Configuring VMware Carbon Black App Control to communicate with QRadar®

Configure your Carbon Black App Control console to forward events to IBM QRadar in LEEF format.

Procedure

  1. Access the Carbon Black App Control console by entering the Carbon Black App Control server URL in your browser.
  2. Log in to the Carbon Black App Control console. You must have Administrator or Power User privileges.
  3. From the navigation menu, select Administration > System Configuration.
  4. On the System Configuration page, click the Events tab.
  5. In the External Events Logging section, click Edit and then configure the following parameters.
    1. Type the IP address of the QRadar Event Collector in the Syslog address field.
    2. Type 514 in the Syslog port field.
  6. From the Syslog format list, select LEEF (Q1Labs).
  7. Select the Syslog Enabled checkbox and then click Update.
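
To confirm that forwarded events arrive as well-formed LEEF, a payload captured on the collector side can be run through a small parser like the one below. This is an added example, not code from the product documentation; it covers both LEEF 1.0 (tab-delimited attributes) and LEEF 2.0 (explicit delimiter field). The sample line is constructed, and its vendor, product, event ID and attribute values are placeholders.

```python
import re

LEEF_START = re.compile(r"LEEF:(1\.0|2\.0)\|")
HEX_DELIM = re.compile(r"(?:0x|x)([0-9A-Fa-f]{1,4})")

# Constructed sample; vendor, product, event ID and attributes are placeholders,
# not values taken from a real App Control event.
SAMPLE = ("<13>Jan  1 00:00:00 appcontrol-host "
          "LEEF:1.0|ExampleVendor|ExampleProduct|1.0|1001|"
          "cat=Example\tsrc=192.0.2.10\tusrName=alice")

def parse_leef(line):
    """Parse one syslog payload carrying a LEEF event; raise ValueError if malformed."""
    m = LEEF_START.search(line)      # skips any syslog PRI/timestamp/host prefix
    if not m:
        raise ValueError("no LEEF header found")
    version = m.group(1)
    nfields = 4 if version == "1.0" else 5   # LEEF 2.0 adds a delimiter field
    parts = line[m.end():].split("|", nfields)
    if len(parts) != nfields + 1:
        raise ValueError("truncated LEEF header")
    if not all(parts[:4]):
        raise ValueError("empty vendor, product, version or event ID field")
    vendor, product, prod_version, event_id = parts[:4]
    delim = "\t"                             # default attribute delimiter
    if version == "2.0" and parts[4]:
        hexm = HEX_DELIM.fullmatch(parts[4])  # delimiter given as 0x09 or x09
        delim = chr(int(hexm.group(1), 16)) if hexm else parts[4]
    attrs = {}
    for pair in parts[-1].rstrip("\r\n").split(delim):
        if not pair:
            continue
        key, sep, value = pair.partition("=")
        if not sep:
            raise ValueError(f"attribute without '=': {pair!r}")
        attrs[key] = value
    return {"leef_version": version, "vendor": vendor, "product": product,
            "product_version": prod_version, "event_id": event_id, "attrs": attrs}

if __name__ == "__main__":
    print(parse_leef(SAMPLE))
```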