Disconnected Log Collector overview

IBM® Disconnected Log Collector sends events to an IBM QRadar® deployment by using either the User Datagram Protocol (UDP) or Transport Layer Security over the Transmission Control Protocol (TLS over TCP). When Disconnected Log Collector uses TLS over TCP, it buffers incoming events while it is disconnected from QRadar and sends them when the connection is restored. Buffer capacity can be configured and is limited by the available memory and disk space.
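The transport choice above matters operationally: with UDP, events that arrive while the link to QRadar is down are simply lost, whereas with TLS over TCP they are held in a bounded buffer and flushed on reconnect. The following is an added illustrative model of that store-and-forward behaviour, not IBM's code; the `Collector` class, the event-count `capacity` and the drop-on-overflow policy are assumptions made for the example (the product documents a configurable capacity limited by memory and disk, not this exact policy).

```python
"""Store-and-forward model of a log collector with two transports.

Added example (not IBM Disconnected Log Collector code). It shows why a
buffering TLS-over-TCP transport preserves events across an outage while
UDP does not, and how a configured capacity bounds what can be retained.
"""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class Collector:
    transport: str                      # "udp" or "tls" (assumed labels)
    capacity: int = 1000                # assumed: buffer limit in events
    connected: bool = True
    buffer: deque = field(default_factory=deque)
    delivered: list = field(default_factory=list)
    dropped: int = 0

    def ingest(self, event: str) -> None:
        """Accept one incoming event from a log source."""
        if self.connected:
            self.delivered.append(event)    # link up: forward immediately
        elif self.transport == "tls":
            # TLS over TCP: retain the event until the link is restored,
            # but only up to the configured capacity (assumed drop policy).
            if len(self.buffer) < self.capacity:
                self.buffer.append(event)
            else:
                self.dropped += 1
        else:
            # UDP: no session, no buffering; the event is lost.
            self.dropped += 1

    def set_connected(self, up: bool) -> None:
        """Model a link state change; on reconnect, flush the buffer in order."""
        self.connected = up
        if up:
            while self.buffer:
                self.delivered.append(self.buffer.popleft())


def simulate(transport: str, capacity: int = 3):
    """Run a fixed outage scenario and return (delivered, dropped).

    Constructed scenario: one event while connected, four during an
    outage, one after reconnect.
    """
    c = Collector(transport=transport, capacity=capacity)
    c.ingest("e1")
    c.set_connected(False)
    for ev in ("e2", "e3", "e4", "e5"):
        c.ingest(ev)
    c.set_connected(True)
    c.ingest("e6")
    return c.delivered, c.dropped


if __name__ == "__main__":
    for t in ("udp", "tls"):
        delivered, dropped = simulate(t)
        print(f"{t}: delivered={delivered} dropped={dropped}")
```

Running the scenario with a capacity of three shows UDP delivering only the two events that arrived while the link was up, while the TLS transport delivers those plus the first three buffered events and drops only the one that exceeded capacity. Sizing the buffer against expected outage length and event rate is therefore part of deploying the collector, and a monitor on dropped or queued counts is the detection you want for a silently undersized buffer.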

You can use as many Disconnected Log Collector instances as you need in your QRadar environment.

The following image shows an example of Disconnected Log Collector deployed in a QRadar environment.

Figure 1. Disconnected Log Collector

Disconnected Log Collector is pre-configured to collect log information from UDP and TCP syslog log sources, and can also be configured for the following log sources:

  • Akamai Kona REST API
  • Amazon AWS S3 REST API
  • Amazon Web Services
  • Apache Kafka
  • Ariel REST API
  • Blue Coat Web Security Service (WSS) REST API
  • Box REST API
  • Centrify Redrock REST API
  • Cisco Firepower eStreamer
  • Google G Suite Activity Reports REST API
  • IBM Security Verify Event Service (formerly IBM Cloud® Identity Event Service)
  • JDBC
  • JDBC - SiteProtector
  • Log File Protocol
  • Microsoft Azure Event Hubs
  • Windows Defender® for Endpoint REST API
    Important: Due to a change in the Microsoft Defender API suite as of 25 November 2021, Microsoft no longer allows the onboarding of new integrations with their SIEM API.

    To continue to receive data from Microsoft Defender for Endpoint REST API log sources, you must register a new application and create Microsoft Graph Security API log sources to collect the data. For more information, see Migrating Microsoft Defender for Endpoint REST API log sources to Microsoft Graph Security API log sources.

  • Microsoft DHCP Protocol
  • Microsoft Exchange
  • Microsoft Graph Security API
  • Microsoft IIS
  • Microsoft Security Event Log over MSRPC
  • Microsoft Office 365 REST API
  • Microsoft Office 365 Message Trace REST API
  • MQ protocol - MQJMS
  • Netskope Active REST API
  • Okta REST API
  • Oracle Database Listener
  • Salesforce REST API
  • Seculert Protection REST API
  • SMB Tail
  • SNMPv2
  • SNMPv3
  • Syslog Redirect
  • TCP Multiline Syslog
  • TLS Syslog
  • UDP Multiline Syslog
  • Universal Cloud REST API
  • VMware vCloud Director