Example: Forwarding normalized events and flows

To forward normalized events and flows, configure the target deployment to include an off-site source so that it knows which computer is sending the data. Configure the source deployment to include an off-site target so that it knows which computer to send the data to.

About this task

The following diagram shows forwarding event and flow data between deployments.

Figure 1. Forwarding data between deployments by using SSH
Event forwarding between two deployments.

If the off-site source or target is an all-in-one system, the public key is not automatically generated; therefore, you must manually generate the public key. For more information, see Generating public keys for QRadar products.

Procedure

To forward normalized events and flows from Deployment A to Deployment B:

  1. Configure an off-site target in Deployment A.

    The off-site target configuration includes the IP address of the Event Collector in Deployment B that receives the data.

  2. Configure an off-site source in Deployment B.

    The off-site source configuration includes the IP address and the port number of the Event Collector in Deployment A that is sending the data.

  3. To transfer encrypted data, you must enable encryption on both the off-site source and the off-site target.

To ensure appropriate access, the SSH public key for the source system (Deployment A) must be available to the target system (Deployment B). For example, to enable encryption between Deployment A and Deployment B, follow these steps:

  1. Create ssh keys by using the ssh-keygen -1 -t rsa command, and press enter when prompted about the directory and passphrase.

    By default, the id_rsa.pub file is stored in the /root/.ssh directory.

  2. Copy the id_rsa.pub file to the /root/.ssh directory on the Event Collector and on the QRadar Console in the source system (Deployment A).
  3. Rename the file to authorized_keys.

Ensure that the source system is configured with the appropriate permissions to send event and flow data to the target system.

  1. If you didn't use the chmod 600 authorized_keys command to assign rw owner privileges to the file and the parent directory, use the ssh-copy-id command with the -i parameter to specify that the identity file /root/.ssh/id_rsa.pub be used.
    For example, type the following command to append entries or create a new authorized_keys file on the target console with the right privileges. This command does not check for duplicate entries.
    ssh-copy-id -i root@10.100.133.80
  2. Configure the source system to ensure that forwarding of events and flows is not interrupted by other configuration activities, such as adding a managed host to one of the consoles.

    For example, if a managed host is added to a console that is forwarding events, then an authorized_keys file must exist in the /root/.ssh directory on the managed host. If not, adding a managed host fails. This file is required regardless of whether encryption is used between the managed host and the console.

  3. On the QRadar Console in the source system (Deployment A), create a ssh_keys_created file under /opt/qradar/conf.
  4. Change the owner and group to nobody and the permission to 775 to make sure that the file can be backed up and restored properly.
    chown nobody:nobody /opt/qradar/conf/ssh_keys_created
    chmod 775 /opt/qradar/conf/ssh_keys_created
  5. To prevent connection errors, deploy the changes in the target system (Deployment B) before you deploy the changes in the source system (Deployment A).

What to do next

If you update the Event Collector configuration or the monitoring ports, you must manually update the configuration for the off-site source and off-site target to maintain the connection between the two deployments.

If you want to disconnect the source system (Deployment A), you must remove the connections from both deployments. Remove the off-site target from the source system (Deployment A), and then remove the off-site source from the target system (Deployment B).