Forwarding data from Splunk universal forwarders to QRadar

After you add Splunk instances to the app, you need to configure the app to forward the raw data from Splunk universal forwarders to QRadar®.

Before you begin

Understand how data forwarding and universal forwarders work. For more information, see Universal and heavy forwarders.

Procedure

  1. On the Splunk Instances tab, expand a Splunk instance to see the list of available data source types. To narrow the list of Splunk instances to choose from, search for instances based on location, description, or source types.
    Defining source types is optional for Splunk instances, so data sources that don't belong to a source type are listed under 'Not defined'. Each source type appears as a link that expands to show its related data sources.
  2. Investigate the data sources of each Splunk instance to help determine which sources you want to forward to QRadar.
  3. To forward data sources that are universal forwarders, select Forward All to QRadar.
  4. Select the data sources that you want to forward, and then click Add > Forward.
    To clear your selections from the forwarding queue and start again, click the X icon.
  5. On the Set Port for QRadar page, set the IP address and TCP port number of the QRadar console for each Splunk instance, and click Set. Any Windows-based sources are displayed, with configuration options to choose from.
    Tips:
    • In general, use port 514 to forward data to QRadar. To forward TCP multiline events, use port 12468.
    • Click Preview to see the content of a data source before you decide to forward it. This view is useful for non-administrative users: copy the information and send it to an administrator, who can apply the change to the Splunk instance by editing the appropriate files (props.conf, transforms.conf, outputs.conf).
    • If QRadar App for Splunk Data Forwarding detects a source as Windows-based but it is not, you can still forward its logs to port 514.
  6. For each Splunk source that QRadar App for Splunk Data Forwarding detects as a Windows source, select one of the following configuration options.
    • If you want to create a log source on the QRadar console, select Automatically create Windows log source on QRadar.
    • If you want to create and configure a log source as a gateway log source, select Configure log source as a gateway (to identify logs coming in from various sources).
    • If you want to manually create a log source on QRadar, see Adding a log source.
  7. After you finish setting the ports, click Set > Step 3: Finish > Finish.
    Before Splunk can start forwarding data to QRadar, the app must restart the Splunk instance. Click Finish, and then click Close after the Splunk instance restarts.
  8. Optional: If you need to change the username or password for a Splunk instance, click Edit. You cannot change the IP address or port number.
  9. Optional: To stop Splunk from forwarding data to QRadar, go to the Forwarded Data Sources tab, select the relevant Splunk instances, and click Stop Forwarding.
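The configuration that the app applies in steps 5 and 6 can also be written by hand, which is what the Preview tip in step 5 is for. The following is an added example, not output generated by the app and not taken from the app's own files; the IP addresses, ports, group names, and the monitored file path are placeholders. It shows the outputs.conf and inputs.conf settings on a universal forwarder that send raw (uncooked) events for one input to the QRadar console on port 514 while still sending cooked events to the Splunk indexers, and, for heavy forwarders only, the props.conf and transforms.conf routing that selects events by source instead of per input.

```ini
# outputs.conf on the Splunk universal forwarder (added example, not the app's output).
# 10.0.0.20 is a placeholder Splunk indexer; 198.51.100.10 is a placeholder for the
# QRadar console address entered on the Set Port for QRadar page.
[tcpout]
defaultGroup = splunk_indexers

[tcpout:splunk_indexers]
server = 10.0.0.20:9997

[tcpout:qradar_raw]
# Uncooked events, so QRadar's syslog listener on 514 reads the raw line directly.
# Use 198.51.100.10:12468 instead for sources that emit TCP multiline events.
server = 198.51.100.10:514
sendCookedData = false

# inputs.conf on the same universal forwarder: route only the selected input to QRadar.
# Listing both groups keeps the events in Splunk as well as forwarding them to QRadar.
[monitor:///var/log/secure]
sourcetype = linux_secure
_TCP_ROUTING = splunk_indexers, qradar_raw

# props.conf on a heavy forwarder (a universal forwarder does not run transforms):
# route every event from this source to the qradar_raw group.
[source::/var/log/secure]
TRANSFORMS-route_qradar = route_to_qradar

# transforms.conf on the same heavy forwarder.
[route_to_qradar]
REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = qradar_raw
```

Two caveats apply whichever way the configuration is written. First, a raw tcpout group sends the events in clear text over TCP, so the path between the forwarder and the QRadar console should be a trusted network segment, or the connection should be protected with the TLS settings that outputs.conf supports. Second, every event from a forwarder arrives at QRadar from the forwarder's IP address, not from the host that wrote the original log line, which is why the gateway log source option in step 6 exists for forwarders that relay logs from several hosts.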

Results

The data from the selected sources starts to appear in the Log Activity tab as events in QRadar. You can identify them by their Source IP.

Each instance in the Splunk Instances tab includes information about which user created the instance, which users started or stopped data forwarding, and when the content for the instance was last refreshed.