Configuring log forwarding

Configure log forwarding to send QRadar® Advisor with Watson™ logs to your QRadar system so that you can provide them to IBM® Customer Support.

About this task

Log forwarding is enabled by default so that selected logs are forwarded to your QRadar system if a QRadar Advisor with Watson investigation fails. While an investigation is running, log forwarding sends 3 - 5 events per second (EPS) to your QRadar system.

Tip: Click the Enable log forwarding toggle to disable logging so that no logs are sent to your QRadar system.

Procedure

  1. On the navigation menu, click Admin.
  2. In the Apps section, under QRadar Advisor with Watson, click Logging.
  3. Select the Log level from the following choices:
    • INFO
    • WARNING
    • ERROR
    • FULL/DEBUG
  4. Click Submit.
    • If an investigation fails, you can click View Logs from the Incident pane to view QRadar Advisor with Watson logs from the Log Activity tab on your QRadar system. On the List of Events page, click Select an Option in the View field to filter on the time of the events. For example, select Last 3 hours to view logs for events that started during the last 3 hours.
    • To view debug and information logs, from the Log Activity tab, click Search > Edit Search. From the Available Saved Searches section, click Advisor with Watson Audits and then click Load. In the Current Filters section, click Log Source is QRadarAdvisorwithWatson and then click Filter.