Sending encrypted events to QRadar

Configure a log source in stand-alone deployments of WinCollect to send encrypted events to IBM® QRadar® with TLS syslog. TLS Syslog is only supported in managed WinCollect deployments in QRadar versions 7.3.1 and later.

Before you begin

In QRadar, configure a Universal DSM that uses the TLS Syslog protocol. For more information, see the IBM Security QRadar Log Sources User Guide.

The uDSM opens a port and provides the certificate that is necessary for communicating by using TLS. If you delete the uDSM, TLS communication stops.


  1. Use SSH to log in to QRadar as the root user.
  2. Copy the certificate, including -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- from /opt/qradar/conf/trusted_certificates/syslog-tls.cert to a temporary location. You will paste this certificate into the WinCollect Configuration Console.
  3. In the WinCollect Configuration Console, expand Destinations, and click Add Destination.
  4. In the New Destination Name box, add a name for the destination and then click OK.
  5. Select the new destination and enter the IP address of the target QRadar appliance in the Hostname field.
  6. Type 6514 in the Port field.
  7. Type the events per second (EPS) rate for your deployment in the Throttle field.
  8. Paste the certificate that you copied from QRadar into the Certificate field.
  9. Click Deploy Changes under Actions.