You must configure a dedicated log source for QRadar to receive Syslog messages from a source.
About this task
Important: You must set the Log Source Type and Protocol Configuration parameters correctly. Otherwise, the Syslog events that you send are not received or parsed correctly. For more information, see the QRadar documentation.
Procedure
- Log on to the QRadar SIEM console.
- Click the Admin tab.
- Under the Data Sources > Events section, click Log Sources.
- Click Add to create a log source.
- Set the following minimum parameters:
  - Log Source Name: Enter a title for the log source. This name appears in the log activity window.
  - Log Source Description: Enter a description for the log source.
  - Log Source Type: Identify the format of the events. Select the value Universal LEEF. If you do not select the value Universal LEEF, QRadar cannot parse the Syslog messages that you send through the QRadar Connector.
  - Protocol Configuration: Select the protocol for this log source. Select the value Syslog, which is the protocol that the QRadar Connector uses.
  - Log Source Identifier: Enter the IP address of your IBM Security Directory Integrator server.
  - Enabled: Select this option to enable the log source.
- Click Save.
- On the Admin tab of the QRadar SIEM console, click Deploy Changes to activate your new log source.
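
The following Python sketch is an added example, not part of the IBM documentation or the QRadar Connector. It builds a Syslog line with a LEEF 1.0 payload and checks a captured line against the parameters set above. The function names, the vendor, product and event values, and the address 192.0.2.10 are constructed for illustration, and the check assumes that the Syslog header carries the address entered as Log Source Identifier.

```python
import re
from datetime import datetime

# Constructed sample value: the address entered as Log Source Identifier.
LOG_SOURCE_IDENTIFIER = "192.0.2.10"
LEEF_HEADER_FIELDS = 5  # LEEF:1.0 | Vendor | Product | Version | EventID

SYSLOG_RE = re.compile(
    r"^<(\d{1,3})>([A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) (\S+) (.*)$", re.S)

def build_leef_syslog(host, vendor, product, version, event_id, attrs, when, pri=13):
    """Return one BSD-style Syslog line that carries a LEEF 1.0 payload."""
    for field in (vendor, product, version, event_id):
        if "|" in field:
            raise ValueError("pipe is the LEEF header delimiter: %r" % field)
    # LEEF 1.0 separates key=value attributes with a tab character.
    body = "\t".join("%s=%s" % (k, str(v).replace("\t", " "))
                     for k, v in attrs.items())
    header = "LEEF:1.0|%s|%s|%s|%s|" % (vendor, product, version, event_id)
    stamp = "%s %2d %s" % (when.strftime("%b"), when.day, when.strftime("%H:%M:%S"))
    return "<%d>%s %s %s%s" % (pri, stamp, host, header, body)

def check_line(line, identifier):
    """List the reasons a line would not match a Universal LEEF / Syslog log source."""
    m = SYSLOG_RE.match(line)
    if not m:
        return ["no syslog header (priority, timestamp, host)"]
    problems = []
    host, payload = m.group(3), m.group(4)
    if host != identifier:
        problems.append("header host %r != Log Source Identifier %r" % (host, identifier))
    if not payload.startswith("LEEF:1.0|"):
        problems.append("payload is not LEEF 1.0")
    elif len(payload.split("|", LEEF_HEADER_FIELDS)) != LEEF_HEADER_FIELDS + 1:
        problems.append("LEEF header needs 5 pipe-delimited fields")
    return problems

if __name__ == "__main__":
    # Constructed test event; the values are not real connector output.
    sample = build_leef_syslog(LOG_SOURCE_IDENTIFIER, "ExampleVendor", "ExampleConnector",
                               "1.0", "LOGIN_FAILED",
                               {"usrName": "jdoe", "src": "198.51.100.7"},
                               datetime(2024, 1, 5, 10, 0, 0))
    print(repr(sample))
    print(check_line(sample, LOG_SOURCE_IDENTIFIER) or "matches the log source settings")
```

An empty result from check_line means the line has a Syslog header, the configured identifier, and a well-formed LEEF 1.0 header.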
What to do next
Test the IBM Security Directory Integrator and QRadar integration solution. See Verifying the solution.