Configuring QRadar to forward data to other systems

Configure IBM® QRadar® to forward data to one or more vendor systems, such as ticketing or alerting systems.

You can also forward normalized data to other QRadar deployments. The target system that receives the data from QRadar is known as a forwarding destination. QRadar ensures that all forwarded data is unaltered.

Attention: Forwarded normalized data must match or exist in both QRadar deployments. Otherwise, the event might have an incorrect associated QID or remain unparsed. This data includes QIDs, custom log source types, custom properties, event ID, and event category expressions. To prevent synchronization issues, forward the events by using raw format.

To avoid compatibility problems when sending event and flow data, ensure that the deployment that receives the data is the same version or higher than the deployment that sends the data. Use the following workflow to forward data:

  1. Configure one or more forwarding destinations.
  2. To determine what data you want to forward, configure routing rules, custom rules, or both.
  3. Configure the routing options to apply to the data.

For example, you can configure all data from a specific event collector to forward to a specific ticketing system. You can also bypass correlation by removing the data that matches a routing rule.