Sending TLS syslog data to the QRadar Console

You can send syslog log source information directly to the QRadar® on Cloud console or event processor by using the TLS syslog log source protocol. You do not need to use a data gateway.

Procedure

  1. Open a Customer Support ticket and request a TLS syslog certificate.

    Certificates that are provided by QRadar on Cloud are signed by a Certificate Authority (CA) and must be renewed every 90 days.

    When you receive confirmation in the support ticket, you can configure the log source.
  2. On the Admin tab, go to the Apps section and click the QRadar Log Source Management icon.
  3. Click + New Log Source, then click Single Log Source.
  4. On the Select a Log Source Type page, select a log source type, and click Select Protocol Type.
  5. On the Select a Protocol Type page, select a protocol, and click Configure Log Source Parameters.
  6. Configure the common parameters for your log source.
    You can set the Target Event Collector to Console or Event Processor.
  7. Configure the protocol-specific parameters for your log source.
    1. Update the Log Source Identifier field.
    2. In the TLS Listen Port field, enter 6514.
      Port 6514 is the only port available for TLS syslog.
    3. In the Server Certificate Type field, select PKCS12 Certificate Chain and Password.
      The certificate is signed by Let's Encrypt and is renewed every 90 days.
    4. Enter the PKCS12 Server Certificate Path and PKCS12 Password values that are provided in the IBM® Support ticket.
  8. Click Save.
  9. On the Admin tab, click Deploy Changes.
  10. Configure the network device to send traffic to the QRadar on Cloud instance's fully qualified domain name (FQDN) that is prefixed with logs-.

    For example, suppose you are configuring a firewall to send TLS syslog information to QRadar on Cloud. If your console address is console-######.qradar.ibmcloud.com, enter logs-console-######.qradar.ibmcloud.com as the destination in the firewall's syslog configuration.

  11. On the device that is sending syslog events to QRadar on Cloud, ensure that the CA (Let's Encrypt) is added to the truststore.
    You might need to add the CA root certificate when you configure some third-party log sources. Download the certificate from the CA site at https://letsencrypt.org/certificates/.
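The following script is an added example, not part of the IBM documentation or of any QRadar component. It shows what the procedure above looks like from the sending side: derive the logs- destination from the console FQDN, build an RFC 5424 syslog message, wrap it in RFC 5425 octet-counted framing, and deliver it over a TLS connection to port 6514 that verifies the server certificate against the Let's Encrypt root (ISRG Root X1). The console name is a placeholder, the cafile path is an assumption (pass None to use the operating-system trust store if it already contains ISRG Root X1), and the octet-counting frame format is assumed to be accepted by the listener; a sender that uses newline-delimited framing only needs to swap frame_rfc5425 for message + "\n".

```python
"""Added example (not IBM's code): send a hostname-verified TLS syslog message
to the QRadar on Cloud listener described in the procedure above."""
import socket
import ssl
from datetime import datetime, timezone
from typing import Optional

TLS_SYSLOG_PORT = 6514  # the only port available for TLS syslog on QRadar on Cloud


def logs_hostname(console_fqdn: str) -> str:
    """Derive the destination from the console FQDN by adding the 'logs-' prefix."""
    if console_fqdn.startswith("logs-"):
        return console_fqdn
    return "logs-" + console_fqdn


def syslog_message(hostname: str, app: str, msg: str, facility: int = 1,
                   severity: int = 6, timestamp: Optional[str] = None) -> str:
    """Build an RFC 5424 syslog line. PRI = facility * 8 + severity;
    the default (user-level, informational) is <14>."""
    if timestamp is None:
        timestamp = (datetime.now(timezone.utc)
                     .isoformat(timespec="seconds").replace("+00:00", "Z"))
    pri = facility * 8 + severity
    # version 1, no MSGID, no PROCID, no structured data
    return f"<{pri}>1 {timestamp} {hostname} {app} - - - {msg}"


def frame_rfc5425(message: str) -> bytes:
    """RFC 5425 octet-counting: '<len> <msg>' where len counts the UTF-8 bytes
    of msg, so the receiver can split messages without relying on newlines."""
    body = message.encode("utf-8")
    return f"{len(body)} ".encode("ascii") + body


def tls_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Client context that requires a valid chain and a matching hostname.
    cafile is the Let's Encrypt root downloaded from letsencrypt.org/certificates/
    (assumed path); None means the OS trust store, which must contain ISRG Root X1."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def send_tls_syslog(console_fqdn: str, message: str, cafile: Optional[str] = None,
                    port: int = TLS_SYSLOG_PORT, timeout: float = 10.0) -> dict:
    """Connect to logs-<console>:6514, verify the certificate, send one framed
    message and report what was negotiated. Raises ssl.SSLCertVerificationError
    if the CA is not trusted or the name does not match (step 11 above)."""
    host = logs_hostname(console_fqdn)
    frame = frame_rfc5425(message)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with tls_context(cafile).wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(frame)
            cert = tls.getpeercert()
            return {
                "host": host,
                "tls_version": tls.version(),
                "issuer": cert.get("issuer"),
                "bytes_sent": len(frame),
            }


if __name__ == "__main__":
    # Placeholder console name; replace with your own instance's FQDN.
    CONSOLE = "console-XXXXXX.qradar.ibmcloud.com"
    # Assumed location of the downloaded Let's Encrypt root; None uses the OS store.
    CA_FILE = "/etc/ssl/certs/isrgrootx1.pem"
    line = syslog_message("fw01", "tls-syslog-check", "connectivity test")
    print(send_tls_syslog(CONSOLE, line, cafile=CA_FILE))
```

Running this from the device (or a host on the same network path) is a quick way to confirm that the truststore in step 11 is correct before pointing production log traffic at the listener: a verification failure surfaces as an SSLCertVerificationError instead of silently dropped events.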