Configuring UDP communication with QRadar

User Datagram Protocol (UDP) is a connectionless protocol that is suitable for one-way communication, such as in unidirectional networks (also known as data diodes). UDP is susceptible to spoofing and should be used only in isolated, secure networks. UDP is the default protocol that IBM® Disconnected Log Collector uses to send event logs to an IBM QRadar® deployment.

About this task

Event log data is buffered only during moments when the incoming events-per-second rate exceeds the computer's ability to relay the information in real time. Event log data is not buffered if the connection is lost between Disconnected Log Collector and QRadar.

Procedure

  1. Log in to the Disconnected Log Collector computer or VM as the root user.
  2. Open the /opt/ibm/si/services/dlc/conf/config.json file in a text editor.
  3. In the destination.type parameter, enter UDP (the default):
    "destination.type": "UDP"
  4. In the destination.ip parameter, enter the IP address or the fully qualified domain name (FQDN) for the Event Collector, Event Processor, or QRadar Console that receives events from the Disconnected Log Collector instance. For example:
    "destination.ip": "192.0.2.0"
  5. Save and close the config.json file.
  6. Restart Disconnected Log Collector by typing the following command:
    systemctl restart dlc
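The following script applies steps 2 to 5 of the procedure in one pass. It is an added example, not IBM's tooling, and it assumes only what the procedure states: a flat JSON object in config.json with the keys "destination.type" and "destination.ip". The helper names, the destination validation rules and the sample values are this example's own assumptions. Because the file is parsed with json.load, a hand-edited file that uses single quotes or a trailing comma is rejected before anything is written, and the write is atomic so an interrupted edit cannot leave a truncated config.json for the collector to read after the restart.

```python
"""Set the Disconnected Log Collector UDP destination in config.json.

Added example, not IBM's own tool. Assumes config.json is a flat JSON
object holding "destination.type" and "destination.ip" (from the procedure).
Helper names and validation rules are this example's assumptions.
"""
import ipaddress
import json
import os
import re
import tempfile

CONFIG_PATH = "/opt/ibm/si/services/dlc/conf/config.json"  # path from the procedure

# One hostname label (RFC 1123): letters, digits, hyphens; no leading/trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_valid_destination(value: str) -> bool:
    """Accept an IPv4/IPv6 literal or an FQDN; reject anything else."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        pass
    host = value.rstrip(".")
    if not host or len(host) > 253:
        return False
    labels = host.split(".")
    if labels[-1].isdigit():  # "256.1.1.1" is neither an address nor a hostname
        return False
    return all(_LABEL.match(label) for label in labels)


def set_udp_destination(config: dict, destination: str) -> dict:
    """Return a copy of config with UDP transport and the given destination."""
    if not is_valid_destination(destination):
        raise ValueError(f"not an IP address or FQDN: {destination!r}")
    updated = dict(config)
    updated["destination.type"] = "UDP"
    updated["destination.ip"] = destination
    return updated


def load_config(path: str) -> dict:
    """Parse config.json; single quotes or stray commas fail here, not at restart."""
    with open(path, encoding="utf-8") as fh:
        data = json.load(fh)
    if not isinstance(data, dict):
        raise ValueError("config.json must be a JSON object")
    return data


def save_config(path: str, config: dict) -> None:
    """Write to a temp file in the same directory, then rename over the original."""
    directory = os.path.dirname(path) or "."
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".config.json.")
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            json.dump(config, fh, indent=2)
            fh.write("\n")
        os.chmod(tmp, 0o600)  # config is root-owned; keep it unreadable to others
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise


def configure_udp(path: str, destination: str) -> dict:
    """Steps 2 to 5 of the procedure; returns the config as re-read from disk."""
    updated = set_udp_destination(load_config(path), destination)
    save_config(path, updated)
    return load_config(path)  # re-read so a write problem surfaces immediately


def example_roundtrip() -> dict:
    """Run the procedure against a constructed config.json in a temp directory."""
    sample = {"destination.type": "UDP", "destination.ip": "198.51.100.10"}  # constructed
    with tempfile.TemporaryDirectory() as tmpdir:
        path = os.path.join(tmpdir, "config.json")
        with open(path, "w", encoding="utf-8") as fh:
            json.dump(sample, fh)
        return configure_udp(path, "qradar.example.com")  # assumed FQDN


if __name__ == "__main__":
    # On the collector itself: configure_udp(CONFIG_PATH, "<event collector ip>")
    print(json.dumps(example_roundtrip(), indent=2))
```

Step 6 is unchanged: after the script has written the file, run systemctl restart dlc so the collector reloads it. The reject-before-write check matters because the collector only reads config.json at restart, so a malformed file would otherwise be discovered when event delivery stops.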

What to do next

Go to Add Disconnected Log Collector as a log source in QRadar.