To collect IBM® QRadar® Network Packet Capture events, you must configure the remote syslog settings on your IBM QRadar Network Packet Capture appliance so that it forwards its events to a QRadar Event Collector.
Procedure
- Log in to your IBM QRadar Network Packet Capture appliance as administrator.
- Click Admin.
- In the REMOTE SYSLOG SETUP pane, enable system logging.
- Enable the UDP or TCP protocol, matching the protocol that your QRadar Event Collector listens on. UDP syslog provides no delivery guarantee and no sender authentication, so prefer TCP where the network path allows it.
- In the Remote Syslog Server Port field, type the port number that you want to use to send remote syslog events. The default port number for remote syslog is 514. If you use a different port, make sure that any firewall between the appliance and the Event Collector allows it.
- In the Remote Syslog Server field, type the IP address of the QRadar Event Collector to which you want to send events.
- Click Apply.
Note: QRadar parses only LEEF events for IBM QRadar Network Packet Capture. On the Log Activity tab in QRadar, all other events are displayed with the Event Name IBM QRadar Packet Capture Message and the Low Level Category Stored.
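Because only LEEF events are parsed, it is worth confirming what the appliance actually sends before relying on the parsed fields. The following script is an added example, not IBM code and not part of the QRadar Network Packet Capture product. It binds the remote syslog port on the Event Collector address for a short window, receives the forwarded datagrams, and reports how many lines carry a LEEF header (parsed by QRadar) and how many would be stored unparsed. The LEEF header layout it checks (LEEF:Version|Vendor|Product|Version|EventID|, with an optional sixth delimiter field in LEEF 2.0), the listening address 0.0.0.0, the 10-second capture window, and the sample log lines are all assumptions made for this example; the sample lines are constructed and do not reproduce real appliance output.

```python
"""Check which forwarded syslog lines QRadar will parse (LEEF) and which it
will only store. Added example, not IBM code. Header layout, addresses,
capture window and sample lines are assumptions of this example."""
import re
import socket
import sys
import time

# LEEF 1.0 and 2.0 share the five-field header; QRadar keys on this header,
# while the syslog PRI and timestamp in front of it are optional.
LEEF_HEADER = re.compile(
    r"LEEF:(?P<version>[12]\.0)\|(?P<vendor>[^|]*)\|(?P<product>[^|]*)\|"
    r"(?P<pversion>[^|]*)\|(?P<event_id>[^|]*)\|(?P<rest>.*)$"
)

# Constructed sample lines (not real appliance output) for offline use.
SAMPLE_LINES = [
    # LEEF 2.0 with the attribute delimiter given as hex x09 (tab)
    "<13>Jan 15 10:22:31 npc01 LEEF:2.0|IBM|QRadar Network Packet Capture|7.3|"
    "ExampleEvent|x09|devTime=Jan 15 2024 10:22:31\tsrc=10.0.0.5\tusrName=admin",
    # LEEF 1.0, tab-delimited attributes, no delimiter field
    "<13>Jan 15 10:22:32 npc01 LEEF:1.0|IBM|QRadar Network Packet Capture|7.3|"
    "ExampleEvent|src=10.0.0.6\tsev=5",
    # Plain syslog; QRadar stores this under the generic event name
    "<13>Jan 15 10:22:33 npc01 sshd[2201]: Accepted publickey for admin from 10.0.0.5 port 50122 ssh2",
]


def parse_leef(line):
    """Return header fields plus an attributes dict, or None if not LEEF."""
    m = LEEF_HEADER.search(line)
    if not m:
        return None
    event = {k: m.group(k) for k in ("version", "vendor", "product", "pversion", "event_id")}
    rest = m.group("rest")
    delim = "\t"
    # LEEF 2.0 may carry a sixth header field naming the attribute delimiter,
    # either literally (e.g. "^") or hex-encoded (e.g. "x09"). A short field
    # with no "=" is treated as that delimiter rather than as an attribute.
    if event["version"] == "2.0" and "|" in rest:
        spec, remainder = rest.split("|", 1)
        if len(spec) <= 3 and "=" not in spec:
            rest = remainder
            if re.fullmatch(r"x[0-9A-Fa-f]{2}", spec):
                delim = chr(int(spec[1:], 16))
            elif spec:
                delim = spec
    attrs = {}
    for pair in rest.split(delim):
        if "=" in pair:
            key, value = pair.split("=", 1)
            attrs[key] = value
    event["attributes"] = attrs
    return event


def classify(lines):
    """Split lines into those QRadar parses (LEEF) and those it only stores."""
    parsed, stored = [], []
    for line in lines:
        (parsed if parse_leef(line) else stored).append(line)
    return parsed, stored


def capture_udp(host="0.0.0.0", port=514, seconds=10):
    """Receive raw UDP syslog for `seconds` and return the decoded lines.
    Binding port 514 needs root or CAP_NET_BIND_SERVICE, and the port must be
    free, so run this before QRadar's own listener owns it or point the
    appliance at a spare port for the test."""
    lines, deadline = [], time.monotonic() + seconds
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((host, port))
        while True:
            remaining = deadline - time.monotonic()
            if remaining <= 0:
                break
            sock.settimeout(remaining)
            try:
                data, _ = sock.recvfrom(65535)
            except socket.timeout:
                break
            lines.append(data.decode("utf-8", errors="replace").rstrip("\r\n"))
    return lines


if __name__ == "__main__":
    # Usage: python3 leef_check.py            (offline, constructed samples)
    #        python3 leef_check.py --live 514 (listen for the appliance)
    if len(sys.argv) > 1 and sys.argv[1] == "--live":
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 514
        lines = capture_udp(port=port)
    else:
        lines = SAMPLE_LINES
    parsed, stored = classify(lines)
    print(f"{len(parsed)} LEEF event(s) will be parsed, {len(stored)} will be stored unparsed")
    for line in stored:
        print("  stored:", line)
```

Run it in live mode on the Event Collector while the appliance is sending, or point the appliance at a spare port so that QRadar's own listener is not disturbed. Any line reported as stored will appear in Log Activity as IBM QRadar Packet Capture Message with the category Stored, and its fields will not be searchable until the appliance emits it in LEEF.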