Forwarded events

The IBM QRadar DLC Protocol brings forwarded events from one or more IBM Disconnected Log Collector instances into IBM QRadar.

Forwarded events from log source types that are autodetectable are autodetected as if the events were sent directly to QRadar. The protocol type for these forwarded events is Forwarded, regardless of which protocol the Disconnected Log Collector instance used to collect them. If events are sent by using Transport Layer Security over the Transmission Control Protocol (TLS over TCP), then the Log Source Identifier of the autodetected log source includes the UUID of the forwarding Disconnected Log Collector instance. For example, 192.0.2.0277f291f-dca9-4c59-978a-9d6deb0223b0. This format helps to ensure proper separation of event data.

Forwarded events from log source types that are not autodetectable by default require some configuration. You can create log sources for these events, singularly or in bulk, by using the QRadar Log Sources window, the Log Source Management app, or the Log Sources REST API. You must set the log sources' Protocol Configuration parameter to Forwarded for events that are forwarded by a Disconnected Log Collector instance. If the events are sent by using TLS over TCP, then the Log Source Identifier must include the UUID of the forwarding Disconnected Log Collector instance.
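The two requirements above can be checked over a bulk list of log sources before it is imported. The following is an added example, not IBM code: the record keys (name, protocol, identifier, tls) and the sample records are constructed for illustration, and the check assumes the UUID sits at the end of the Log Source Identifier, as in the example identifier shown earlier.

```python
import re

# Canonical 8-4-4-4-12 UUID at the end of the identifier (assumption: the UUID
# is a suffix, as in the page's example 192.0.2.0277f291f-...).
UUID_TAIL = re.compile(
    r"([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})$", re.I)

def split_identifier(identifier):
    """Return (prefix, uuid) if the identifier ends in a UUID, else (identifier, None)."""
    m = UUID_TAIL.search(identifier)
    return (identifier[:m.start()], m.group(1).lower()) if m else (identifier, None)

def audit(log_sources, dlc_uuids):
    """Return (name, problem) pairs for log sources meant for DLC-forwarded events.

    log_sources: dicts with hypothetical keys name, protocol, identifier, tls.
    dlc_uuids:   UUIDs of the DLC instances expected to forward to this QRadar.
    """
    known = {u.lower() for u in dlc_uuids}
    findings = []
    for ls in log_sources:
        if ls["protocol"] != "Forwarded":
            findings.append((ls["name"], "protocol is not Forwarded"))
            continue
        if not ls["tls"]:
            continue  # the UUID requirement applies to TLS over TCP only
        _, uuid = split_identifier(ls["identifier"])
        if uuid is None:
            findings.append((ls["name"], "identifier has no DLC UUID"))
        elif uuid not in known:
            findings.append((ls["name"], "identifier names an unknown DLC UUID"))
    return findings

# Constructed sample data; only the first identifier comes from the page.
DLC_UUIDS = ["277f291f-dca9-4c59-978a-9d6deb0223b0"]
SAMPLE = [
    {"name": "fw-1", "protocol": "Forwarded", "tls": True, "identifier": "192.0.2.0277f291f-dca9-4c59-978a-9d6deb0223b0"},
    {"name": "app-1", "protocol": "Syslog", "tls": True, "identifier": "192.0.2.9"},
    {"name": "db-1", "protocol": "Forwarded", "tls": True, "identifier": "192.0.2.10"},
    {"name": "udp-1", "protocol": "Forwarded", "tls": False, "identifier": "192.0.2.11"},
    {"name": "fw-2", "protocol": "Forwarded", "tls": True, "identifier": "192.0.2.1200000000-0000-4000-8000-000000000000"},
]

if __name__ == "__main__":
    for name, problem in audit(SAMPLE, DLC_UUIDS):
        print(f"{name}: {problem}")
```

An identifier that names an unknown UUID is worth investigating rather than just correcting, because events filed under it would not be attributed to any Disconnected Log Collector instance you expect.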

Alternatively, in QRadar 7.3.2, you can configure Log Source Autodetection for log source types that are not autodetectable by default. You can configure autodetection for any log source type (custom or IBM® provided) by using the DSM Editor Configuration tab.

For more information about adding log sources singularly, in bulk, or by using Log Source Autodetection, see the DSM Configuration Guide.