Event data collection
Events are generated by log sources such as firewalls, routers, servers, and intrusion detection systems (IDS) or intrusion prevention systems (IPS). QRadar receives these events over collection protocols that include:
- Simple Network Management Protocol (SNMP)
- Java™ Database Connectivity (JDBC)
- Security Device Event Exchange (SDEE)
By default, QRadar automatically detects log sources after a specific number of identifiable logs are received within a certain time frame. After the log sources are successfully detected, QRadar adds the appropriate device support module (DSM) to the Log Sources window in the Admin tab.
Although most DSMs include native log sending capability, several DSMs require extra configuration, or an agent, or both to send logs. Configuration varies between DSM types. You must ensure the DSMs are configured to send logs in a format that QRadar supports. For more information, see Adding a log source.
Certain log source types, such as routers and switches, do not send enough logs for QRadar to detect them quickly and add them to the Log Sources window. You can add these log sources manually. For more information, see Adding a DSM.
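The auto-detection behaviour described above (count identifiable logs per sender, register a log source once enough arrive inside a time window, otherwise leave it for manual addition) is easier to reason about as code. The following Python model is an added example written for this page; it is not QRadar's implementation. The threshold of 25 events, the 60-second window, the fingerprint regexes and the sample messages are all assumptions, because the page does not state QRadar's actual values or parsers.

```python
"""Illustrative model of threshold-based log source auto-detection.

Added example, not QRadar code. The threshold, window and fingerprints
below are assumed values; the page does not give QRadar's real ones.
"""
import re
from collections import defaultdict, deque

MIN_IDENTIFIABLE_EVENTS = 25   # assumed threshold (not stated on the page)
DETECTION_WINDOW_SECONDS = 60  # assumed window (not stated on the page)

# Hypothetical fingerprints: one regex per device family, standing in for
# the much richer parsing a real DSM performs. Order matters: the ASA
# pattern is checked before the generic Cisco IOS pattern.
FINGERPRINTS = {
    "cisco_asa": re.compile(r"%ASA-\d-\d{6}:"),
    "cisco_ios": re.compile(r"%(?!ASA-)[A-Z_]+-\d-[A-Z_]+:"),
    "linux_os": re.compile(r"\bsshd\[\d+\]:|\bsudo:"),
}


def identify(raw: str):
    """Return the DSM name whose fingerprint matches the message, or None
    when the message is not in a format the detector can identify."""
    for dsm, pattern in FINGERPRINTS.items():
        if pattern.search(raw):
            return dsm
    return None


class AutoDetector:
    """Sliding-window counter that promotes a sender to a log source once it
    has produced enough identifiable messages within the window."""

    def __init__(self, threshold=MIN_IDENTIFIABLE_EVENTS,
                 window=DETECTION_WINDOW_SECONDS):
        self.threshold = threshold
        self.window = window
        self._seen = defaultdict(deque)   # (sender, dsm) -> recent timestamps
        self.log_sources = {}             # sender -> dsm, once detected
        self.unidentified = defaultdict(int)  # sender -> unparseable count

    def ingest(self, ts: int, sender: str, raw: str):
        """Process one message; return the sender's DSM if it is (now) known."""
        if sender in self.log_sources:
            return self.log_sources[sender]
        dsm = identify(raw)
        if dsm is None:
            # Unsupported format: never counts toward detection.
            self.unidentified[sender] += 1
            return None
        recent = self._seen[(sender, dsm)]
        recent.append(ts)
        while recent and ts - recent[0] > self.window:
            recent.popleft()          # drop events outside the window
        if len(recent) >= self.threshold:
            self.log_sources[sender] = dsm
        return self.log_sources.get(sender)

    def add_manually(self, sender: str, dsm: str):
        """Register a sparse sender (router, switch) without waiting."""
        self.log_sources[sender] = dsm


def run_demo():
    """Feed constructed sample traffic (not real logs) to the detector."""
    det = AutoDetector()
    # 1) Firewall: 30 identifiable messages in 30 seconds -> detected.
    for i in range(30):
        det.ingest(i, "10.0.0.1",
                   f"%ASA-6-302013: Built outbound TCP connection {i}")
    # 2) Switch: 3 identifiable messages an hour apart -> too sparse.
    for i in range(3):
        det.ingest(i * 3600, "10.0.0.2",
                   "%LINEPROTO-5-UPDOWN: Line protocol on Gi0/1 changed")
    # 3) Host in an unsupported format -> counted, never detected.
    for i in range(5):
        det.ingest(i, "10.0.0.3", "DEBUG app: heartbeat ok")
    return det


if __name__ == "__main__":
    d = run_demo()
    print("detected:", dict(d.log_sources))
    print("unidentified:", dict(d.unidentified))
    d.add_manually("10.0.0.2", "cisco_ios")
    print("after manual add:", dict(d.log_sources))
```

Running the demo shows the firewall registered at its 25th message, the switch still absent until `add_manually` is called, and the host with the unsupported format accumulating only an `unidentified` count, which is the situation the text resolves by configuring the DSM to send a supported format.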
Collected data is categorized into three major sections: events, flows, and vulnerability assessment (VA) information.