Before you can configure routing rules or custom rules to forward data, you must add a
forwarding destination. Normalized events that you forward can be interpreted only by other IBM
QRadar systems.
Restriction: You cannot forward data to systems that use dynamic IP addresses. The
connection is established when the service starts, and changes to the IP address are not detected
until the service restarts. The forwarding destination must have a static IP address.
Procedure
- On the navigation menu, click Admin.
- In the System Configuration section, click Forwarding Destinations.
- On the toolbar, click Add.
- In the Forwarding Destinations window, enter values for the parameters and click Save. The following table describes some of the Forwarding Destinations parameters.

Table 1. Forwarding Destinations parameters
| Parameter | Description |
| --- | --- |
| Destination Address | The IP address or host name of the vendor system that you want to forward data to. |
| Event Format | Payload is the data in the format that the log source or flow source sent. If you select this option, ensure that port 514 is open. Normalized is raw data that is parsed and prepared as readable information for the user interface. If you select this option, ensure that ports 32000 and 32004 are open. JSON (JavaScript Object Notation) is a data-interchange format. If you select this option, ensure that port 5141 is open. |
| Protocol | TCP sends normalized data. You must create an off-site source at the destination address on port 32004 for events, or on port 32000 for flows. TCP over SSL (deprecated) sends payload or JSON data by using TCP with an SSL certificate. You must install an SSL certificate to establish communication with the destination. TCP over TLS 1.1 or above sends payload or JSON data securely by using TCP with TLS encryption. The destination must have valid certificates. Restriction: You cannot transmit normalized or JSON data by using UDP. If you select the Normalized or JSON option, the UDP option in the Protocol list is disabled. |
| Prefix a syslog header if it is missing or invalid | Applicable only when the event format is Payload. When QRadar forwards syslog messages, the outbound message is checked for a valid syslog header. If no valid syslog header is detected and this checkbox is selected, QRadar prefixes a syslog header whose Hostname field contains the originating IP address from the packet that QRadar received. If this checkbox is not selected, the data is sent unmodified. |
| Enable Hostname Verification | The configured destination address must match an entry in the Subject Alternative Names field of the remote server's TLS certificate. |
| Enable Client Authentication | For information about uploading certificates through the API, see QRadar: Forwarding events over TLS, adding a Client cert through QRadar API. |
| Profile | A forwarding profile associates multiple destinations when network activity is forwarded. This parameter is applicable only when the event format is JSON. |
- Optional (deprecated): If you are using the TCP over SSL protocol, follow these steps:
  - From the command line of the event collector or processor that uses the routing rule to forward data, change to the /tmp directory.
  - Run the following command: /opt/qradar/bin/getcert.sh tlssyslog_server_ip tlssyslog_port. A copy of the client certificate is downloaded from the target system and is named with the IP address and port that you downloaded it from.
  - Move the certificate to /opt/qradar/conf/trusted_certificates/.
  - Restart event collection. If online forwarding is enabled, run: systemctl restart ecs-ec. If offline forwarding is enabled, run: systemctl restart ecs-ep.
- Optional: If you are using the TCP over TLS protocol and the destination requires a client certificate to connect, upload the certificate through the API. For the steps, see QRadar: Forwarding events over TLS, adding a Client cert through QRadar API.
- On the Admin tab, select Routing Rules, and configure a new rule that uses the forwarding destination that you configured. Enable the rule.
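The "Prefix a syslog header if it is missing or invalid" behavior described in Table 1, worked through as an added example (this is not QRadar code): it checks whether an outbound payload already carries a syslog header and, only when the option is enabled and the header is missing or invalid, prefixes an RFC 3164 header whose Hostname field is the originating IP address. The header grammar accepted as "valid", the default PRI value of 13, and the sample messages are assumptions; the page does not define what QRadar treats as a valid header.

```python
import re
from datetime import datetime

# Assumed header grammar (the page does not define "valid"): an RFC 3164 header
# "<PRI>Mmm dd hh:mm:ss host " with PRI in 0..191, or an RFC 5424 header
# "<PRI>1 TIMESTAMP HOSTNAME ".
_RFC3164 = re.compile(r"^<(?P<pri>\d{1,3})>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2} (?P<host>\S+) ")
_RFC5424 = re.compile(r"^<(?P<pri>\d{1,3})>1 \S+ (?P<host>\S+) ")


def has_valid_syslog_header(message: str) -> bool:
    """True when the outbound message already starts with a header we accept."""
    for pattern in (_RFC3164, _RFC5424):
        m = pattern.match(message)
        if m and int(m.group("pri")) <= 191:
            return True
    return False


def prefix_syslog_header(message: str, origin_ip: str, now: datetime, pri: int = 13) -> str:
    """Prefix an RFC 3164 header whose Hostname field is the originating IP.
    PRI 13 (facility user, severity notice) is an assumed default."""
    # RFC 3164 pads a single-digit day with a space, not a zero.
    stamp = f"{now:%b} {now.day:2d} {now:%H:%M:%S}"
    return f"<{pri}>{stamp} {origin_ip} {message}"


def prepare_for_forwarding(message: str, origin_ip: str, prefix_enabled: bool, now: datetime) -> str:
    """Checkbox semantics: prefix only when the option is selected and the header is invalid;
    otherwise the data is sent unmodified."""
    if prefix_enabled and not has_valid_syslog_header(message):
        return prefix_syslog_header(message, origin_ip, now)
    return message


# Constructed sample input: a well-formed message, one with no header, one with an out-of-range PRI.
SAMPLE_TIME = datetime(2024, 3, 7, 9, 5, 2)
SAMPLE_ORIGIN = "10.0.0.5"
SAMPLE_MESSAGES = [
    "<34>Oct 11 22:14:15 fw01 sshd[812]: Failed password for root from 198.51.100.7",
    "fw01 kernel: eth0 link down",
    "<999>Oct 11 22:14:15 fw01 app: bad priority value",
]


def demo(prefix_enabled: bool = True) -> list:
    """Run the sample messages through the forwarding check with a fixed clock."""
    return [prepare_for_forwarding(m, SAMPLE_ORIGIN, prefix_enabled, SAMPLE_TIME) for m in SAMPLE_MESSAGES]


if __name__ == "__main__":
    for out in demo():
        print(out)
```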
What to do next
Setting up a forwarding destination does not automatically send data to that destination.
You must configure either a routing rule or a custom rule to forward data to the destination. For
more information, see Configuring routing rules to forward data.