Alibaba Cloud Simple Log Service protocol configuration options

The Alibaba Cloud Simple Log Service protocol for IBM QRadar is an outbound or active protocol that collects logs from a specific Log Store available in the Alibaba Cloud Log application.

Important: Before you configure the Alibaba Cloud Simple Log Service protocol, configure the user access roles and the service credentials to access the Alibaba Cloud Log application.
  • To access logs from the Log Store, create a Log Store in the Log application. For more information, see Manage a Logstore.
  • Create service credentials. For more information, see AccessKey Pair.
Table 1. Alibaba Cloud Simple Log Service protocol common log source parameters
Parameter Description

Protocol Configuration

Alibaba Cloud Simple Log Service

Log Source Identifier

Type a unique name for the log source. The log source identifier does not need to reference a specific server, and it can be the same value as the Log Source Name.

Access Key ID

The Access Key ID that is generated when you configure the service credentials.

Secret Access Key

The Secret Access Key that is generated when you configure the service credentials.

Log Store Public Endpoint

The public endpoint of the Log Store, as shown in the Alibaba Cloud Log Application section. For more information, see Regions and endpoints.

Log Store Project Name

The Log Store Project Name as shown in the Alibaba Cloud Log Application.

Log Store Name

The Log Store Name as shown in the Log Store section of the Alibaba Cloud Log Application.
Use Proxy

If QRadar accesses Alibaba Cloud Simple Log Service by using a proxy, enable Use Proxy.

If the proxy requires authentication, configure the Proxy Server, Proxy Port, Proxy Username, and Proxy Password parameters. If the proxy does not require authentication, leave the Proxy Username and Proxy Password fields blank.

Recurrence

Type a time interval to determine how frequently the protocol polls for new data. The interval is a number with an optional unit suffix: hours (H), minutes (M), or days (D); a number with no suffix is interpreted as seconds. For example, 2H = 2 hours, 15M = 15 minutes, and 30 = 30 seconds.

The minimum value is 60 (seconds) or 1M.
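The Recurrence syntax above (H, M or D suffix, a bare number as seconds, 60-second minimum) written as a small validator, added here as an example; it is not part of the IBM documentation or of QRadar. It returns the polling interval in seconds, or the reason a value would be rejected, so an operator can check an interval before saving the log source. Accepting lowercase suffixes is an assumption of this example, not something the documentation states.

```python
import re

# Documented minimum polling interval: 60 seconds (equivalently "1M").
MIN_INTERVAL_SECONDS = 60

# Documented suffixes: H = hours, M = minutes, D = days; no suffix = seconds.
_UNIT_SECONDS = {"H": 3600, "M": 60, "D": 86400, "": 1}

# A whole number, optionally followed by a single letter unit.
_RECURRENCE_RE = re.compile(r"^\s*(\d+)\s*([A-Za-z]?)\s*$")


def check_recurrence(value: str):
    """Validate a Recurrence string.

    Returns (seconds, None) for an acceptable value and (None, reason)
    for one the protocol would not accept. Lowercase suffixes are folded
    to uppercase here (an assumption of this example).
    """
    match = _RECURRENCE_RE.match(value)
    if not match:
        return None, f"not a whole number optionally followed by H, M or D: {value!r}"
    amount, unit = int(match.group(1)), match.group(2).upper()
    if unit not in _UNIT_SECONDS:
        return None, f"unknown unit {unit!r}; use H, M or D"
    seconds = amount * _UNIT_SECONDS[unit]
    if seconds < MIN_INTERVAL_SECONDS:
        return None, f"{value!r} is {seconds}s; the minimum is {MIN_INTERVAL_SECONDS}s (1M)"
    return seconds, None


def parse_recurrence(value: str) -> int:
    """Like check_recurrence, but raises ValueError instead of returning a reason."""
    seconds, reason = check_recurrence(value)
    if reason is not None:
        raise ValueError(reason)
    return seconds


if __name__ == "__main__":
    # Constructed sample values: the documented examples plus a few that must be rejected.
    for sample in ("2H", "15M", "1D", "60", "30", "5X", "1.5H"):
        print(f"{sample!r:>7} -> {check_recurrence(sample)}")
```

A value such as "30" is syntactically valid but below the minimum, so the validator rejects it with the reason rather than silently rounding it up; that mirrors what a practitioner would want a pre-flight check to do.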

EPS Throttle

The maximum number of events per second that QRadar ingests.

If your data source exceeds the EPS throttle, data collection is delayed. Data is still collected and then it is ingested when the data source stops exceeding the EPS throttle.

The default is 5000.

Enable Advanced Options
Select this checkbox to enable the following configuration options:
  • Allow Untrusted
  • Override Workflow
Allow Untrusted

Enable this parameter for the protocol to accept self-signed and otherwise untrusted certificates that are located in the /opt/qradar/conf/trusted_certificates/ directory. If you disable the parameter, the protocol trusts only certificates that are signed by a trusted signer.

The certificates must be in PEM or DER-encoded binary format and saved as a .crt or .cert file.

Your workflow can override this setting. For more information about this process, see IBM Documentation.
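A stdlib-only check that a file placed in /opt/qradar/conf/trusted_certificates/ meets the requirements just stated (PEM or DER encoding, .crt or .cert file name), added here as an example; it is not part of the IBM documentation or of QRadar. It verifies the extension and that the content is either a PEM CERTIFICATE block whose base64 body decodes to a DER SEQUENCE, or raw DER whose outer SEQUENCE length matches the file size; it does not parse X.509 fields. The embedded sample bytes are a constructed minimal ASN.1 SEQUENCE, not a real certificate.

```python
import base64
import binascii
import os

# Directory named in the documentation for self-signed and untrusted certificates.
TRUSTED_CERT_DIR = "/opt/qradar/conf/trusted_certificates/"
ALLOWED_EXTENSIONS = (".crt", ".cert")

PEM_HEADER = b"-----BEGIN CERTIFICATE-----"
PEM_FOOTER = b"-----END CERTIFICATE-----"


def _is_der_sequence(data: bytes) -> bool:
    """True if data is exactly one ASN.1 SEQUENCE (tag 0x30) with a length
    that covers the rest of the data, which is the outer shape of a DER
    X.509 certificate. Structural check only, no X.509 parsing."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    first = data[1]
    if first < 0x80:                      # short-form length byte
        length, header_len = first, 2
    else:                                 # long form: 0x8N then N length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(data) < 2 + n:
            return False
        length = int.from_bytes(data[2:2 + n], "big")
        header_len = 2 + n
    return header_len + length == len(data)


def classify_certificate_file(name: str, data: bytes) -> str:
    """Return 'pem' or 'der' for an acceptable file, else 'reject: <reason>'."""
    if not name.lower().endswith(ALLOWED_EXTENSIONS):
        return "reject: file name must end in .crt or .cert"
    body = data.strip()
    if body.startswith(PEM_HEADER):
        end = body.find(PEM_FOOTER)
        if end == -1:
            return "reject: PEM block has no END CERTIFICATE line"
        b64 = b"".join(body[len(PEM_HEADER):end].split())
        try:
            der = base64.b64decode(b64, validate=True)
        except binascii.Error:
            return "reject: PEM body is not valid base64"
        if not _is_der_sequence(der):
            return "reject: PEM body does not decode to a certificate SEQUENCE"
        return "pem"
    if _is_der_sequence(data):
        return "der"
    return "reject: neither PEM nor DER encoded"


def scan_directory(directory: str = TRUSTED_CERT_DIR) -> dict:
    """Classify every regular file in the directory, a dry-run check an
    administrator can run before enabling Allow Untrusted."""
    results = {}
    for entry in sorted(os.listdir(directory)):
        path = os.path.join(directory, entry)
        if os.path.isfile(path):
            with open(path, "rb") as fh:
                results[entry] = classify_certificate_file(entry, fh.read())
    return results


# Constructed sample: a minimal SEQUENCE { INTEGER 1 }, not a real certificate.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x01])
SAMPLE_PEM = PEM_HEADER + b"\n" + base64.b64encode(SAMPLE_DER) + b"\n" + PEM_FOOTER + b"\n"

if __name__ == "__main__":
    print(classify_certificate_file("proxy-ca.crt", SAMPLE_PEM))   # pem
    print(classify_certificate_file("proxy-ca.cert", SAMPLE_DER))  # der
    print(classify_certificate_file("proxy-ca.pem", SAMPLE_PEM))   # reject: extension
```

Run scan_directory() on the appliance to list which files in the directory would be picked up and which would be ignored; a file that reports "reject" is the usual reason a self-signed proxy or endpoint certificate is still not trusted after Allow Untrusted is enabled.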

Override Workflow

Enable this option to customize the workflow. When you enable this option, the Workflow and Workflow Parameters fields appear.
Workflow

The XML document that defines how the protocol instance collects events from the target API. For more information on the default workflow, see Alibaba Cloud Simple Log Service protocol workflow.

Workflow Parameters

The XML document that contains the parameter values used directly by the workflow. For more information on the default workflow parameters, see Alibaba Cloud Simple Log Service protocol workflow.