TCP Multiline Syslog log source parameters for Splunk
If QRadar does not automatically detect the log source, add a Splunk log source on the QRadar Console by using the TCP Multiline Syslog protocol.
When using the TCP Multiline Syslog protocol, there are specific parameters that you must use.
The following table describes the parameters that require specific values to collect TCP Multiline Syslog events from Splunk:

Parameter | Value |
---|---|
Log Source type | Microsoft Windows Security Event Log |
Protocol Configuration | TCP Multiline Syslog |
Log Source Identifier | Type the IP address or host name for the log source as an identifier for events from your Splunk appliance. The log source identifier must be a unique value. |
For a complete list of TCP Multiline Syslog protocol parameters and their values, see TCP Multiline Syslog protocol configuration options.
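Why a multiline protocol is needed for this source: a Windows Security event forwarded by Splunk spans several lines, so a collector must group continuation lines with the syslog header that precedes them. The following added example (not QRadar or Splunk code) shows that reassembly over a TCP stream; the start-of-event pattern and the sample events are assumptions constructed for the illustration, not values taken from this page.

```python
import re

# Assumed start-of-event pattern: a syslog PRI followed by an RFC 3164-style
# timestamp. The pattern a real deployment uses comes from the protocol's
# own configuration, which this page does not list.
EVENT_START = re.compile(r"^<\d{1,3}>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} ", re.M)


def split_multiline_events(text: str):
    """Split buffered syslog text into complete events.

    Lines that do not match EVENT_START are continuation lines and stay
    attached to the preceding header. The trailing event cannot be known to
    be complete until the next header arrives, so it is returned separately
    as the remainder for the caller to carry into the next socket read.
    """
    starts = [m.start() for m in EVENT_START.finditer(text)]
    if not starts:
        return [], text
    events = [text[a:b].rstrip("\n") for a, b in zip(starts, starts[1:])]
    return events, text[starts[-1]:]


def reassemble(chunks):
    """Reassemble events across an iterable of raw TCP chunks.

    Whatever is left after the last chunk is treated as the final event,
    which is the situation when the sender closes the connection.
    """
    buf, events = "", []
    for chunk in chunks:
        done, buf = split_multiline_events(buf + chunk.decode("utf-8", "replace"))
        events.extend(done)
    if buf.strip():
        events.append(buf.rstrip("\n"))
    return events


# Constructed sample: two multiline Windows Security events from a Splunk
# forwarder, plus a third whose tail has not arrived yet.
SAMPLE = (
    b"<13>Mar  3 10:15:01 splunk-fwd A user account was created.\n"
    b"    Subject:\n"
    b"        Account Name: admin01\n"
    b"<13>Mar  3 10:15:02 splunk-fwd An account was logged off.\n"
    b"    Subject:\n"
    b"        Account Name: svc_backup\n"
    b"<13>Mar  3 10:15:03 splunk-fwd A logon was att"
)

if __name__ == "__main__":
    # Split the stream at an arbitrary byte boundary to mimic socket reads.
    for event in reassemble([SAMPLE[:100], SAMPLE[100:]]):
        print(repr(event))
```

A collector that splits on newlines instead would emit each indented line as its own event, which is what the single-line syslog protocols would do with this source.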