Forwarding data from Splunk universal forwarders to QRadar
After you add Splunk instances to the app, you need to configure the app to forward the raw data from Splunk universal forwarders to QRadar®.
Before you begin
On the Splunk Instances tab, expand a Splunk instance to see the list of available data source types. To narrow the list of Splunk instances to choose from, search for instances by location, description, or source type.
Defining source types is optional for Splunk instances, so data sources that don't belong to a source type are listed under 'Not defined'. Each source type appears as a link in the list; click it to display the related data sources.
- Investigate the data sources of each Splunk instance to determine which sources you want to forward to QRadar.
- To forward all data sources that are universal forwarders, select Forward All to QRadar. Otherwise, select only the data sources that you want to forward and add them to the forwarding queue. To clear your selections from the forwarding queue and start again, click the X icon.
- On the Set Port for QRadar page, set the IP address and TCP port number of the QRadar console for each Splunk instance, and click Set. Any Windows-based sources are displayed, with configuration options to choose from.
Tips:
- In general, use port 514 to forward data to QRadar. To forward TCP multiline events, use port 12468.
- Click Preview to see the content of the data source before you decide to forward it. This view is useful for non-administrative users, who can copy the information and send it to an administrator to change the Splunk instance. After you copy the data to a clipboard, modify the appropriate files.
- If QRadar App for Splunk Data Forwarding detects a source to be Windows-based, but it's not, you can still forward the logs to port 514.
- For each Splunk source that QRadar App for Splunk Data Forwarding detects as a Windows source, select one of the following configuration options:
  - To have the app create a log source on the QRadar console for you, select Automatically create Windows log source on QRadar.
  - To create and configure the log source as a gateway log source, which identifies logs that arrive from various sources behind one forwarder, select Configure log source as a gateway.
  - To create the log source on QRadar manually, see Adding a log source.
- After you finish setting up the ports, the app must restart the Splunk instance before Splunk can start forwarding the data to QRadar. Click Finish, and then click Close after the Splunk instance restarts.
- Optional: If you need to change the username or password for a Splunk instance, click Edit. You cannot change the IP address or port number.
- Optional: To stop Splunk from forwarding data to QRadar, go to the Forwarded Data Sources tab, select the relevant Splunk instances, and click Stop Forwarding.
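The app makes the forwarder change for you, but the Preview tip above covers the case where a non-administrative user hands the details to an administrator who edits the Splunk instance by hand. The following is an added illustration of what that manual change looks like on a Splunk universal forwarder; it is not from the IBM documentation or from the app's own code. The QRadar console address 192.0.2.20, the indexer address 192.0.2.10, the output group names `splunk_indexers` and `qradar`, and the monitored path `/var/log/secure` are placeholders.

```ini
# Added example: manual equivalent of the app's forwarder change on a
# Splunk universal forwarder. Addresses, group names and the monitored
# path below are placeholders, not values from the documentation.

# --- $SPLUNK_HOME/etc/system/local/outputs.conf ---
[tcpout]
# Inputs with no explicit routing go to the groups listed here.
# Listing both groups ("splunk_indexers, qradar") clones every input to
# both destinations, which is the manual equivalent of Forward All to QRadar.
defaultGroup = splunk_indexers

[tcpout:splunk_indexers]
server = 192.0.2.10:9997

# Raw, unparsed TCP output to the QRadar console. sendCookedData = false is
# what makes QRadar receive plain syslog lines instead of Splunk's cooked
# (proprietary) stream. Port 514 is for single-line syslog; for TCP
# multiline events, point a separate group at port 12468 instead.
[tcpout:qradar]
server = 192.0.2.20:514
sendCookedData = false

# --- $SPLUNK_HOME/etc/system/local/inputs.conf ---
# Selective forwarding: the universal forwarder does not parse events, so
# routing is decided per input, not per event. This input goes to the
# indexers and to QRadar; list only "qradar" to send it to QRadar alone.
[monitor:///var/log/secure]
sourcetype = linux_secure
_TCP_ROUTING = splunk_indexers, qradar
```

The forwarder picks up these files only after a restart (`splunk restart` on the forwarder host), which is why the app restarts the Splunk instance at the end of the procedure. Two practical checks: the raw stream carries none of Splunk's metadata (host, source, sourcetype), so QRadar can only attribute the events to the forwarder's source IP, as the Log Activity tab shows; and TCP syslog on port 514 is cleartext, so the forwarder-to-console path should be a trusted network segment.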
The data from the selected sources starts to appear in the Log Activity tab as events in QRadar. You can identify them by their Source IP.
Each instance in the Splunk Instances tab includes information about which user created the instance, which users started or stopped data forwarding, and when the content for the instance was last refreshed.