Adding forwarding destinations

Before you can configure routing rules or custom rules to forward data, you must add a forwarding destination. Normalized events that you forward can be interpreted only by other QRadar® systems.

Restriction: You cannot forward data to systems that use dynamic IP addresses. The connection is established when the service starts, and changes to the IP address are not detected until the service restarts. The forwarding destination must have a static IP address.

Procedure

  1. On the navigation menu, click Admin.
  2. In the System Configuration section, click Forwarding Destinations.
  3. On the toolbar, click Add.
  4. In the Forwarding Destinations window, enter values for the parameters.
    The following table describes some of the Forwarding Destinations parameters.

    Table 1. Forwarding Destinations parameters

    Destination Address
        The IP address or host name of the vendor system that you want to forward data to.

    Event Format
        • Payload is the data in the format that the log source or flow source sent.
        • Normalized is raw data that is parsed and prepared as readable information for the user interface.
        • JSON (JavaScript Object Notation) is a data-interchange format.

    Protocol
        Use the TCP protocol to send normalized data over a plain TCP connection. You must create an off-site source at the destination address on port 32004.

        Use the TCP over SSL protocol to send normalized data securely over TCP with an SSL certificate. You must install an SSL certificate to establish communication to the destination. For information about installing SSL certificates, see Installing a new SSL certificate.

        Restriction: You cannot transmit normalized or JSON data by using the UDP protocol. If you select the Normalized or JSON option, the UDP option in the Protocol list is disabled.

    Prefix a syslog header if it is missing or invalid
        Applicable only when the event format is Payload.

        When QRadar forwards syslog messages, the outbound message is checked to ensure that it has a valid syslog header.

        If a valid syslog header is not detected and this check box is selected, QRadar prefixes a syslog header whose Hostname field contains the originating IP address from the packet that QRadar received. If this check box is not selected, the data is sent unmodified.

  5. Click Save.
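As an added illustration of the syslog header check described for the Payload event format (this is constructed example code, not QRadar's implementation), the following Python tests an outbound message for an RFC 3164 or RFC 5424 style header and, when the option is on and no valid header is found, prefixes one whose hostname field is the originating IP address. The header patterns, the PRI value 13 and the function names are assumptions.

```python
import re
from datetime import datetime, timezone
from typing import Optional

# Constructed model of the "Prefix a syslog header if it is missing or
# invalid" option; not QRadar's own implementation.
# RFC 3164 style header: <PRI>Mmm dd hh:mm:ss HOSTNAME ...
RFC3164_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"[A-Z][a-z]{2} [ 0-3]\d \d{2}:\d{2}:\d{2} "
    r"(?P<host>[^\s:]+)\s"
)
# RFC 5424 style header: <PRI>VERSION ISO-TIMESTAMP HOSTNAME ...
RFC5424_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>\d{1,2} "
    r"\d{4}-\d{2}-\d{2}T\S+ "
    r"(?P<host>\S+) "
)
ASSUMED_PRI = 13  # facility user, severity notice; an assumed default


def has_valid_syslog_header(message: str) -> bool:
    """True when the message starts with a well-formed syslog header."""
    m = RFC3164_HEADER.match(message) or RFC5424_HEADER.match(message)
    # PRI is facility*8 + severity, so 0..191 is the only valid range.
    return m is not None and int(m.group("pri")) <= 191


def prefix_syslog_header(message: str, origin_ip: str,
                         prefix_enabled: bool = True,
                         now: Optional[datetime] = None) -> str:
    """Return the message as it would leave the forwarder.

    With the option off, or when the header is already valid, the data
    is sent unmodified. Otherwise an RFC 3164 header is prefixed whose
    HOSTNAME field is the originating IP address of the received packet.
    """
    if not prefix_enabled or has_valid_syslog_header(message):
        return message
    now = now or datetime.now(timezone.utc)
    # RFC 3164 pads a single-digit day with a space: "Mar  5 09:07:01".
    timestamp = f"{now:%b} {now.day:2d} {now:%H:%M:%S}"
    return f"<{ASSUMED_PRI}>{timestamp} {origin_ip} {message}"


if __name__ == "__main__":
    # Constructed sample: a forwarded payload that carries no syslog header.
    print(prefix_syslog_header("kernel: eth0: link is up", "10.0.0.7"))
```

A message with a PRI token but no hostname, such as `<34>Oct 11 22:14:15 su: ...`, is treated as an invalid header and gets prefixed, which is the "missing or invalid" case the option name refers to.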

What to do next

Setting up a forwarding destination does not automatically send data to that destination. You must configure either a routing rule or a custom rule to forward data to the destination.