Sending Disconnected Log Collector health metrics to QRadar

If you use TLS over TCP communication, you can enable metrics to track the number of accumulated spillover files and the events per second (EPS) rate that IBM Disconnected Log Collector sends to IBM QRadar. Disconnected Log Collector sends the metrics as events to QRadar, where you can create rules to react to the metrics.

Disconnected Log Collector also sends an event to QRadar to notify you when the client certificate is about to expire. By default, the event is sent 14 days before the certificate expires.

Procedure

  1. Log in to the Disconnected Log Collector computer or VM as the root user.
  2. Open the /opt/ibm/si/services/dlc/conf/config.json file in a text editor.
  3. Set the DLCMetricsEventsEnabled parameter to true.
  4. In the tls.keystoreexpirywindow parameter, enter the number of days' notice to be given before the client certificate expires.
  5. Save and close the file.
  6. Restart Disconnected Log Collector by typing the following command:
    systemctl restart dlc
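
A check to run between steps 5 and 6, as an added example that is not part of the IBM documentation: it confirms that the edited file still parses as JSON and that both parameters carry usable values before the service is restarted. The page does not show where the parameters sit inside config.json, so the script assumes they may appear at any depth, that tls.keystoreexpirywindow is either a literal dotted key or a keystoreexpirywindow key nested under tls, and that values may be written as JSON literals or as strings.

```python
import json
import sys

CONFIG_PATH = "/opt/ibm/si/services/dlc/conf/config.json"  # path from step 2

def find_key(node, name):
    """Return every value stored under `name` at any depth of the parsed JSON."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            if key == name:
                hits.append(value)
            hits.extend(find_key(value, name))
    elif isinstance(node, list):
        for item in node:
            hits.extend(find_key(item, name))
    return hits

def check_config(text):
    """Return a list of problems; an empty list means both settings look right."""
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        # A syntax slip made in the editor would otherwise surface only at restart.
        return [f"config.json is not valid JSON: {exc}"]
    problems = []
    enabled = find_key(cfg, "DLCMetricsEventsEnabled")
    if not enabled:
        problems.append("DLCMetricsEventsEnabled is missing")
    elif str(enabled[0]).lower() != "true":
        problems.append(f"DLCMetricsEventsEnabled is {enabled[0]!r}, expected true")
    # Assumption: the key is stored either as the dotted name or nested under "tls".
    window = (find_key(cfg, "tls.keystoreexpirywindow")
              or find_key(cfg, "keystoreexpirywindow"))
    if not window:
        problems.append("tls.keystoreexpirywindow is missing")
    elif not str(window[0]).isdigit():
        problems.append(f"tls.keystoreexpirywindow is {window[0]!r}, expected whole days")
    return problems

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else CONFIG_PATH
    with open(path, encoding="utf-8") as fh:
        issues = check_config(fh.read())
    for issue in issues:
        print("FAIL:", issue)
    sys.exit(1 if issues else 0)
```

The script exits with status 0 when both settings pass and 1 otherwise, so it can gate the restart command in step 6.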

Results

Disconnected Log Collector starts sending metrics events to QRadar. The event name is DLC Metrics.