IBM QRadar Packet Capture

The IBM® QRadar® DSM for IBM QRadar Packet Capture collects events from an IBM Security Packet Capture device.

The following table describes the specifications for the IBM QRadar Packet Capture DSM:

Table 1. IBM QRadar Packet Capture DSM specifications
Specification	Value
Manufacturer	IBM
DSM name	IBM QRadar Packet Capture
RPM file name	DSM-IBMQRadarPacketCapture-`QRadar_version-build_number`.noarch.rpm
Supported versions	IBM QRadar Packet Capture V7.2.3 to V7.2.7 IBM QRadar Network Packet Capture V7.3.0
Protocol	Syslog
Event format	LEEF
Recorded event types	All events
Automatically discovered?	Yes
Includes identity?	No
Includes custom properties?	No
More information	IBM Docs (https://www.ibm.com/support/knowledgecenter/SS42VS_latest/com.ibm.qradar.doc/c_pcap_introduction.html)

To integrate IBM QRadar Packet Capture with QRadar, complete the following steps:

If automatic updates are not enabled, download and install the most recent version of the following RPMs from the IBM Support Website onto your QRadar Console:
- DSMCommon RPM
- IBM QRadar Packet Capture DSM RPM
Configure your IBM QRadar Packet Capture device to send syslog events to QRadar.
If QRadar does not automatically detect the log source, add an IBM QRadar Packet Capture log source on the QRadar Console. The following table describes the parameters that require specific values to collect events from IBM QRadar Packet Capture:
Table 2. IBM QRadar Packet Capture log source parameters

Parameter Value

Log Source type IBM QRadar Packet Capture

Protocol Configuration Syslog

Table 2. IBM QRadar Packet Capture log source parameters
Parameter	Value
Log Source type	IBM QRadar Packet Capture
Protocol Configuration	Syslog

To verify that QRadar is configured correctly, review the following tables to see examples of parsed event messages.

Important: Due to formatting issues, paste the message format into a text editor and then remove any carriage return or line feed characters.

The following table shows a sample event message from IBM QRadar Packet Capture:

Table 3. IBM QRadar Packet Capture sample message
Event name	Low level category	Sample log message
User Added	User Account Added	`May 10 00:01:04 <Server>LEEF: 2.0\|IBM\|QRadar PacketCapture\|7.2.7.255-1G\|UserAdded\|cat=Admin msg=User<Username> has been added`

The following table shows a sample event message from IBM QRadar Network Packet Capture:

Event name Low level category Sample log message

Packet Capture Statistics

Information

Table 4. IBM QRadar Network Packet Capture sample message
Event name	Low level category	Sample log message
Packet Capture Statistics	Information	`<14>Mar 1 20:39:41 <Server> LEEF:2.0\|IBM\|Packet Capture\|7.3.0\|1\|^\|captured_packets=8844869^captured_packets_udp=4077106^captured_bytes_udp=379169082^total_packets=9090561^captured_bytes=2793801918^captured_bytes_tcp=2379568101^compression_ratio=27.4^captured_packets_tcp=4356387^oldest_packet=2017-03-01T20:39:41.915555490Z^total_bytes=2853950159`

<14>Mar 1 20:39:41 <Server> LEEF:2.0|IBM|Packet Capture|7.3.0|1|^|captured_packets=8844869^captured_packets_udp=4077106^captured_bytes_udp=379169082^total_packets=9090561^captured_bytes=2793801918^captured_bytes_tcp=2379568101^compression_ratio=27.4^captured_packets_tcp=4356387^oldest_packet=2017-03-01T20:39:41.915555490Z^total_bytes=2853950159