Adding the Disconnected Log Collector log source to QRadar

IBM® Disconnected Log Collector can communicate with IBM QRadar® and forward events to it only by using a Disconnected Log Collector log source. QRadar 7.4.0 and later includes the Disconnected Log Collector protocol.

Procedure

  1. If you are using QRadar version 7.3.3 or earlier, and if your QRadar Console isn’t configured to receive automatic updates, download the Disconnected Log Collector protocol from IBM Fix Central (ibm.com/support/fixcentral/).
    1. Log in to the QRadar Console as the root user.
    2. Copy the protocol RPM file to the /tmp directory or your preferred location.
    3. Go to the directory, and type the following command:
      yum -y install <rpm_filename>
    4. Log in to QRadar as an administrator.
    5. Go to the Admin tab.
    6. Click Advanced > Deploy Full Configuration.
      QRadar continues to collect events when you deploy the full configuration.
  2. In the Data Sources section, click Log Sources.
  3. Click Add, and then configure the following protocol-specific parameters for Disconnected Log Collector:

Parameter: Description

Log Source Name: Enter a name for the Disconnected Log Collector log source (for example, DLC TLS Protocol).

Log Source Type: Select Universal DSM.

Protocol Configuration: Select IBM QRadar DLC Protocol.

Log Source Identifier: Enter a unique identifier string (for example, the IP address of the computer where Disconnected Log Collector is installed).

Protocol: Select the communication protocol that is used to receive events from Disconnected Log Collector: TLS (default) or UDP. The setting must match the protocol setting on the Disconnected Log Collector side. UDP is neither encrypted nor authenticated; the certificate-related parameters that follow apply to TLS.

Listen Port: Enter the port on which the QRadar host listens for Disconnected Log Collector events. The default port is 32500.

Authentication by Common Name: The Disconnected Log Collector authentication method. If selected, the client is authenticated by the Common Name (the UUID of the Disconnected Log Collector instance) in the client certificate that Disconnected Log Collector presents. If not selected, the client is authenticated by the truststore alias of the CA that issued the client certificate.

CN/Alias Allowlist: If authentication is by Common Name, enter the UUID of the Disconnected Log Collector instance. If there is more than one instance, enter a comma-separated list of the UUIDs. If authentication is by alias name, enter the alias, as it appears in the truststore, of the root CA that signed the Disconnected Log Collector certificate.
Tip: To see a list of the aliases that are in the truststore, run the following command:
keytool -list -v -keystore /etc/pki/ca-trust/extracted/java/cacerts | grep Alias

Key Store File Name: The file name of the server Personal Information Exchange (PFX, also called PKCS #12) keystore, which is located in the /opt/qradar/conf/key_stores directory on the Event Collector, Event Processor, or QRadar Console. The private key and certificate in this file identify the QRadar host that receives events from the Disconnected Log Collector instance during the TLS handshake.

Key Store Password: The password for the server PFX keystore.

Check Revocation: Select the checkbox to check whether the Disconnected Log Collector client certificate is revoked.

Trust Store File Path: By default, the file path of the QRadar server truststore (/etc/pki/ca-trust/extracted/java/cacerts).
If the CA that signed the Disconnected Log Collector client certificate is an intermediate CA, use your own truststore instead of the QRadar server truststore. If Authentication by Common Name is not selected, the alias of the intermediate CA must also be included in the CN/Alias Allowlist. Use the following commands to import the root CA and the intermediate CA into your own keystore file:
keytool -import -alias client_root_ca -file client_root_ca.crt -keystore clientca
keytool -import -alias client_int_ca -file client_int_ca.crt -keystore clientca
Note: The client_root_ca.crt and client_int_ca.crt files must be X.509 certificates (PEM or DER encoded).
To use your own truststore, move the clientca keystore file to the /opt/qradar/conf/key_stores directory, and then enter /opt/qradar/conf/key_stores/clientca in Trust Store File Path.

Trust Store Password: The password for the truststore (by default, changeit for the QRadar server truststore).

Target Event Collector: The Event Collector, Event Processor, or QRadar Console that receives events from the Disconnected Log Collector instance. The keystore and truststore files that are named above must exist on this host.

  4. Click Save.
  5. In the Admin settings, click Deploy Changes.
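The following shell script is an added example and is not part of IBM's documentation or of the QRadar product. It wraps the openssl and keytool steps that the procedure above relies on (building the custom truststore, listing its aliases, packaging the server PFX keystore) and adds a pre-deployment check of a Disconnected Log Collector client certificate: it verifies the chain through the intermediate CA, extracts the Common Name, and tests it against the value you intend to enter in CN/Alias Allowlist. It assumes openssl and keytool are on the PATH; all file names, the clientca aliases, and the changeit password are placeholders, and the allowlist comparison (exact, case-sensitive, whitespace around commas ignored) is an approximation written for this example, not QRadar's own matching code.

```shell
#!/bin/sh
# Added example, not IBM's code. Helpers for the TLS material a Disconnected
# Log Collector (DLC) log source needs, plus a check of a DLC client cert
# against the CN/Alias Allowlist before you deploy. Assumes openssl and
# keytool on PATH; file names, aliases and "changeit" are placeholders.
# Usage: sh dlc_tls_check.sh root_ca.crt int_ca.crt dlc_client.crt "<allowlist>"

KEY_STORES=/opt/qradar/conf/key_stores   # where QRadar expects keystores

# allowlist_has LIST VALUE: exit 0 if VALUE is one of the comma-separated
# entries in LIST (whitespace around entries ignored), 1 otherwise. Shell
# approximation of the allowlist match (assumption): exact and case-sensitive.
allowlist_has() {
    list=$1 want=$2 found=1
    old_ifs=$IFS
    IFS=','
    for entry in $list; do
        entry=$(printf '%s' "$entry" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        [ "$entry" = "$want" ] && found=0
    done
    IFS=$old_ifs
    return $found
}

# is_uuid VALUE: DLC identifies itself by a UUID in the certificate CN.
is_uuid() {
    printf '%s\n' "$1" | grep -Eiq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# cert_cn CERT: print the CN of an X.509 certificate. RFC 2253 output puts
# "subject=CN=...,O=..." on one line, so the subject can be split on commas.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed 's/^subject=//' | tr ',' '\n' | sed -n 's/^CN=//p'
}

# verify_chain ROOT INTERMEDIATE CLIENT: chain check equivalent to what the
# listener does against the truststore; the intermediate alone is untrusted.
verify_chain() {
    openssl verify -CAfile "$1" -untrusted "$2" "$3"
}

# build_truststore STORE PASS ROOT INTERMEDIATE: non-interactive form of the
# two keytool -import commands in the procedure; -noprompt answers the
# "Trust this certificate?" question for the self-signed root.
build_truststore() {
    keytool -importcert -noprompt -alias client_root_ca -file "$3" \
        -keystore "$1" -storepass "$2"
    keytool -importcert -noprompt -alias client_int_ca -file "$4" \
        -keystore "$1" -storepass "$2"
}

# list_aliases STORE PASS: the names you enter in CN/Alias Allowlist when
# Authentication by Common Name is not selected.
list_aliases() {
    keytool -list -v -keystore "$1" -storepass "$2" | grep Alias
}

# make_server_pfx KEY CERT CHAIN OUT PASS: package the QRadar host's private
# key and certificate as the PFX named in Key Store File Name.
make_server_pfx() {
    openssl pkcs12 -export -inkey "$1" -in "$2" -certfile "$3" \
        -out "$4" -passout "pass:$5"
}

# check_client CERT ALLOWLIST: the decision the listener makes in Common Name
# mode, reproduced so a typo in the UUID is caught before Deploy Changes.
check_client() {
    cn=$(cert_cn "$1")
    [ -n "$cn" ] || { echo "no CN in $1" >&2; return 1; }
    is_uuid "$cn" || { echo "CN '$cn' is not a UUID; is this a DLC cert?" >&2; return 1; }
    allowlist_has "$2" "$cn" || { echo "CN '$cn' is not in the allowlist" >&2; return 1; }
    echo "CN $cn is in the allowlist"
}

if [ "$#" -eq 4 ]; then
    root=$1 inter=$2 client=$3 allowlist=$4
    verify_chain "$root" "$inter" "$client"
    check_client "$client" "$allowlist"
    build_truststore ./clientca changeit "$root" "$inter"
    list_aliases ./clientca changeit
    echo "Next: mv ./clientca $KEY_STORES/ and set Trust Store File Path to $KEY_STORES/clientca"
fi
```

In Common Name mode the allowlist entry is the UUID that check_client prints; in alias mode it is the alias names that list_aliases prints (both client_root_ca and client_int_ca when an intermediate CA is used). Keep the private key out of the truststore: only the CA certificates go into clientca, and only the server key and certificate go into the PFX.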