Configuring SysFlow agent to communicate with QRadar

To forward events to IBM QRadar, you must install a SysFlow collector on an OpenShift® or Kubernetes cluster.

About this task

The SysFlow installation uses the OpenShift or Kubernetes operator. The operator uses custom resources to manage the SysFlow agent and its associated components. This installation deploys the operator pod and then applies the custom resources. When the custom resources are created, the operator deploys SysFlow agent pods to all worker nodes in the cluster. During the installation process, the OpenShift or Kubernetes cluster downloads container images from the internet.

Procedure

  1. Use SSH to log in to the master node of your OpenShift or Kubernetes cluster as an administrator.
  2. Download the SysFlow installation package and then extract the files.
  3. Go to the root folder, sf-operator, of the extracted installation package; the deployment scripts are in its scripts/run directory.
  4. To change to the scripts directory, type the following command:

    cd scripts/run/

  5. To deploy the operator, type the following command:

    ./deployOperator.sh

  6. To deploy the SysFlow agent, type the following command:

    ./applyCR.sh <QRadar_Console_IP_address> 514 tcp
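The following pre-flight wrapper is an added example; it is not part of the IBM documentation or of the sf-operator package. It validates the three arguments that step 6 passes to applyCR.sh (console IPv4 address, syslog port, protocol) and, for TCP, probes whether the console port is reachable from the node before the agent custom resource is applied, so a typo or a filtered port is caught before agent pods are rolled out cluster-wide. It assumes it is run from sf-operator/scripts/run, that applyCR.sh takes the address, port and protocol positionally as shown above, and that udp is accepted alongside the tcp the procedure shows; the function and file names are hypothetical.

```shell
#!/bin/sh
# Added example (not IBM's documentation or the sf-operator package's own code):
# pre-flight checks for the arguments handed to applyCR.sh.
# Assumptions: run from sf-operator/scripts/run; applyCR.sh takes
# <address> <port> <protocol>; "udp" is accepted alongside the "tcp" shown
# in the procedure. Save as deploy_wrapper.sh (hypothetical name).

# Succeed only for a dotted-quad IPv4 address with four octets in 0..255.
valid_ipv4() {
    case "$1" in
        ""|*[!0-9.]*) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ -n "$octet" ] || return 1
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Succeed only for a numeric port in 1..65535.
valid_port() {
    case "$1" in
        ""|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Succeed only for the transports a QRadar syslog log source can listen on.
valid_protocol() {
    case "$1" in
        tcp|udp) return 0 ;;
        *) return 1 ;;
    esac
}

# Validate all three arguments; report the first problem found on stderr.
check_args() {
    valid_ipv4 "$1"     || { echo "bad console address: '$1'" >&2; return 1; }
    valid_port "$2"     || { echo "bad port: '$2'" >&2; return 1; }
    valid_protocol "$3" || { echo "bad protocol: '$3' (expected tcp or udp)" >&2; return 1; }
    return 0
}

# Reachability probe for TCP only (UDP gives no connect-level answer).
# Skipped, with a note, when nc is not installed on the node.
probe_console() {
    [ "$3" = tcp ] || return 0
    command -v nc >/dev/null 2>&1 || { echo "nc not found, skipping reachability probe" >&2; return 0; }
    nc -z -w 3 "$1" "$2"
}

# Entry point: validate, probe, then hand off to the package's own applyCR.sh.
deploy_sysflow_agent() {
    check_args "$1" "$2" "$3" || return 1
    probe_console "$1" "$2" "$3" || { echo "console $1:$2/$3 not reachable from this node" >&2; return 1; }
    [ -x ./applyCR.sh ] || { echo "applyCR.sh not found; run this from sf-operator/scripts/run" >&2; return 1; }
    ./applyCR.sh "$1" "$2" "$3"
}

# Usage (from sf-operator/scripts/run):  ./deploy_wrapper.sh <QRadar_Console_IP_address> 514 tcp
# Only dispatch when exactly three arguments are given, so the functions can be sourced.
if [ "$#" -eq 3 ]; then
    deploy_sysflow_agent "$@"
fi
```

The address check deliberately accepts only an IPv4 literal, matching the `<QRadar_Console_IP_address>` placeholder in the procedure; if your applyCR.sh also accepts a host name, extend `valid_ipv4` accordingly rather than weakening the other checks.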

What to do next

If QRadar does not automatically detect the log source, add a SysFlow log source on the QRadar Console.