Configuring Resolver query logging

Before you can add a log source in IBM QRadar, you must configure Resolver query logging in the AWS Management Console.

Procedure

  1. Log in to the AWS Management Console and open the Route 53 console.
  2. From the Route 53 navigation menu, select Resolver > Query logging.
  3. From the region list, select the region where you want to create the query logging configuration.
    Tip: The region that you select must be the same region where you created the Amazon Virtual Private Clouds (VPCs) that you want to log queries for. If your VPCs are in multiple regions, create at least one query logging configuration for each region.
  4. Click Configure query logging, then type a name for your query logging configuration. The configuration name is displayed in the console in the list of query logging configurations.
  5. In the Query logs destination section, select a destination where you want Resolver to publish query logs. QRadar supports CloudWatch Logs log group and S3 bucket as destinations for query logs.
    • If you are using the Amazon AWS S3 REST API, select S3 bucket.
    • If you are using the Amazon Web Services protocol, select CloudWatch Logs log group.
  6. To log VPCs, in the VPCs to log queries for section, click Add VPC. DNS queries that originate in the VPCs that you select are logged. If you don't select any VPCs, no queries are logged by Resolver.
  7. Click Configure query logging.
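
After you complete the procedure, you can check that every VPC in the region actually has an active association with a query logging configuration whose destination QRadar can read. The following is an added example, not part of the IBM documentation; the function names, IDs, and sample records are constructed, with field names following the output of the AWS CLI `route53resolver` list commands.

```python
# Constructed sample data for one region, shaped like the output of
# `aws route53resolver list-resolver-query-log-configs` and
# `aws route53resolver list-resolver-query-log-config-associations`.
CONFIGS = [
    {"Id": "rqlc-aaaa", "Name": "qradar-s3",
     "DestinationArn": "arn:aws:s3:::example-dns-query-logs"},
    {"Id": "rqlc-bbbb", "Name": "qradar-cwl",
     "DestinationArn": "arn:aws:logs:us-east-1:111122223333:log-group:/example/dns"},
    {"Id": "rqlc-cccc", "Name": "firehose-only",
     "DestinationArn": "arn:aws:firehose:us-east-1:111122223333:deliverystream/example"},
    {"Id": "rqlc-dddd", "Name": "no-vpcs-yet",
     "DestinationArn": "arn:aws:s3:::example-dns-query-logs"},
]
ASSOCIATIONS = [
    {"ResolverQueryLogConfigId": "rqlc-aaaa", "ResourceId": "vpc-0001", "Status": "ACTIVE"},
    {"ResolverQueryLogConfigId": "rqlc-bbbb", "ResourceId": "vpc-0002", "Status": "FAILED"},
    {"ResolverQueryLogConfigId": "rqlc-cccc", "ResourceId": "vpc-0003", "Status": "ACTIVE"},
]
VPC_IDS = ["vpc-0001", "vpc-0002", "vpc-0003", "vpc-0004"]  # constructed VPC list


def destination_type(arn):
    """Return the QRadar-supported destination type for an ARN, or None."""
    service = arn.split(":")[2]  # arn:partition:service:...
    return {"s3": "S3 bucket", "logs": "CloudWatch Logs log group"}.get(service)


def audit(vpc_ids, configs, associations):
    """Report which VPCs have DNS queries logged to a QRadar-readable destination."""
    by_id = {c["Id"]: c for c in configs}
    covered = {}
    for assoc in associations:
        cfg = by_id.get(assoc["ResolverQueryLogConfigId"])
        # Count only ACTIVE associations to an S3 or CloudWatch Logs destination.
        if cfg and assoc["Status"] == "ACTIVE" and destination_type(cfg["DestinationArn"]):
            covered.setdefault(assoc["ResourceId"], []).append(cfg["Name"])
    associated = {a["ResolverQueryLogConfigId"] for a in associations}
    return {
        "covered": covered,
        "not_reaching_qradar": sorted(v for v in vpc_ids if v not in covered),
        # Step 6: a configuration with no VPCs selected logs nothing.
        "configs_without_vpcs": sorted(c["Name"] for c in configs if c["Id"] not in associated),
    }


if __name__ == "__main__":
    for key, value in audit(VPC_IDS, CONFIGS, ASSOCIATIONS).items():
        print(f"{key}: {value}")
```

Run the check once per region, because query logging configurations cover only VPCs in their own region.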

What to do next

Create an Identity and Access Management (IAM) user in the AWS Management Console.