Question & Answer
What is the Target Event Collector used for in QRadar?
The Target Event Collector used to be a value that told QRadar which Event Processor would parse the data from the log source. Today, syslog-based log sources are processed on any Event Processor regardless of the Target Event Collector setting. This allows us to support load balancers and DNS load balancers with no changes to QRadar or other configuration settings. For inbound data sources that are auto-detected, the "Target Event Collector" could indicate the Event Processor on which the log source was detected and created.
With protocol-based log sources such as JDBC, WMI, CheckPoint Opsec, and Log File Protocol, where we are connecting out to a log source, this setting is important because it controls which QRadar appliance connects to the remote device to get the data. These log sources cannot be easily moved around, since firewall changes may need to be made. If any of these log sources were moved and the firewall rules were not updated, the log source could go into an error state and QRadar would not get the data.
16 June 2018