What's new in Disconnected Log Collector

Stay up to date with the new features that are available in IBM Disconnected Log Collector.

1.8.6

Added Ubuntu OS support
Download your Disconnected Log Collector instance on Ubuntu 22.04 or later. For more information, see Installing or upgrading Disconnected Log Collector on Ubuntu Linux.

1.8.5

Added TLS proxy authentication support

Use the proxy settings if your Disconnected Log Collector is behind a corporate firewall and the only way to access your Disconnected Log Collector is with a proxy server.

The proxy server also needs to access port 32500 on your QRadar instance.

For more information, see Configuring TLS proxy communication with QRadar.

Updated the installation procedure to use a script
The installation method changed to use a .tgz file so you can download and install connector RPMs for protocols directly on your Disconnected Log Collector instance as new ones or updates become available. With this update, you do not have to install a new Disconnected Log Collector version to receive protocol updates.

1.8.4

Fixed issues that caused service disruption

Issues with Java™ and RHEL 9.2 that caused security interruptions were fixed. If you have further issues, contact IBM® Support.

Support for TLS 1.3
You can now use TLS 1.3 when you connect your Disconnected Log Collector to QRadar or QRadar on Cloud. Using the most current TLS version increases the security of the connection to your Disconnected Log Collector.
Important: To use TLS 1.3, you must have the most current version of the QRadar Disconnected Log Collector protocol on your QRadar or QRadar on Cloud instance.

Update the TLS version in both the config.json file for your Disconnected Log Collector instance and the QRadar Log Source Management app for the protocol.

Added backup and restore scripts

Use these scripts to back up and restore your Disconnected Log Collector configuration.

To back up your configuration, run the /opt/ibm/si/services/dlc/current/script/configBackup.sh script.

To restore your configuration, run the /opt/ibm/si/services/dlc/current/script/configRestore.sh script.

1.8.3

Improved security with protocol updates
The following protocols are updated to improve security compliance with this version of Disconnected Log Collector:
  • Log File Protocol
  • Microsoft Azure Event Hubs

For more information about the parameters for each log source, see the readme files that are provided with the product. The readme files are available in the /opt/ibm/si/services/dlc/conf/template directory.

1.8.2

Improved security with protocol updates
The following protocols are updated to improve security compliance with this version of Disconnected Log Collector:
  • Akamai Kona REST API
  • Amazon AWS REST API
  • Amazon Web Services
  • Apache Kafka
  • Ariel REST API
  • Blue Coat Web Security Service (WSS) REST API
  • Box REST API
  • Google G Suite Activity Reports REST API
  • JDBC
  • Log File Protocol
  • Microsoft Azure Event Hubs
  • Microsoft Graph Security API
  • Microsoft Office 365 REST API
  • Microsoft Office 365 Message Trace REST API
  • Seculert Protection REST API
  • SMB Tail
  • SNMP
  • Universal Cloud REST API
  • Microsoft Defender® for Endpoint REST API
    Important: Due to a change in the Microsoft Defender API suite as of 25 November 2021, Microsoft no longer allows the onboarding of new integrations with their SIEM API.

    To continue to receive data from Microsoft Defender for Endpoint REST API log sources, you must register a new application and create Microsoft Graph Security API log sources to collect the data. For more information, see Migrating Microsoft Defender for Endpoint REST API log sources to Microsoft Graph Security API log sources.

For more information about the parameters for each log source, see the readme files that are provided with the product. The readme files are available in the /opt/ibm/si/services/dlc/conf/template directory.

1.7.0

Support for Disaster Recovery

You can now enable your Disconnected Log Collector device to run on a destination site if your primary site stops working due to a site failure. Disconnected Log Collector works with the IBM QRadar Data Synchronization app to ensure that you do not lose your data.

For more information, see Disaster Recovery and Disconnected Log Collector.

Improved security and accessibility with industry compliance

Disconnected Log Collector is compliant with the Federal Information Processing Standards (FIPS).

1.6.0

Generate requests for server certificate on QRadar

You can use the generatecertificate.sh script to generate requests for the server certificate that is used by the Disconnected Log Collector log source protocol on QRadar.

For more information, see Setting up certificate-based authentication on QRadar.

1.5.0

Monitor the health of Disconnected Log Collector

You can enable metrics collection to monitor the health of Disconnected Log Collector. Collect metrics on the event rate and spill file count for the pipeline to QRadar. Send the metrics to QRadar as events.

For more information, see Sending Disconnected Log Collector health metrics to QRadar.

Monitor client certificate expiry

You can monitor the expiry of the client certificate that Disconnected Log Collector uses for secure TLS communication to QRadar®. Specify the number of days in advance of the expiry to send a notification event to QRadar.

For more information, see Sending Disconnected Log Collector health metrics to QRadar.

Support for more log source protocols

The following log source protocols were added:

  • IBM Cloud® Identity Event Service
  • Microsoft Graph Security API
  • Microsoft Office 365 Message Trace REST API
  • Universal Cloud REST API

For more information about the parameters for each log source, see the readme files that are provided with the product. The readme files are available in the /opt/ibm/si/services/dlc/conf/template directory.

1.4.0

In QRadar 7.4.0 or later, use the QRadar Log Source Management app (version 6.0 or later) to register or import Disconnected Log Collector instances that are installed in your environment. You can configure your log sources in the app, which is much faster than by using the Disconnected Log Collector's JSON config file.

Disconnected Log Collector Management

In addition, the following log source protocols were added:

  • Ariel REST API
  • Box REST API
  • Centrify Redrock REST API
  • Google G Suite Activity Reports REST API
  • Netskope Active REST API
  • Okta REST API
  • Seculert Protection REST API
  • VMware vCloud Protocol
  • Windows Defender ATP REST API

For more information about the parameters for each log source, see the readme files that are provided with the product. The readme files are available in the /opt/ibm/si/services/dlc/conf/template directory.

1.3.0

The following log source protocols were added:

  • SAP ETD REST API
  • ObserveIT JDBC
  • IBM SIM JDBC
  • Windows Security Event Log
  • EMC VMware Protocol

1.2.0

The following log source protocols were added:

  • Akamai Kona REST API
  • Amazon Web Services
  • Apache Kafka
  • Blue Coat WSS REST API
  • Cisco Firepower eStreamer
  • Microsoft Azure Event Hubs
  • Microsoft Office 365 REST API
  • MQJMS
  • Oracle Database Listener
  • Salesforce REST API
  • SMBTail
  • SNMPv3
  • Windows DHCP Protocol
  • Microsoft Exchange Protocol

1.1.0

More protocols were added in Disconnected Log Collector 1.1.0. For a full list of supported protocols, see Disconnected Log Collector overview.