Before you can add a log source that uses the Amazon Web Services protocol in IBM® QRadar®, you must create a data stream and then create a real-time log configuration on the AWS Management Console.
Procedure
- On the AWS Management Console, create a data stream. For more information, see Creating a stream via the AWS Management Console (https://docs.aws.amazon.com/streams/latest/dev/how-do-i-create-a-stream.html).
- On the AWS Management Console, create real-time logs. For more information, see Real-time logs (https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/real-time-logs.html).
- Create a real-time log configuration on the AWS Management Console (https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/real-time-logs.html#create-real-time-log-config.html).
Important: A real-time log configuration requires all 40 fields to be configured. For more information, see Understanding real-time log configurations (https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/real-time-logs.html#understand-real-time-log-config.html). The position/index number of each of the following fields must match the Amazon AWS Fields documentation (https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/real-time-logs.html#understand-real-time-log-config-fields.html):
- timestamp
- c-ip
- sc-status
- x-edge
- x-edge-result-type
- c-port
- x-edge-detailed-result-type
For example, c-ip is in the 2nd position and x-edge-detailed-result-type is in the 33rd position.
- Add an Amazon CloudFront log source in QRadar. For more information, see Adding an Amazon CloudFront log source by using the Amazon Web Services protocol and Kinesis Data Streams.
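Because QRadar parses each tab-separated real-time log record by field position, a configuration with a missing or reordered field silently shifts every later value. The following added example (not IBM or AWS code) checks the field list of a real-time log configuration, as returned in the Fields array of `aws cloudfront get-realtime-log-config`, against the documented order; the 40-field order is an assumption copied from the linked AWS Fields documentation and should be verified there, and the sample record is constructed.

```python
"""Check a CloudFront real-time log configuration before QRadar consumes it."""

# Documented field order for CloudFront real-time logs (all 40 fields).
# Assumption: copied from the AWS Fields documentation linked above; verify there.
DOCUMENTED_FIELDS = (
    "timestamp", "c-ip", "time-to-first-byte", "sc-status", "sc-bytes",
    "cs-method", "cs-protocol", "cs-host", "cs-uri-stem", "cs-bytes",
    "x-edge-location", "x-edge-request-id", "x-host-header", "time-taken",
    "cs-protocol-version", "c-ip-version", "cs-user-agent", "cs-referer",
    "cs-cookie", "cs-uri-query", "x-edge-response-result-type",
    "x-forwarded-for", "ssl-protocol", "ssl-cipher", "x-edge-result-type",
    "fle-encrypted-fields", "fle-status", "sc-content-type", "sc-content-len",
    "sc-range-start", "sc-range-end", "c-port", "x-edge-detailed-result-type",
    "c-country", "cs-accept-encoding", "cs-accept", "cache-behavior-path-pattern",
    "cs-headers", "cs-header-names", "cs-headers-count",
)

# 1-based positions of the fields this page says QRadar depends on
# (c-ip -> 2, x-edge-detailed-result-type -> 33, as the page states).
REQUIRED_POSITIONS = {
    name: DOCUMENTED_FIELDS.index(name) + 1
    for name in ("timestamp", "c-ip", "sc-status", "x-edge-result-type",
                 "c-port", "x-edge-detailed-result-type")
}


def check_config(fields):
    """Return a list of problems with a configuration's field list.

    An empty list means all 40 fields are present and the fields QRadar
    relies on sit at their documented positions."""
    problems = []
    if len(fields) != 40:
        problems.append(f"expected all 40 fields, got {len(fields)}")
    for name, pos in REQUIRED_POSITIONS.items():
        if name not in fields:
            problems.append(f"{name} is missing")
        elif fields.index(name) + 1 != pos:
            problems.append(f"{name} is at position {fields.index(name) + 1}, expected {pos}")
    return problems


def parse_record(line, fields=DOCUMENTED_FIELDS):
    """Map one tab-separated real-time log record onto the configured field names."""
    values = line.rstrip("\n").split("\t")
    if len(values) != len(fields):
        raise ValueError(f"record has {len(values)} values for {len(fields)} fields")
    return dict(zip(fields, values))


# Constructed sample record: timestamp and client IP set, every other field "-".
SAMPLE_RECORD = "\t".join(["1700000000.123", "203.0.113.7"] + ["-"] * 38)
```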