Adding forwarding destinations
Before you can configure routing rules or custom rules to forward data, you must add a forwarding destination. Normalized events that you forward can be interpreted only by other QRadar® systems.
- On the navigation menu, click Admin.
- In the System Configuration section, click Forwarding Destinations.
- On the toolbar, click Add.
- In the Forwarding Destinations window, enter values for the parameters.
The following table describes some of the Forwarding Destinations parameters.
Table 1. Forwarding Destinations parameters

Parameter: Destination Address
Description: The IP address or host name of the vendor system that you want to forward data to.

Parameter: Event Format
Description:
- Payload is the data in the format that the log source or flow source sent.
- Normalized is raw data that is parsed and prepared as readable information for the user interface.

Parameter: Protocol
Description:
- Use the TCP protocol to send normalized data. You must create an off-site source at the destination address on port 32004.
- Use the TCP over SSL protocol to send normalized data securely over TCP with an SSL certificate. You must install an SSL certificate to establish communication to the destination. For information about installing SSL certificates, see Installing a new SSL certificate.
Restriction: You cannot transmit normalized and JSON data by using the UDP protocol. If you select the Normalized or JSON options, the UDP option in the Protocol list is disabled.

Parameter: Prefix a syslog header if it is missing or invalid
Description: Applicable only when the event format is Payload.
When QRadar forwards syslog messages, the outbound message is verified to ensure that it has a valid syslog header.
If a valid syslog header is not detected and this check box is selected, a syslog header is prefixed, and its Hostname field contains the originating IP address from the packet that QRadar received. If this check box is not selected, the data is sent unmodified.
- Click Save.
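The following added example (not IBM or QRadar code) models the "Prefix a syslog header if it is missing or invalid" behavior so that you can see what a destination parser receives for each kind of payload. Assumptions: a header counts as valid when it matches RFC 3164 or RFC 5424 with a priority of 191 or less, and the prefixed header uses priority 13 and the forwarding time; the function names are hypothetical.

```python
import re
from datetime import datetime

MONTHS = ("Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec")

# RFC 3164: <PRI>Mmm dd hh:mm:ss HOSTNAME (day is space-padded)
RFC3164 = re.compile(
    r"^<(\d{1,3})>(?:%s) [ \d]\d \d{2}:\d{2}:\d{2} (\S+) " % "|".join(MONTHS))
# RFC 5424: <PRI>1 TIMESTAMP HOSTNAME (loose match, enough for triage)
RFC5424 = re.compile(r"^<(\d{1,3})>1 \S+ (\S+) ")


def header_hostname(payload):
    """Return the HOSTNAME field if the payload starts with a valid header, else None."""
    m = RFC3164.match(payload) or RFC5424.match(payload)
    if m is None or int(m.group(1)) > 191:  # PRI = facility*8 + severity, max 191
        return None
    return m.group(2)


def forward_payload(payload, source_ip, prefix_if_invalid, now=None, pri=13):
    """Model of the check box: prefix a header only when none is detected."""
    if header_hostname(payload) is not None or not prefix_if_invalid:
        return payload  # valid header, or check box cleared: sent unmodified
    now = now or datetime.now()
    stamp = "%s %2d %02d:%02d:%02d" % (
        MONTHS[now.month - 1], now.day, now.hour, now.minute, now.second)
    # Hostname field carries the originating IP of the received packet.
    # pri=13 and the forwarding-time stamp are assumptions of this example.
    return "<%d>%s %s %s" % (pri, stamp, source_ip, payload)


# Constructed sample payloads (not taken from a real system).
SAMPLES = [
    ("192.0.2.10", "<34>Oct 11 22:14:15 fw01 sshd[411]: Failed password for root"),
    ("192.0.2.11", "user=alice action=login result=failure"),
    ("192.0.2.12", "<999>Oct 11 22:14:15 fw02 bad priority value"),
]

if __name__ == "__main__":
    for ip, raw in SAMPLES:
        out = forward_payload(raw, ip, prefix_if_invalid=True)
        print(header_hostname(raw), "->", header_hostname(out), "|", out)
```

With the check box cleared, the second and third samples reach the destination without a usable Hostname field, so the receiving system has to attribute them by some other means.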