IBM Support

QRadar: What is a Target Event Collector

Question & Answer


Question

What is the Target Event Collector used for in QRadar?

Answer

The Target Event Collector indicates which Event Collector component (ecs-ec) owns the log source connection. For example, if you click the Test button in the Log Source Management application, any protocol tests run on the appliance set as the Target Event Collector. Connection, certificate, hostname, proxy, permissions, and event retrieval tests all run from the appliance set as the Target Event Collector. Event Processors (16xx), combination Event and Flow Processors (18xx), and Console (31xx) appliances all contain an Event Collector process, so you can set any of these appliances as the Target Event Collector. Most Console appliances have limited licenses, unless they are All-in-One appliances. When you send events to, or poll for remote events from, the Console in a distributed deployment, the Console license is typically set to 1,000 EPS or less and might cause license system notifications to trigger.

For Syslog log sources, the log sources are processed on any Event Processor regardless of the Target Event Collector setting, which allows administrators to use load balancers with no changes to QRadar or other configuration settings. For Syslog log sources that are auto discovered, the "Target Event Collector" indicates the Event Processor on which the log source was detected and created.

For polling log sources, which are log sources that connect to remote event sources, the Target Event Collector defines which QRadar appliance establishes the connection to the remote event source. Because polling log sources might have data in transit and polling intervals open, it is best to stop polling log sources before you change the Target Event Collector. Moving a polling log source might require administrators to add firewall exceptions in the network or update proxy configurations so that the new appliance can connect to the external event source.

Polling protocols to disable before you change the Target Event Collector

  • Amazon AWS S3 buckets (that do not have SQS queues configured)
  • JDBC
  • Microsoft Windows Security Event Log over MSRPC
  • BlueCoat REST API
  • Log File
  • Check Point OPSEC Lea



How to change the Target Event Collector value for a polling log source

  1. Log in to the QRadar Console as an administrator.
  2. Click the Admin tab.
  3. Click the Log Sources icon.
  4. Select your polling log source.
  5. In the Enabled column, select the toggle to set the log source to the Disabled state.
  6. Wait several minutes to allow the log source to close connections, finish polling, and update marker files.
  7. Edit the log source.
  8. Update the Target Event Collector field.
  9. Click Save.
  10. In the Enabled column, select the toggle to set the log source to the Enabled state.
  11. Optional. Depending on the log source changes made, you might be required to click Deploy Changes.
    Note: If you made changes, such as updating a port value, the Admin tab might require a Deploy Full Configuration. Certain parameters, such as port changes or a Target Event Collector change that needs ports opened, require an iptables update, which requires a full deploy.
  12. Optional. Depending on your log source type, you might need to move the cert to the /opt/qradar/conf/trusted_certificates directory on the new Target Event Collector.
    Note: Several log sources include protocol parameters to retrieve the certificates automatically. If your log source protocol type includes certificate fields, the log source might retrieve the certificate for you.

Results

The deployment is updated and the configurations are applied. Depending on your log source, the configuration might open required ports, set up paths, set up temporary files, or configure listeners for the appliance that is receiving data or making connections to a remote event source.
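The same disable, wait, re-home, re-enable sequence driven through the QRadar REST API, as an added example that is not from the IBM page. The log source endpoint path, the `enabled` and `target_event_collector_id` fields, and the SEC token header are assumptions about the log source management API, so confirm them against your deployment's API documentation; the wait mirrors step 6 so that open polls finish and marker files are written before the collector changes.

```python
import json
import time
import urllib.request

# Assumption (not stated on the IBM page): endpoint and field names of the
# QRadar log source management REST API used to edit a log source.
LOG_SOURCES_PATH = "/api/config/event_sources/log_source_management/log_sources"


class QRadarClient:
    """Minimal JSON client for the QRadar REST API, authenticated with a SEC token."""

    def __init__(self, console_url, sec_token, opener=urllib.request.urlopen):
        self.console_url = console_url.rstrip("/")
        self.sec_token = sec_token
        self.opener = opener  # injectable so the flow can be exercised offline

    def patch_log_source(self, log_source_id, fields):
        """Send a partial update for one log source and return the JSON reply."""
        req = urllib.request.Request(
            f"{self.console_url}{LOG_SOURCES_PATH}/{log_source_id}",
            data=json.dumps(fields).encode(),
            method="PATCH",
            headers={"SEC": self.sec_token,
                     "Content-Type": "application/json",
                     "Accept": "application/json"})
        with self.opener(req) as resp:
            return json.loads(resp.read().decode() or "{}")


def move_polling_log_source(client, log_source_id, new_collector_id,
                            settle_seconds=180, sleep=time.sleep):
    """Re-home a polling log source onto another Event Collector.

    Order matters: disable first so in-flight polls complete and marker files
    are updated, then change the collector, then re-enable. Returns the ordered
    list of updates sent so the caller can log them; a Deploy Changes (or a
    full deploy, if ports must be opened) may still be required afterwards.
    """
    steps = [{"enabled": False},
             {"target_event_collector_id": new_collector_id},
             {"enabled": True}]
    client.patch_log_source(log_source_id, steps[0])
    sleep(settle_seconds)  # give the old collector time to close connections
    client.patch_log_source(log_source_id, steps[1])
    client.patch_log_source(log_source_id, steps[2])
    return steps
```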


Document Information

Modified date:
28 July 2023

UID

swg22010480