Configuring an Event Collector

Add an IBM QRadar Event Collector when you want to expand your deployment, either to collect more events locally or collect events from a remote location.

Procedure

  1. From the Admin tab, click System Configuration > System and License Management.
  2. Select the managed host that you want to configure.
  3. Click Deployment Actions > Edit Host.
  4. Click Component Management.
  5. Enter values for the following parameters:
    Parameter Description
    Event Forwarding Listen Port The Event Collector event forwarding port.
    Flow Forwarding Listen Port The Event Collector flow forwarding port.
    Autodetection Enabled

    True enables the Event Collector to automatically analyze and accept traffic from previously unknown log sources. The appropriate firewall ports are opened to enable Autodetection to receive events. This option is the default.

    False prevents the Event Collector from automatically analyzing and accepting traffic from previously unknown log sources.

    For more information, see the Managing Log Sources Guide.
    Autodetection - Use Global settings

    True specifies that the Event Collector uses global settings for Log Source Autodetection.

    False specifies that the Event Collector uses individual, local settings (XML configuration file) for Log Source Autodetection.
    Flow De-Duplication Filter Enabled True enables the Event Collector to coalesce redundant flows.

    False prevents the Event Collector from coalescing redundant flows. The default is False.
    Flow De-Duplication Filter Time The amount of time in seconds that flows are buffered before they are forwarded.
    Asymmetric Flow Filter Time The amount of time in seconds that asymmetric flow is buffered before they are forwarded.
    Forward Events Already Seen

    True enables the Event Collector to forward events that were detected on the system.

    False prevents the Event Collector from forwarding events that were detected on the system. This option prevents event-looping on your system.
    Compress Event Processor Traffic True enables traffic that is sent to the connected Event Processor to be compressed.

    False prevents traffic that is sent to the connected Event Processor from being compressed. The default is False.
  6. Click Save.
  7. Repeat for all QRadar Event Collectors in your deployment that you want to configure.