alternative to the Syslog protocol. Use this protocol when you want QRadar to identify the specific device name that sent the events. QRadar can passively listen for Syslog events by using TCP or UDP on any unused port that you specify.
Parameter | Description |
---|---|
Protocol Configuration | Syslog Redirect |
Log Source Identifier | Enter a Log Source Identifier to use as a default. If the Log Source Identifier Regex cannot parse the Log Source Identifier from a particular payload by using the regex that is provided, the default is used. |
Log Source Identifier Regex | Enter a regex to parse the Log Source Identifier from the payload. |
Log Source Identifier Regex Format String | Format string to combine capture groups from the Log Source Identifier Regex. For example: "$1" would use the first capture group. "$1$2" would concatenate capture groups 1 and 2. "$1 TEXT $2" would concatenate capture group 1, the literal "TEXT" and capture group 2. The resulting string is used as the new log source identifier. |
Listen Port | Enter any unused port and set your log source to send events to QRadar on that port. |
Protocol | From the list, select either TCP or UDP. The Syslog Redirect protocol supports any number of UDP syslog connections, but restricts TCP connections to 2500. If the syslog stream has more than 2500 log sources, you must enter a second log source and listen port number. |
Perform DNS Lookup On Regex Match | Select the Perform DNS Lookup On Regex Match checkbox to enable DNS functionality, which is based on the Log Source Identifier parameter value. By default, the checkbox is not selected. |
Use Predictive Parsing | If you enable this parameter, an algorithm extracts log source identifier patterns from events without running the regex for every event, which increases the parsing speed. Tip: In rare circumstances, the algorithm can make incorrect predictions. Enable predictive parsing only for log source types that you expect to receive high event rates and require faster parsing. |
Payload Size | The payload size is the length of data that is sent by the communicating endpoint. The default is 2048. The payload size must be an integer between 2048 and 32000. |
Enabled | Select this checkbox to enable the log source. By default, the checkbox is selected. |
Credibility | From the list, select the Credibility of the log source. The range is 0 - 10. The credibility indicates the integrity of an event or offense as determined by the credibility rating from the source devices. Credibility increases if multiple sources report the same event. The default is 5. |
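The following Python script is an added illustration of how the Log Source Identifier Regex, the Format String and the default Log Source Identifier interact when the protocol derives a log source identifier from each payload. It is not IBM's code and does not come from QRadar; the sample syslog payloads, the regexes and the default identifier are constructed for the example, and the behaviour for a `$N` reference that points at a group the regex does not define (treated here as an empty string) is an assumption, not something the page specifies.

```python
import re

# Constructed sample syslog payloads (not from the page); the third carries no
# hostname field, so the regex fails and the default identifier must be used.
SAMPLE_PAYLOADS = [
    "<13>Jan 10 12:00:01 fw-edge-01 kernel: example message",
    "<13>Jan 10 12:00:02 core-sw-02 sshd[123]: example message",
    "<13>no hostname here at all",
]

# Placeholder for the "Log Source Identifier" parameter (the fallback value).
DEFAULT_IDENTIFIER = "default-syslog-redirect"

# Assumed regexes for the "Log Source Identifier Regex" parameter.
# ONE_GROUP captures the hostname field of a BSD-style syslog header;
# TWO_GROUPS additionally captures the program name that follows it.
ONE_GROUP_REGEX = r"^<\d+>\w{3}\s+\d+\s+[\d:]+\s+(\S+)"
TWO_GROUP_REGEX = r"^<\d+>\w{3}\s+\d+\s+[\d:]+\s+(\S+)\s+([A-Za-z_]+)"

# "$N" references inside the Format String.
_GROUP_REF = re.compile(r"\$(\d+)")


def apply_format_string(match, format_string):
    """Expand every $N in the format string with capture group N of the match.

    Assumption: a reference to a group the regex does not define, or one that
    did not participate in the match, expands to an empty string.
    """
    def repl(ref):
        n = int(ref.group(1))
        if 0 < n <= len(match.groups()) and match.group(n) is not None:
            return match.group(n)
        return ""
    return _GROUP_REF.sub(repl, format_string)


def extract_identifier(payload, regex, format_string, default):
    """Return the log source identifier for one payload.

    If the regex does not match, the default Log Source Identifier is used,
    mirroring the fallback described for the Log Source Identifier parameter.
    """
    match = re.search(regex, payload)
    if match is None:
        return default
    return apply_format_string(match, format_string)


def identifiers_for(payloads, regex, format_string, default):
    """Derive an identifier for each payload in a batch."""
    return [extract_identifier(p, regex, format_string, default) for p in payloads]


if __name__ == "__main__":
    for fmt in ("$1", "$1$2", "$1 TEXT $2"):
        print(f"format {fmt!r}:")
        for payload, ident in zip(SAMPLE_PAYLOADS,
                                  identifiers_for(SAMPLE_PAYLOADS, TWO_GROUP_REGEX, fmt, DEFAULT_IDENTIFIER)):
            print(f"  {ident!r:28} <- {payload}")
```

Running the script shows the three format strings from the table applied to the same payloads: "$1" yields the hostname alone, "$1$2" glues hostname and program together, and "$1 TEXT $2" inserts the literal between them, while the payload with no parsable hostname always falls back to the default identifier. This is the check to run mentally before committing a regex to a live log source: if the expression silently fails on a subset of payloads, those events are attributed to the default identifier rather than the real device.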