Multiple data sources over TLS Syslog

You can configure multiple devices in your network to send encrypted Syslog events to a single TLS Syslog listen port. The TLS Syslog listener acts as a gateway: it decrypts the event data and feeds it to additional data sources within IBM® Security QRadar® Log Insights that are configured with the Syslog connector.

When using the TLS Syslog connector, there are specific parameters that you must use.

Multiple devices within your network that support TLS-encrypted Syslog can send encrypted events via a TCP connection to the TLS Syslog listen port. These encrypted events are decrypted by the TLS Syslog (gateway) and are injected into the event pipeline. The decrypted events get routed to the appropriate receiver data sources or to the traffic analysis engine for autodiscovery.

Events are routed within QRadar Log Insights to data sources whose Data source identifier value matches the source value of an event. For Syslog events with an RFC3164-, RFC5425-, or RFC5424-compliant Syslog header, the source value is the IP address or the host name from the header. For events that do not have a compliant header, the source value is the IP address of the device that sent the Syslog event.

On QRadar Log Insights, you can configure multiple data sources with the Syslog connector to receive encrypted events that are sent to a single TLS Syslog listen port from multiple devices.
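The routing rule described above, modeled as an added Python example (not QRadar's own code): the source value is the HOSTNAME field of an RFC 5424 or RFC 3164 header (after removing the RFC 5425 octet-count frame), falling back to the sender's IP address, and is then matched against the configured data source identifiers. The sample events, peer IP, and identifier table are constructed for the illustration.

```python
import re
from typing import Dict, Optional

# Constructed sample events, shaped like the examples in RFC 3164 and RFC 5424.
RFC5424_EVENT = ("<34>1 2003-10-11T22:14:15.003Z mymachine.example.com su - ID47 - "
                 "'su root' failed for lonvick on /dev/pts/8")
RFC3164_EVENT = "<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8"
NO_HEADER_EVENT = "<13>application message with no syslog header"

# RFC 5424 header: <PRI>VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME ...
RFC5424_RE = re.compile(r"^<\d{1,3}>\d{1,2} (?P<ts>\S+) (?P<host>\S+) ")
# RFC 3164 header: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG...
RFC3164_RE = re.compile(r"^<\d{1,3}>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2} (?P<host>\S+) ")


def strip_octet_count(frame: str) -> str:
    """RFC 5425 frames each message as 'MSG-LEN SP SYSLOG-MSG'; drop a valid length prefix."""
    m = re.match(r"^(\d+) ", frame)
    if m and len(frame) - m.end() == int(m.group(1)):
        return frame[m.end():]
    return frame


def header_source(raw: str) -> Optional[str]:
    """HOSTNAME from a compliant header, or None when no compliant header is present."""
    m = RFC5424_RE.match(raw)
    if m:
        host = m.group("host")
        return None if host == "-" else host  # "-" is the RFC 5424 NILVALUE
    m = RFC3164_RE.match(raw)
    return m.group("host") if m else None


def routing_source(raw: str, peer_ip: str) -> str:
    """Value compared against each data source identifier: header host, else sender IP."""
    return header_source(strip_octet_count(raw)) or peer_ip


def route_event(raw: str, peer_ip: str, data_sources: Dict[str, str]) -> Optional[str]:
    """Name of the data source whose identifier matches, or None (left to autodiscovery)."""
    return data_sources.get(routing_source(raw, peer_ip))


if __name__ == "__main__":
    # Constructed identifier table: identifier -> data source name.
    sources = {"mymachine.example.com": "Linux OS (TLS)", "10.0.0.5": "Firewall (TLS)"}
    for ev in (RFC5424_EVENT, RFC3164_EVENT, NO_HEADER_EVENT):
        print(routing_source(ev, "10.0.0.5"), "->", route_event(ev, "10.0.0.5", sources))
```

An event whose header host matches no configured identifier returns None here, which corresponds to the event being handed to the traffic analysis engine for autodiscovery.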

Note: Most TLS-enabled clients require the target server or listener's public certificate to authenticate the server's connection. By default, a TLS Syslog data source generates a certificate that is named syslog-tls.cert in /opt/qradar/conf/trusted_certificates/ on the target Event Collector that the data source is assigned to. This certificate file must be copied to all clients that are making a TLS connection.

To add a data source over TLS Syslog, go to Adding ingestion data sources.