To forward event and flow data to an Event Collector in another
deployment, configure the source deployment to include an off-site target so that it knows which
computer to send the data to.
Before you begin
You must know the listening ports for the off-site target appliance. By default, the
listening port for events is 32004, and 32000 for flows. To find the listening port on the target
appliance, follow these steps:
- In the target deployment, click the System and License Management
icon.
- Select the host and click .
- Click the Component Management settings icon (
), and find the ports in the Event
Forwarding Listening Port and Flow Forwarding Listening Port
fields.
About this task
To prevent connection errors, when you configure off-site source and target components, deploy
the IBM
QRadar Console with the
off-site source first. Then, deploy the QRadar
Console with the off-site target.
Procedure
-
On
the navigation menu (
), click
Admin.
-
In the System Configuration section, click System and License
Management.
-
In the Display list, select Systems.
-
On the Deployment Actions menu, click Manage Off-site
Targets.
-
Click Add and configure the parameters.
The name can be up to 20 characters in length and can include underscores or hyphens. The default
port to listen for events is 32004, and 32000 for flows.
In the IP field, enter the IP address of the QRadar
Console of the destination
deployment.
Note: If the off-site target is a managed host with encrypted host connections to its console, port
22 for SSH opens no matter which port is selected in the user interface.
-
Click Save.
-
Click Manage Connections to specify which QRadar hosts you want to receive
the data.
Only hosts that have an Event Collector are shown in the
list.
-
Repeat the steps to configure all off-site targets that you want to configure.
-
On the Admin tab, click Deploy changes.