After you add Splunk instances to the app, you need to configure the app to forward the raw data from Splunk heavy forwarders to QRadar®.
Procedure
- On the Splunk Instances tab, expand a Splunk instance to see the list of available data source types. To narrow the list of Splunk instances to choose from, search for instances based on location, description, or source types.
  Defining source types is optional for Splunk instances, so data sources that don't belong to a source type are listed under 'Not defined'. Each source type appears as a link in the list and displays the related data sources.
- Investigate the data sources of each Splunk instance to determine which sources you want to forward to QRadar.
  - To forward data sources that are heavy forwarders, select them individually or select Forward to QRadar.
    The following conditions apply for heavy forwarders:
    - You can select individual data source types or click Select All. The Select All option does not select the "Not defined" source type. You must analyze the "Not defined" source types in a separate window and then select which ones to forward to QRadar.
    - Within each source type or source name, you can select individual source names or click Select All.
    - You can click Clear before you click Add. After you add a source type to the forwarding list, you can't clear it from the selection. To clear source types and data sources from the forwarding list, click Forward and then click Remove in the confirmation window.
    - Select All selects all of the source types or data sources that exist at that moment. Source types or data sources that are added later aren't forwarded. If you need new sources to be forwarded automatically, use the Forward All to QRadar option instead.
    Example: A heavy forwarder monitors src_typ_a, src_typ_b, and src_typ_c. If you choose the Select All option, Splunk forwards src_typ_a, src_typ_b, and src_typ_c to QRadar. But if you add src_typ_d later, Splunk doesn't automatically forward it to QRadar; you must add it by using the app. If you choose the Forward All to QRadar option, Splunk forwards src_typ_a, src_typ_b, and src_typ_c to QRadar, and if you add src_typ_d later, Splunk automatically forwards it to QRadar.
- Select the data sources that you want to forward, and then click .
  To clear your selections from the forwarding queue and start again, click the X icon.
  Certain conditions are outlined on the Select Forwarders page. You must click to agree with these conditions before you can continue, or you must remove the heavy forwarders from the forwarding list. After you agree or remove, click Step 2: Set Port for QRadar.
- On the Set Port for QRadar page, set the IP address and TCP port number of the QRadar console for each Splunk instance, and click Set. Any Windows-based sources are displayed, with configuration options to choose from.
  Tips:
  - In general, use port 514 to forward data to QRadar. To forward TCP multiline events, use port 12468.
  - Click Preview to see the content of the data source before you decide to forward it. This view is useful for non-administrative users, who can copy the information and send it to an administrator to change the Splunk instance. After you copy the data to a clipboard, modify the appropriate files (props.conf, transforms.conf, outputs.conf).
  - If QRadar App for Splunk Data Forwarding detects a source as Windows-based, but it isn't, you can still forward the logs to port 514.
  - For each Splunk source that QRadar App for Splunk Data Forwarding detects as a Windows source, select one of the following configuration options.
    - If you want to create a log source on the QRadar console, select Automatically create Windows log source on QRadar.
    - If you want to create and configure a log source as a gateway log source, select Configure log source as a gateway (to identify logs coming in from various sources).
    - If you want to manually create a log source on QRadar, see Adding a log source.
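The Preview tip above refers to editing props.conf, transforms.conf, and outputs.conf by hand. As an added example (not the app's generated output and not IBM's or Splunk's own documentation), the following shows what a manual routing configuration on a Splunk heavy forwarder typically looks like when it sends the raw events of one source type to a QRadar console over TCP port 514. The console address 192.0.2.10, the source type src_typ_a taken from the example earlier on this page, and the stanza names qradar_console and route_to_qradar are assumptions; only the configuration keys are standard Splunk settings.

```ini
# outputs.conf (added example): define the syslog target that receives the events.
# 192.0.2.10 is a constructed placeholder for the QRadar console IP address.
# No defaultGroup is set, so only events explicitly routed by a transform are sent.
[syslog:qradar_console]
server = 192.0.2.10:514
type = tcp

# props.conf (added example): attach a routing transform to the source type
# you chose to forward. Only this source type is affected.
[src_typ_a]
TRANSFORMS-qradar_routing = route_to_qradar

# transforms.conf (added example): match every event of the source type and
# route it to the syslog target defined in outputs.conf.
[route_to_qradar]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = qradar_console
```

Each additional source type to be forwarded needs its own props.conf stanza that points at the same transform. The heavy forwarder must be restarted for these files to take effect, which matches the restart the app performs when you click Finish. To confirm delivery, filter the QRadar Log Activity tab on the heavy forwarder's Source IP, as described under Results.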
- After you finish setting up the ports, click . Before Splunk can start forwarding the data to QRadar, the app must restart the Splunk instance. Click Finish, and then click Close after the Splunk instance restarts.
- If you need to change the username or password for a Splunk instance, click Edit. You cannot change the IP address or port number.
- To stop Splunk from forwarding data to QRadar, go to the Forwarded Data Sources tab, select the relevant Splunk instances, and click Stop Forwarding.
Results
The data from the selected sources starts to appear in the Log Activity tab as events in QRadar. You can identify them by their Source IP.
Each instance in the Splunk Instances tab includes information about which user created the instance, which users started or stopped data forwarding, and when the content for the instance was last refreshed.