Alibaba Cloud Simple Log Service protocol configuration options
The Alibaba Cloud Simple Log Service protocol for IBM QRadar is an outbound or active protocol that collects logs from a specific Log Store available in the Alibaba Cloud Log application.
- To access logs from the Log Store, create a Log Store in the Log application. For more information, see Manage a Logstore.
- Create service credentials. For more information, see AccessKey Pair.
Parameter | Description |
---|---|
Protocol Configuration | Alibaba Cloud Simple Log Service |
Log Source Identifier | Type a unique name for the log source. The log source identifier does not need to reference a specific server, and it can be the same value as the Log Source Name. |
Access Key ID | The Access Key ID is generated when you configure the service credentials. |
Secret Access Key | The Secret Access Key is generated when you configure the service credentials. |
Log Store Public Endpoint | The Log Store Public Endpoint on the Alibaba Cloud Log Application section. For more information, see Regions and endpoints. |
Log Store Project Name | The Log Store Project Name on the Alibaba Cloud Log Application. |
Log Store Name | The Log Store Name on the Alibaba Cloud Log Application's Log Store section. |
Use Proxy | If QRadar accesses Alibaba Cloud Simple Log Service by using a proxy, enable Use Proxy. If the proxy requires authentication, configure the Proxy Server, Proxy Port, Proxy Username, and Proxy Password parameters. If the proxy does not require authentication, leave the Proxy Username and Proxy Password fields blank. |
Recurrence | Type a time interval to determine how frequently the protocol polls for new data. The time interval can include values in hours (H), minutes (M), or days (D). For example, 2H = 2 hours and 15M = 15 minutes; a number with no unit, such as 30, is read as seconds. The minimum value is 60 (seconds) or 1M. |
EPS Throttle | The maximum number of events per second that QRadar ingests. If your data source exceeds the EPS throttle, data collection is delayed. Data is still collected and then it is ingested when the data source stops exceeding the EPS throttle. The default is 5000. |
Enable Advanced Options | Select this checkbox to enable the following configuration options: |
Allow Untrusted | Enable this parameter for the protocol to accept self-signed and otherwise untrusted certificates that are located within the /opt/qradar/conf/trusted_certificates/ directory. If you disable the parameter, the scanner trusts only certificates that are signed by a trusted signer. The certificates must be in PEM or DER-encoded binary format and saved as a .crt or .cert file. Your workflow can override this setting. For more information about this process, see IBM Documentation. |
Override Workflow | Enable this option to customize the workflow. When you enable this option, the Workflow and Workflow Parameters parameters appear. |
Workflow | The XML document that defines how the protocol instance collects events from the target API. For more information on the default workflow, see Alibaba Cloud Simple Log Service protocol workflow. |
Workflow Parameters | The XML document that contains the parameter values used directly by the workflow. For more information on the default workflow parameters, see Alibaba Cloud Simple Log Service protocol workflow. |
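
The Allow Untrusted row requires certificates to be PEM or DER encoded and saved as .crt or .cert files. The following pre-flight check is an added example, not IBM code: it classifies candidate files before they are copied into the trusted-certificates directory. The function names and sample bytes are assumptions made for illustration, and the check validates encoding and framing only, not the certificate contents.

```python
import base64
import re
from pathlib import Path

ALLOWED_SUFFIXES = {".crt", ".cert"}  # extensions the parameter description names
PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)

def der_is_well_formed(data: bytes) -> bool:
    """True if data is exactly one ASN.1 SEQUENCE, the outer wrapper of an
    X.509 certificate. Checks framing only; it is not a full X.509 parse."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    first = data[1]
    if first < 0x80:                      # short-form length
        header, length = 2, first
    else:                                 # long-form length, 1 to 4 octets
        n = first & 0x7F
        if n == 0 or n > 4 or len(data) < 2 + n:
            return False
        header, length = 2 + n, int.from_bytes(data[2:2 + n], "big")
    return header + length == len(data)   # no truncation, no trailing bytes

def classify(name: str, data: bytes) -> str:
    """Return 'PEM', 'DER', or a string that starts with 'reject:'."""
    if Path(name).suffix not in ALLOWED_SUFFIXES:
        return "reject: extension is not .crt or .cert"
    match = PEM_RE.search(data)
    if match:
        try:
            body = base64.b64decode(b"".join(match.group(1).split()), validate=True)
        except ValueError:                # binascii.Error subclasses ValueError
            return "reject: PEM body is not valid base64"
        return "PEM" if der_is_well_formed(body) else "reject: PEM body is not DER"
    return "DER" if der_is_well_formed(data) else "reject: neither PEM nor DER"

def scan_dir(directory: str) -> dict:
    """Classify every regular file in a staging directory."""
    return {p.name: classify(p.name, p.read_bytes())
            for p in sorted(Path(directory).iterdir()) if p.is_file()}

# Constructed sample: a 5-byte SEQUENCE standing in for a certificate body.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x01])
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.b64encode(SAMPLE_DER)
              + b"\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    for name, blob in [("sls.crt", SAMPLE_PEM), ("sls.cert", SAMPLE_DER),
                       ("sls.pem", SAMPLE_PEM), ("cut.crt", SAMPLE_DER[:4])]:
        print(f"{name}: {classify(name, blob)}")
```

Run `scan_dir` against a staging copy of the files; anything reported as `reject:` would not meet the format requirements stated for the Allow Untrusted parameter.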