Sending encrypted events to QRadar
Configure a log source in stand-alone deployments of WinCollect to send encrypted events to IBM® QRadar® with TLS syslog. TLS Syslog is only supported in managed WinCollect deployments in QRadar versions 7.3.1 and later.
Before you begin
In QRadar, configure a Universal DSM (uDSM) that uses the TLS Syslog protocol. For more information, see the IBM Security QRadar Log Sources User Guide.
The uDSM opens a port and provides the certificate that is necessary for communicating by using TLS. If you delete the uDSM, TLS communication stops.
- Use SSH to log in to QRadar as the root user.
- Copy the certificate, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines, from /opt/qradar/conf/trusted_certificates/syslog-tls.cert to a temporary location. You will paste this certificate into the WinCollect Configuration Console.
- In the WinCollect Configuration Console, expand Destinations, and click Add Destination.
- In the New Destination Name box, add a name for the destination and then click OK.
- Select the new destination and enter the IP address of the target QRadar appliance in the Hostname field.
- Type 6514 in the Port field.
- Type the events per second (EPS) rate for your deployment in the Throttle field.
- Paste the certificate that you copied from QRadar into the Certificate field.
- Click Deploy Changes under Actions.
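A check to run on the QRadar host before pasting the certificate, as an added example that is not part of the IBM documentation: it extracts the complete PEM block from the certificate file and compares its SHA-256 fingerprint with the certificate that the listener on port 6514 presents. The function names and script name are hypothetical, and it assumes that openssl is installed and that the uDSM listener serves the certificate stored in that file.

```shell
#!/bin/sh
# Added example (not IBM code); function names are hypothetical.
CERT=/opt/qradar/conf/trusted_certificates/syslog-tls.cert  # path from the procedure

# Print the first complete PEM block of file $1, marker lines included and
# Windows line endings stripped. Returns 1 if a marker line is missing.
pem_block() {
    awk '
        { sub(/\r$/, "") }
        /^-----BEGIN CERTIFICATE-----/ { inblk = 1; buf = "" }
        inblk { buf = buf $0 "\n" }
        /^-----END CERTIFICATE-----/ && inblk { ok = 1; exit }
        END { if (!ok) exit 1; printf "%s", buf }
    ' "$1"
}

# SHA-256 fingerprint of the PEM certificate on stdin.
fingerprint() {
    openssl x509 -noout -fingerprint -sha256
}

# Fingerprint of the certificate presented by the listener at host $1, port $2.
listener_fingerprint() {
    openssl s_client -connect "$1:$2" </dev/null 2>/dev/null | fingerprint
}

# 0 = file and listener match, 1 = mismatch, 2 = bad file, 3 = no listener cert.
check_cert() {   # $1 = certificate file, $2 = host, $3 = port
    file_fp=$(pem_block "$1" | fingerprint 2>/dev/null) || return 2
    live_fp=$(listener_fingerprint "$2" "$3" 2>/dev/null) || return 3
    [ "$file_fp" = "$live_fp" ]
}

# Usage: sh check_tls_cert.sh <QRadar IP>   (6514 is the port from the procedure)
if [ "$#" -ge 1 ]; then
    if check_cert "$CERT" "$1" 6514; then
        pem_block "$CERT"      # the text to paste into the Certificate field
    else
        echo "certificate check failed (status $?)" >&2
        exit 1
    fi
fi
```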