Syslog Redirect protocol overview

The Syslog Redirect protocol is a passive inbound protocol that is used as an alternative to the Syslog protocol. Use it when the sending IP address does not identify the device that generated an event, for example when events reach QRadar through a syslog relay or aggregator, and you want QRadar to extract the name of the originating device from the event payload instead. QRadar passively listens for syslog events over TCP or UDP on any unused port that you specify.

The following table describes the protocol-specific parameters for the Syslog Redirect protocol. Each parameter name is followed by its description.

Table 1. Syslog Redirect protocol parameters

Protocol Configuration

Select Syslog Redirect from the list.

Log Source Identifier

Enter the Log Source Identifier to use as the default. If the Log Source Identifier Regex does not match a particular payload, this default is used, so every event still maps to a log source identifier.

Log Source Identifier Regex

Enter a regular expression that is applied to each event payload to extract the log source identifier. Match on the syslog header fields (for example, the HOSTNAME that follows the timestamp) rather than on free text in the message body: the body is written by whoever can log to the source device, and a loose regex lets such text be attributed to a different log source.

Log Source Identifier Regex Format String

Format string that combines the capture groups of the Log Source Identifier Regex into the new log source identifier. For example:

"$1" uses the first capture group.

"$1$2" concatenates capture groups 1 and 2.

"$1 TEXT $2" concatenates capture group 1, the literal text "TEXT", and capture group 2.

The resulting string is used as the new log source identifier. Every group that the format string references must be defined by the regex.

Listen Port

Enter any port that is not already in use on the QRadar host that receives the events (the standard Syslog protocol listener uses port 514), and configure your devices or relay to send events to QRadar on that port.

Protocol

From the list, select either TCP or UDP.

The Syslog Redirect protocol supports any number of UDP senders, but restricts concurrent TCP connections to 2500. If more than 2500 senders must connect over TCP, configure a second log source with a different listen port. Prefer TCP where the sender supports it: UDP delivery is unacknowledged, so events are silently lost when the network or the collector is overloaded.

Perform DNS Lookup On Regex Match

Select this checkbox to perform a DNS lookup on the log source identifier value obtained from the regex match, so that the recorded log source identifier is based on the resolved value. By default, the checkbox is not selected. Each lookup adds latency and a dependency on the resolver, so leave the checkbox cleared unless your existing log sources are keyed by the resolved form.

Use Predictive Parsing

If you enable this parameter, an algorithm learns where the log source identifier appears in the event stream and extracts it without running the regex for every event, which increases parsing speed.

Tip: In rare circumstances, the algorithm predicts incorrectly and an event is attributed to the wrong log source. Enable predictive parsing only for log source types that receive high event rates and require faster parsing, and check the resulting log source assignments against a sample of events after you enable it.

Payload Size

The maximum length, in bytes, of a single event payload that the listener accepts. The default is 2048, and the value must be an integer between 2048 and 32000. Events longer than the configured size are truncated, so size it for the longest events that you expect to receive.

Enabled

Select this checkbox to enable the log source. By default, the checkbox is selected.

Credibility

From the list, select the Credibility of the log source. The range is 0 - 10, and the default is 5.

The credibility indicates the integrity of an event or offense as determined by the credibility rating of the source devices. Credibility increases if multiple sources report the same event.
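The following Python script is an added example and is not part of the IBM documentation or of QRadar itself. It models how the Log Source Identifier Regex, the Format String and the default Log Source Identifier combine to turn a relayed syslog payload into a log source identifier, and how the Payload Size limit is applied before the regex runs. The sample events, the regexes, the host names and the helper functions (expand_format, resolve_identifier, ingest, route_events) are all constructed for this example; the truncation step assumes that an event longer than the configured size is cut off at that size.

```python
import re

# Constructed sample payloads, as a syslog relay would forward them: every
# datagram arrives from the relay's IP, so only the RFC 3164 HOSTNAME field
# identifies the device that generated the event. The third line has no
# parsable header and must fall back to the default identifier.
SAMPLE_EVENTS = [
    "<34>Oct 11 22:14:15 fw-edge-01 kernel: DROP IN=eth0 SRC=203.0.113.7",
    "<13>Oct 11 22:14:16 web-prod-02 sshd[1234]: Failed password for root",
    "<13>free-form text without a syslog header",
]

# Hypothetical configuration values for the example (not QRadar defaults).
# The regex is anchored at the PRI and timestamp, so free text later in the
# message body cannot masquerade as the hostname.
HOST_REGEX = r"^<\d+>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} (\S+)"
HOST_AND_PROGRAM_REGEX = HOST_REGEX + r" ([^\s\[:]+)"
DEFAULT_IDENTIFIER = "relay.example.com"   # used when the regex does not match
MAX_PAYLOAD = 2048                         # Payload Size parameter


def expand_format(fmt, match):
    """Expand a Format String such as "$1", "$1$2" or "$1 TEXT $2".

    Each $N is replaced by capture group N of the regex match; a group that
    the regex does not define, or that did not take part in the match,
    becomes "". All other text in the format string is copied literally.
    """
    def substitute(token):
        try:
            value = match.group(int(token.group(1)))
        except IndexError:          # format string references a missing group
            value = None
        return value if value is not None else ""
    return re.sub(r"\$(\d+)", substitute, fmt)


def resolve_identifier(payload, regex=HOST_REGEX, fmt="$1",
                       default=DEFAULT_IDENTIFIER):
    """Return the log source identifier for one payload.

    Mirrors the parameter semantics: the regex runs against the payload; if
    it matches, the format string combines its capture groups into the new
    identifier, otherwise the default Log Source Identifier is used.
    """
    match = re.search(regex, payload)
    if match is None:
        return default
    identifier = expand_format(fmt, match)
    return identifier or default        # empty expansion also falls back


def ingest(payload, max_payload=MAX_PAYLOAD, **kwargs):
    """Apply the Payload Size limit, then resolve the identifier.

    Assumption for this example: data beyond max_payload is truncated. The
    regex still works on the truncated event because the header is at the
    front, which is one more reason to match on the header, not the body.
    """
    body = payload[:max_payload]
    return resolve_identifier(body, **kwargs), body


def route_events(events, **kwargs):
    """Count how many events each identifier receives (the routing outcome)."""
    counts = {}
    for event in events:
        identifier, _ = ingest(event, **kwargs)
        counts[identifier] = counts.get(identifier, 0) + 1
    return counts


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(resolve_identifier(event), "<-", event[:40])
    print(route_events(SAMPLE_EVENTS))
```

Running the script shows the two headed events routed to fw-edge-01 and web-prod-02 and the headerless line falling back to relay.example.com. Passing HOST_AND_PROGRAM_REGEX with "$1 TEXT $2" yields identifiers such as "fw-edge-01 TEXT kernel", and a format string that references a group the regex does not define collapses to the default, which is the behaviour to watch for when a regex is changed without updating the format string.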