Adding forwarding destinations

Before you can configure routing rules or custom rules to forward data, you must add a forwarding destination. Normalized events that you forward can be interpreted only by other IBM® QRadar® systems.

Restriction: You cannot forward data to systems that use dynamic IP addresses. The connection is established when the service starts, and changes to the IP address are not detected until the service restarts. The forwarding destination must have a static IP address.

Procedure

  1. On the navigation menu, click Admin.
  2. In the System Configuration section, click Forwarding Destinations.
  3. On the toolbar, click Add.
  4. In the Forwarding Destinations window, enter values for the parameters and click Save.
    The following table describes some of the Forwarding Destinations parameters.
    Table 1. Forwarding Destinations parameters

    Destination Address
      The IP address or host name of the vendor system that you want to forward data to.

    Event Format
      • Payload is the data in the format that the log source or flow source sent. If you select this option, ensure that port 514 is open.
      • Normalized is raw data that is parsed and prepared as readable information for the user interface. If you select this option, ensure that ports 32000 and 32004 are open.
      • JSON (JavaScript Object Notation) is a data-interchange format. If you select this option, ensure that port 5141 is open.

    Protocol
      TCP: Sends normalized data over TCP. You must create an off-site source at the destination address on port 32004 for events, or on port 32000 for flows.
      TCP over SSL (deprecated): Sends payload or JSON data over TCP secured with an SSL certificate. You must install an SSL certificate to establish communication to the destination.
      TCP over TLS 1.1 or above: Sends payload or JSON data over TCP with TLS encryption. The destination must have valid certificates.
      Restriction: You cannot transmit normalized and JSON data by using the UDP protocol. If you select the Normalized or JSON options, the UDP option in the Protocol list is disabled.

    Prefix a syslog header if it is missing or invalid
      Applicable only when the event format is Payload.
      When QRadar forwards syslog messages, the outbound message is verified to ensure that it has a valid syslog header.
      If a valid syslog header is not detected and this checkbox is selected, the prefixed syslog header includes the originating IP address from the packet that QRadar received in the Hostname field of the syslog header. If this checkbox is not selected, the data is sent unmodified.

    Enable Hostname Verification
      The configured destination address must match an entry in the Subject Alternative Names field of the remote server's TLS certificate.

    Enable Client Authentication
      Use the IBM QRadar Certificate Management App to enable client authentication.

    Profile
      A forwarding profile associates multiple destinations when network activity is forwarded. This parameter is applicable only when the event format is JSON.
  5. Optional (deprecated): If you are using the TCP over SSL protocol, follow these steps:
    1. From the command line of the event collector or processor that uses the routing rule to forward data, change the directory to /tmp.
    2. Run the following command: /opt/qradar/bin/getcert.sh <tlssyslog_server_ip> <tlssyslog_port>
      A copy of the server's certificate is downloaded from the target system and is named after the IP address and port that you downloaded it from.
    3. Move the certificate to /opt/qradar/conf/trusted_certificates/.
    4. Restart event collection.
      • If online forwarding is enabled, run the following command: systemctl restart ecs-ec
      • If offline forwarding is enabled, run the following command: systemctl restart ecs-ep
  6. Optional: If you are using the TCP over TLS protocol and the destination requires a client certificate to connect, follow these steps:
    1. Install the Certificate Management App from the IBM Security App Exchange (https://exchange.xforce.ibmcloud.com/hub/extension/dbe4ed9501f904b5945e84556bd0969f).
    2. In the Client/Server tab of the app, upload the client key and one or more certificates. For more information, see Uploading a certificate (https://www.ibm.com/docs/en/qsip/7.4?topic=management-uploading-certificate).
    3. Enter a name for your certificate. In the Purpose field, enter Client. In the Component field, enter Event Forwarding.
    4. Save and deploy your changes from the Admin tab.
    5. Access the Forwarding Destinations page from the Admin tab. Edit the forwarding destination, check Enable client authentication, and select your certificate.
    6. Click Save.
    7. On the Admin tab, select Routing Rules, and configure a new rule using the forwarding destination that you configured. Enable the rule.
  7. Optional: If you are using the TCP over TLS protocol and the destination uses a certificate that is signed by a private CA, or if you are unsure whether the certificate is signed by a private CA, follow these steps:
    1. Install the Certificate Management App from the IBM Security App Exchange (https://exchange.xforce.ibmcloud.com/hub/extension/dbe4ed9501f904b5945e84556bd0969f).
    2. In the Root Cert tab of the app, upload the Root CA certificate for the Private CA that issued the server certificate. The certificate must be in PEM format. For more information, see Uploading a certificate (https://www.ibm.com/docs/en/qsip/7.4?topic=management-uploading-certificate).
    3. Deploy your changes from the Admin tab.
    4. Access the Forwarding Destinations page from the Admin tab. Edit the forwarding destination and check Enable host name verification.
    5. Click Save.
    6. On the Admin tab, select Routing Rules, and configure a new rule using the forwarding destination that you configured. Enable the rule.

What to do next

Setting up a forwarding destination does not automatically send data to that destination. You must configure either a routing rule or a custom rule to forward data to the destination. For more information, see Configuring routing rules to forward data.

Troubleshooting forwarding destinations

Use this information to troubleshoot a Connection refused error message on the sending host.

Procedure

  1. To check whether the port is open, enter the following command on the destination host: ss -nlp | grep <port>.
  2. If other troubleshooting tests fail, try the following steps:
    • To see inbound traffic on the destination host, enter the following command: tcpdump -nn -i any port <port>.
    • To see outbound traffic from QRadar, enter the following command on the host that applies the routing rule (which host that is depends on whether the rule is online or offline): tcpdump -nn -i any dst <destination_ip>.
    • On the sending host, in /var/log/qradar.error, check for errors that are related to selectiveforwarding or offline_forwarding.
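The three checks above (is the port listening, does a connection get through, what does /var/log/qradar.error say) can be combined into one script run from the sending host. The following is an added example, not part of the QRadar documentation or product: `listening_ports` parses `ss -nlp` output, `tcp_reachable` performs a single TCP handshake and classifies the failure, and `forwarding_errors` filters log lines that mention `selectiveforwarding` or `offline_forwarding`. The `ss` output and the qradar.error lines embedded below are constructed samples with documentation IP addresses, not real product output, and the helper names are this example's own.

```python
import re
import socket

# Constructed sample of `ss -nlp` output (not captured from a real host).
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
tcp   LISTEN 0      128          0.0.0.0:514        0.0.0.0:*     users:(("rsyslogd",pid=1201,fd=4))
tcp   LISTEN 0      128          0.0.0.0:32004      0.0.0.0:*     users:(("java",pid=2310,fd=91))
tcp   LISTEN 0      128        127.0.0.1:5432       0.0.0.0:*     users:(("postgres",pid=910,fd=6))
"""

# Constructed sample lines in the style of /var/log/qradar.error (not real output).
SAMPLE_QRADAR_ERROR = [
    "Mar  5 14:03:07 qradar [ecs-ec] ERROR selectiveforwarding: connect to 192.0.2.10:514 failed: Connection refused",
    "Mar  5 14:03:08 qradar [hostcontext] INFO deploy completed",
    "Mar  5 14:03:09 qradar [ecs-ep] ERROR offline_forwarding: destination 192.0.2.10:5141 unreachable",
    "Mar  5 14:03:10 qradar [tomcat] WARN session timeout for user admin",
]

_FORWARDING_RE = re.compile(r"selectiveforwarding|offline_forwarding", re.IGNORECASE)


def listening_ports(ss_output: str) -> set[int]:
    """Return the local ports in LISTEN state from `ss -nlp` text (step 1)."""
    ports = set()
    for line in ss_output.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 5 or fields[1] != "LISTEN":
            continue
        local = fields[4]                             # e.g. "0.0.0.0:514" or "[::]:514"
        ports.add(int(local.rsplit(":", 1)[1]))
    return ports


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> tuple[bool, str]:
    """One TCP handshake to host:port; (ok, reason) explains the failure mode."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, "connected"
    except ConnectionRefusedError:
        # RST came back: the host is up but nothing listens on that port,
        # or a firewall is actively rejecting. This is the page's error case.
        return False, "connection refused"
    except socket.timeout:
        # No answer at all: packets dropped on the path or silently filtered.
        return False, "timed out"
    except OSError as exc:
        return False, f"socket error: {exc}"


def forwarding_errors(lines) -> list[str]:
    """Keep only log lines that concern the forwarding components."""
    return [ln for ln in lines if _FORWARDING_RE.search(ln)]


def diagnose(host: str, port: int, ss_output: str, log_lines) -> dict:
    """Combine the checks into one report; the ss output comes from the destination."""
    ok, reason = tcp_reachable(host, port)
    return {
        "port_listening_on_destination": port in listening_ports(ss_output),
        "reachable_from_sender": ok,
        "reason": reason,
        "forwarding_log_lines": forwarding_errors(log_lines),
    }


if __name__ == "__main__":
    # Placeholder destination; replace with the configured forwarding destination.
    report = diagnose("192.0.2.10", 514, SAMPLE_SS_OUTPUT, SAMPLE_QRADAR_ERROR)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Reading the report: "connection refused" with the port absent from the destination's listening set points at the receiver (service not started or bound to another address), while "connection refused" with the port present points at a host firewall on the destination; a timeout instead of a refusal means something between the two hosts is dropping packets, which is where the `tcpdump` captures in step 2 come in.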