SDEE protocol configuration options
You can configure a log source to use the Security Device Event Exchange (SDEE) protocol. QRadar uses the protocol to collect events from appliances that use SDEE servers.
The SDEE protocol is an outbound/active protocol.
The following table describes the protocol-specific parameters for the SDEE protocol:
Parameter | Description |
---|---|
Protocol Configuration | SDEE |
Log Source Identifier | Type a unique name for the log source. The Log Source Identifier can be any valid value and does not need to reference a specific server. It can also be the same value as the Log Source Name. If you have more than one configured SDEE log source, ensure that you give each one a unique name. |
URL | The HTTP or HTTPS URL that is required to access the log source, for example, https://www.example.com/cgi-bin/sdee-server. For SDEE/CIDEE (Cisco IDS v5.x and later), the URL must end with /cgi-bin/sdee-server. For RDEP (Cisco IDS v4.x), the URL must end with /cgi-bin/event-server. |
Force Subscription | When the check box is selected, the protocol forces the server to drop the least active connection and accept a new SDEE subscription connection for the log source. |
Maximum Wait To Block For Events | When a collection request is made and no new events are available, the protocol enables an event block. The block prevents another event request from being made to a remote device that did not have any new events. This timeout is intended to conserve system resources. |
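
The following pre-flight check is an added example, not part of the product or its documentation. It applies the Log Source Identifier and URL rules from the table to a list of planned log sources before they are entered. The dictionary keys (`identifier`, `variant`, `url`), the host names, and the plain-HTTP warning are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Required URL endings, taken from the URL row of the table.
REQUIRED_SUFFIX = {
    "sdee": "/cgi-bin/sdee-server",   # SDEE/CIDEE, Cisco IDS v5.x and later
    "rdep": "/cgi-bin/event-server",  # RDEP, Cisco IDS v4.x
}

def check_log_sources(sources):
    """Return (identifier, problem) tuples for a list of planned log sources.

    Each source is a dict with the hypothetical keys identifier, variant, url.
    """
    problems, seen = [], set()
    for src in sources:
        ident = src.get("identifier", "").strip()
        variant = src.get("variant", "").lower()
        parts = urlsplit(src.get("url", ""))
        # Every configured SDEE log source needs its own unique identifier.
        if not ident:
            problems.append((ident, "empty Log Source Identifier"))
        elif ident in seen:
            problems.append((ident, "duplicate Log Source Identifier"))
        seen.add(ident)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            problems.append((ident, "URL is not an HTTP or HTTPS URL with a host"))
            continue
        if parts.scheme == "http":
            # Added check, not a product rule: plain HTTP is unencrypted in transit.
            problems.append((ident, "URL uses plain HTTP"))
        suffix = REQUIRED_SUFFIX.get(variant)
        if suffix is None:
            problems.append((ident, f"unknown variant {variant!r}"))
        elif parts.query or parts.fragment or not parts.path.endswith(suffix):
            problems.append((ident, f"URL must end with {suffix}"))
    return problems

# Constructed sample input; the hosts are placeholders.
SAMPLE_SOURCES = [
    {"identifier": "ids-dmz", "variant": "sdee",
     "url": "https://ids1.example.com/cgi-bin/sdee-server"},
    {"identifier": "ids-dmz", "variant": "sdee",
     "url": "https://ids2.example.com/cgi-bin/event-server"},
    {"identifier": "ids-legacy", "variant": "rdep",
     "url": "http://ids3.example.com/cgi-bin/event-server"},
]

if __name__ == "__main__":
    for ident, problem in check_log_sources(SAMPLE_SOURCES):
        print(f"{ident}: {problem}")
```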