To forward events to IBM QRadar, you must install the SysFlow collector on an OpenShift® or Kubernetes cluster.
About this task
The SysFlow installation uses an OpenShift or Kubernetes operator. The operator uses custom resources to manage the SysFlow agent and its associated components. The installation first deploys the operator pod and then applies the custom resources. When the custom resources are created, the operator deploys a SysFlow agent pod to every worker node in the cluster. During the installation, the OpenShift or Kubernetes cluster downloads container images from the internet, so the nodes need outbound access to the image registry while the installation runs.
Procedure
- Use SSH to log in as administrator to the master node of your OpenShift or Kubernetes cluster.
- Download the SysFlow installation package and then extract the files.
- Go to the root folder sf-operator of the extracted installation package, and then go to its scripts/run subdirectory.
- To run the script, type the following command:
- To deploy the operator, type the following command:
- To deploy the SysFlow agent, type the following command, where the arguments are the QRadar Console IP address, the syslog port and the transport protocol:
  ./applyCR.sh <QRadar_Console_IP_address> 514 tcp
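The last step hands the Console address, port and protocol straight to applyCR.sh, and a typo there only surfaces later as an agent that never delivers events. The following pre-flight script is an added example, not part of the SysFlow operator package or of this documentation: it validates the three arguments in the same order applyCR.sh takes them and, when nc(1) is installed, confirms that the Console is reachable on that TCP port before the custom resource is applied. The IP addresses used in the comments and test are constructed (RFC 5737 documentation range).

```shell
#!/usr/bin/env sh
# Added example (not the SysFlow project's code): pre-flight check for
#   ./applyCR.sh <QRadar_Console_IP_address> <port> <protocol>
# Run it with the same three arguments you intend to pass to applyCR.sh.

# validate_ipv4 ADDR : succeeds only for a dotted-quad IPv4 address
validate_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # empty, non-digit chars, leading/trailing/double dot
    esac
    oldifs=$IFS; IFS=.
    set -- $1                                   # split on dots (input is digits and dots only)
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ????*) return 1 ;; esac   # more than three digits
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# validate_port PORT : an integer in 1..65535
validate_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# validate_proto PROTO : QRadar syslog listens on tcp or udp
validate_proto() {
    case "$1" in
        tcp|udp) return 0 ;;
        *) return 1 ;;
    esac
}

# check_target ADDR PORT PROTO : all three argument checks, with a reason on stderr
check_target() {
    ip=$1 port=$2 proto=$3
    validate_ipv4 "$ip"     || { echo "invalid QRadar Console IP address: $ip" >&2; return 1; }
    validate_port "$port"   || { echo "invalid port: $port" >&2; return 1; }
    validate_proto "$proto" || { echo "protocol must be tcp or udp, got: $proto" >&2; return 1; }
    return 0
}

# probe_target ADDR PORT PROTO : TCP reachability test with nc(1).
# Skipped for udp (no handshake to observe) and when nc is not installed.
probe_target() {
    [ "$3" = tcp ] || { echo "skipping reachability probe for $3" >&2; return 0; }
    command -v nc >/dev/null 2>&1 || { echo "nc not found, skipping probe" >&2; return 0; }
    nc -z -w 3 "$1" "$2"
}

# Stand-alone use:  sh preflight.sh 192.0.2.10 514 tcp && ./applyCR.sh 192.0.2.10 514 tcp
if [ $# -eq 3 ]; then
    check_target "$@" && probe_target "$@" && echo "pre-flight OK: $1:$2/$3"
fi
```

A passing probe only shows that something accepts connections on the port; it does not prove QRadar will parse the events, which is why the next section still has you confirm the log source on the Console. Note also that 514/tcp is plain syslog with no transport encryption, so events cross the network in cleartext between the agent pods and the Console. After applyCR.sh completes, confirm that an agent pod is Running on every worker node (for example with `kubectl get pods --all-namespaces`, or `oc` on OpenShift) before looking for events in QRadar.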
What to do next
If QRadar does not automatically detect the log source, add a SysFlow log source on the QRadar Console.