Setting up a QRadar log source

You must configure a dedicated log source so that QRadar can receive Syslog messages from a source.

About this task

Important: You must set the Log Source Type and Protocol Configuration parameters correctly. Otherwise, the Syslog events that you send are not received or parsed correctly. For more information, see the QRadar documentation.

Procedure

  1. Log on to the QRadar SIEM console.
  2. Click the Admin tab.
  3. Under the Data Sources > Events section, click Log Sources.
  4. Click Add to create a log source.
  5. Set the following minimum parameters:
    Log Source Name
        Enter a title for the log source. This name appears in the log activity window.
    Log Source Description
        Enter a description for the log source.
    Log Source Type
        Identify the format of the events. Select the value Universal LEEF.
        If you do not select the value Universal LEEF, QRadar cannot parse the Syslog messages that you send through the QRadar Connector.
    Protocol Configuration
        Select the protocol for this log source. Select the value Syslog, which is the protocol that the QRadar Connector uses.
    Log Source Identifier
        Enter the IP address of your IBM Security Directory Integrator server.
    Enabled
        Select this option to enable the log source.
  6. Click Save.
  7. On the Admin tab of the QRadar SIEM console, click Deploy Changes to activate your new log source.

What to do next

Test the IBM Security Directory Integrator and QRadar integration solution. See Verifying the solution.
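
An added example (not part of the original procedure and not IBM's code) for checking a test event against the parameters set in step 5: it builds a LEEF 1.0 event with a syslog header and reports why the log source would miss or misparse it. It assumes that QRadar matches the host field of the syslog header against Log Source Identifier and listens on UDP 514; the vendor, product, event ID, attribute names and 192.0.2.x addresses are constructed.

```python
import socket
from datetime import datetime

def _clean(value):
    # Tabs and newlines in a value would split the event or add fake attributes.
    return str(value).replace("\t", " ").replace("\r", " ").replace("\n", " ")

def build_leef_syslog(identifier, vendor, product, version, event_id, attrs,
                      when=None, pri=13):
    """Build one syslog line carrying a LEEF 1.0 event (pri 13 = user.notice)."""
    when = when or datetime.now()
    # Syslog timestamp: the day of month is space-padded, e.g. "Jan  5".
    stamp = f"{when.strftime('%b')} {when.day:2d} {when.strftime('%H:%M:%S')}"
    for field in (vendor, product, version, event_id):
        if "|" in field:
            raise ValueError(f"'|' is the LEEF header delimiter: {field!r}")
    # LEEF 1.0 attributes are key=value pairs separated by tabs.
    body = "\t".join(f"{k}={_clean(v)}" for k, v in attrs.items())
    return (f"<{pri}>{stamp} {identifier} "
            f"LEEF:1.0|{vendor}|{product}|{version}|{event_id}|{body}")

def check_event(line, log_source_identifier):
    """Return a list of reasons the log source would miss or misparse the line."""
    head, sep, leef = line.partition("LEEF:")
    if not sep:
        return ["no LEEF header, so a Universal LEEF log source cannot parse it"]
    problems = []
    fields = head.split()
    host = fields[-1] if fields else ""
    if host != log_source_identifier:
        problems.append(f"header host {host!r} != identifier {log_source_identifier!r}")
    if len(leef.split("|", 5)) != 6:
        problems.append("LEEF header must be version|vendor|product|version|eventID|")
    return problems

def send_udp(line, qradar_host, port=514):
    """Send one event to the QRadar syslog listener (assumed UDP 514)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(line.encode("utf-8"), (qradar_host, port))

# Constructed sample: 192.0.2.10 stands in for the Directory Integrator server.
SAMPLE = build_leef_syslog(
    "192.0.2.10", "ExampleVendor", "ExampleProduct", "1.0", "UserAdded",
    {"usrName": "jdoe", "note": "line1\nline2"}, when=datetime(2024, 1, 5, 10, 0, 0))

if __name__ == "__main__":
    print(SAMPLE)
    print(check_event(SAMPLE, "192.0.2.10") or "ok")
```

An empty list from `check_event` means the header host and LEEF header line up with the log source settings; `send_udp` is only needed when you want the event to show up in the log activity window.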