After you add Splunk instances to the app, you need to configure the app to forward the raw data from Splunk universal forwarders to QRadar®.
Procedure
- On the Splunk Instances tab, expand a Splunk instance to see the list of available data source types. To narrow the list of Splunk instances to choose from, search for instances based on location, description, or source types. Defining source types is optional for Splunk instances, so data sources that don't belong to a source type are listed under 'Not defined'. The source type appears as a link in the list and displays the related data sources.
- Investigate the data sources of each Splunk instance to help determine which sources you want to forward to QRadar.
  - To forward data sources that are universal forwarders, select Forward All to QRadar.
- Select the data sources that you want to forward, and then click . To clear your selections from the forwarding queue and start again, click the X icon.
- On the Set Port for QRadar page, set the IP address and TCP port number of the QRadar console for each Splunk instance, and click Set. Any Windows-based sources are displayed, with configuration options to choose from.
  Tips:
  - In general, use port 514 to forward data to QRadar. To forward TCP multiline events, use port 12468.
  - Click Preview to see the content of the data source before you decide to forward it. This view is useful for non-administrative users, who can copy the information and send it to an administrator to change the Splunk instance. After you copy the data to a clipboard, modify the appropriate files (props.conf, transforms.conf, outputs.conf).
  - If QRadar App for Splunk Data Forwarding detects a source to be Windows-based, but it's not, you can still forward the logs to port 514.
  - For each Splunk source that QRadar App for Splunk Data Forwarding detects as a Windows source, select one of the following configuration options.
    - If you want to create a log source on the QRadar console, select Automatically create Windows log source on QRadar.
    - If you want to create and configure a log source as a gateway log source, select Configure log source as a gateway (to identify logs coming in from various sources).
    - If you want to manually create a log source on QRadar, see Adding a log source.
- After you finish setting up the ports, click . Before Splunk can start forwarding the data to QRadar, the app must restart the Splunk instance. Click Finish, and then click Close after the Splunk instance restarts.
- Optional: If you need to change the username or password for a Splunk instance, click Edit. You cannot change the IP address or port number.
- Optional: To stop Splunk from forwarding data to QRadar, go to the Forwarded Data Sources tab, select the relevant Splunk instances, and click Stop Forwarding.
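As an added example (not configuration generated by the app or taken from this page), the three files named in the Preview tip, edited by hand on a Splunk instance so that one source type is sent as raw, uncooked TCP to the QRadar console on port 514. The QRadar address 192.0.2.10 and the source type WinEventLog:Security are placeholders, and the example assumes the instance parses the data itself (a heavy forwarder or indexer), because TRANSFORMS routing in props.conf runs at parse time and not on a universal forwarder.

```ini
# outputs.conf (placeholder address 192.0.2.10; QRadar listens on TCP 514
# for syslog events and on 12468 for TCP multiline events, per the tips)
[tcpout]
# No defaultGroup is set, so data reaches QRadar only where transforms.conf
# routes it; local indexing and any other outputs are left unchanged.

[tcpout:qradar_raw]
server = 192.0.2.10:514
# Send the raw event text rather than Splunk's cooked (binary) format.
# A syslog receiver cannot read cooked data, and raw events carry no
# Splunk metadata, which is why QRadar identifies them by Source IP.
sendCookedData = false

# props.conf (placeholder source type)
[WinEventLog:Security]
# Run the routing transform at parse time for this source type only.
TRANSFORMS-qradar_route = route_to_qradar

# transforms.conf
[route_to_qradar]
# Match every event of the source type and set its TCP routing target
# to the tcpout group defined in outputs.conf.
REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = qradar_raw
```

Restart the Splunk instance after editing, as the procedure requires, and confirm the events arrive on the Log Activity tab with the expected Source IP before forwarding further source types.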
Results
The data from the selected sources starts to appear in the Log Activity tab as events in QRadar. You can identify them by their Source IP.
Each instance in the Splunk Instances tab includes information about which user created the instance, which users started or stopped data forwarding, and when the content for the instance was last refreshed.