Adding the Disconnected Log Collector log source to QRadar
IBM® Disconnected Log Collector can communicate with IBM QRadar® and forward events to it only by using a Disconnected Log Collector log source. QRadar 7.4.0 and later includes the Disconnected Log Collector protocol.
- If you are using QRadar version 7.3.3 or earlier,
and if your QRadar Console
isn’t configured to receive automatic updates, download the Disconnected Log
Collector protocol from IBM Fix Central
- Log in to the QRadar Console as the root user.
- Copy the protocol RPM file to the /tmp directory or your preferred location.
- Go to the directory, and type the following command:
yum -y install <rpm_filename>
- Log in to QRadar as an administrator.
- Go to the Admin tab.
. QRadar continues to collect events when you deploy the full configuration.
- In the Data Sources section, click Log Sources.
- Click Add, and then configure the following protocol-specific parameters for Disconnected Log Collector:
|Log Source Name||Enter a name for the Disconnected Log Collector log source (for example, DLC TLS Protocol).|
|Log Source Type||Select Universal DSM.|
|Protocol Configuration||Select IBM QRadar DLC Protocol.|
|Log Source Identifier||Enter a unique identifier string (for example, the IP address of a computer where Disconnected Log Collector is installed).|
|Protocol||Select the communication protocol that is used to get events from Disconnected Log Collector. Choose TLS (default) or UDP. The setting must match the Disconnected Log Collector protocol setting.|
|Listen Port||Enter the QRadar server port to receive Disconnected Log Collector events. The default port is 32500.|
|Authentication by Common Name||The Disconnected Log Collector authentication method. If selected, authentication is by the Common Name (UUID) of the client certificate, which is passed by Disconnected Log Collector. If not selected, authentication is by the alias name of the certificate issuer, which is passed by Disconnected Log Collector.|
If authentication is by Common Name, enter the UUID of the Disconnected Log Collector instance as the Common Name. If there’s more than one instance, enter a comma-separated list of the UUIDs.
If authentication is by the alias name, enter the alias name of the root CA that is in the truststore for the Disconnected Log Collector certificate.
Tip: To see a list of aliases that are in the truststore, run the following command:
|Key Store File Name||The file name of the server personal exchange format (PFX) certificate, which is located in the /opt/qradar/conf/key_stores directory on the Event Collector, Event Processor, or QRadar Console. This file receives events from the Disconnected Log Collector instance.|
|Key Store Password||The password for the server PFX certificate.|
|Check Revocation||Select the checkbox to check whether the certificate is revoked.|
|Trust Store File Path||
By default, the file path of the QRadar server truststore ( /etc/pki/ca-trust/extracted/java/cacerts).
If the signer of the Disconnected Log Collector client uses an intermediate CA, it is recommended to use your own truststore instead of the QRadar server truststore. If Authentication by Common Name is not selected, the alias for the client certificate's intermediate CA must be included in the CN/Alias Allowlist. Use the following commands to add the client certificate's CA and the intermediate CA into your own keystore file:
Note: The client_root_ca.crt file must be in X.509 format.
To create your own truststore, move the clientca keystore file to the /opt/qradar/conf/key_stores directory. Then, in Trust Store File Path, enter /opt/qradar/conf/key_stores/clientca.
|Trust Store Password||The password for the server trust store (by default, changeit).|
|Target Event Collector||The Event Collector, Event Processor, or QRadar Console that receives events from the Disconnected Log Collector instance.|
- Click Save.
- In the Admin settings, click Deploy Changes.