Disconnected Log Collectors

Use the QRadar® Log Source Management app to register or import Disconnected Log Collector instances that are installed in your environment. You can configure your log sources in the app, which is much faster than by using the Disconnected Log Collector's JSON config file.

IBM® Disconnected Log Collector sends events to a QRadar deployment by using the User Datagram Protocol (UDP) or by using Transport Layer Security over the Transmission Control Protocol (TLS over TCP). When Disconnected Log Collector uses TLS over TCP, it buffers incoming events during times when it’s disconnected from QRadar and sends them when the connection is restored. Buffer capacity can be configured, and is limited by the available memory and disk space.