To forward normalized events and flows, configure the target deployment to include an
off-site source so that it knows which computer is sending the data. Configure the source deployment
to include an off-site target so that it knows which computer to send the data to.
About this task
The following diagram shows forwarding event and flow data between deployments.
Figure 1. Forwarding data between deployments by using SSH
If the off-site source or target is an all-in-one system, the public key is not automatically
generated; therefore, you must manually generate the public key. For more information, see Generating public keys for QRadar products.
Procedure
To forward normalized events and flows from Deployment A to Deployment B:
Configure an off-site target in Deployment A.
The off-site target configuration includes the IP address of the Event Collector in Deployment B
that receives the data.
Configure an off-site source in Deployment B.
The off-site source configuration includes the IP address and the port number of the Event Collector in Deployment A
that is sending the data.
To transfer encrypted data, you must enable encryption on both the off-site source and the
off-site target.
To ensure appropriate access, the SSH public key for the source system (Deployment A)
must be available to the target system (Deployment B). For example, to enable encryption between
Deployment A and Deployment B, follow these steps:
Create ssh keys by using the ssh-keygen -1 -t rsa command, and press enter
when prompted about the directory and passphrase.
By default, the id_rsa.pub file is stored in the
/root/.ssh directory.
Copy the id_rsa.pub file to the /root/.ssh directory
on the Event Collector and on
the QRadar
Console in the source system
(Deployment A).
Rename the file to authorized_keys.
Ensure that the source system is configured with the appropriate permissions to send
event and flow data to the target system.
If you didn't use the chmod 600 authorized_keys command to assign
rw owner privileges to the file and the parent directory, use the
ssh-copy-id command with the -i parameter to specify that the
identity file /root/.ssh/id_rsa.pub be used.
For example, type the following command to append entries or create a new
authorized_keys file on the target console with the right privileges. This
command does not check for duplicate entries.
ssh-copy-id -i root@10.100.133.80
Configure the source system to ensure that forwarding of events and flows is not interrupted by
other configuration activities, such as adding a managed host to one of the consoles.
For example, if a managed host is added to a console that is forwarding events, then an
authorized_keys file must exist in the /root/.ssh
directory on the managed host. If not, adding a managed host fails. This file is required regardless
of whether encryption is used between the managed host and the console.
On the QRadar
Console in the source
system (Deployment A), create a ssh_keys_created file under
/opt/qradar/conf.
Change the owner and group to nobody and the permission to
775 to make sure that the file can be backed up and restored properly.
To prevent connection errors, deploy the changes in the target system (Deployment B) before you
deploy the changes in the source system (Deployment A).
What to do next
If you update the Event Collector configuration or
the monitoring ports, you must manually update the configuration for the off-site source and
off-site target to maintain the connection between the two deployments.
If you want to disconnect the source system (Deployment A), you must remove the connections from
both deployments. Remove the off-site target from the source system (Deployment A), and then remove
the off-site source from the target system (Deployment B).