IBM Support

QRadar: Forward QRadar appliance internal audit logs between two separate consoles

Troubleshooting


Problem

If more than One QRadar Console exists in your infrastructure, you might want an exact duplicate SIM Audit logs between both appliances as a preference. For example: Console 1 will log only Console 1 audit logs. Only Console 2 will log Console 2 audit logs. The result is to have audit logs from Console 1 and Console 2 logs, appear on both consoles.

Resolving The Problem

Here are the steps that you need to perform to forward internal QRadar Audit logs between two QRadar Consoles.
You must repeat this step on both or all of the QRadar consoles:

  1. Log into the console and click Admin tab

  2. Click Forwarding Destination and add the other console appliance IP and save.



  3. Goto the Admin tab menu, select Routing Rules and click Add.

  4. Scroll to Data Source, Event Filters, select Log Source and then select SIM Audit

    This will include all user activity under each QRadar Appliance. Then, click Add Filter.
    (see example)



  5. Under Routing Options, click Forward then select the check box for the appliance you entered in step 2. Then, click Save.



  6. Click Deploy Changes

Now you should see SIM Audit logs from multiple consoles.

You can do that by going to the Log Activity tab menu > Add Filter.

Parameter > Log source [Indexed] Operator Equals Log Source Filter SIM Audit.

Then click Add Filter






Where do you find more information?

[{"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Component":"Admin Console","Platform":[{"code":"PF016","label":"Linux"}],"Version":"Version Independent","Edition":"All Editions","Line of Business":{"code":"LOB24","label":"Security Software"}}]

Document Information

Modified date:
16 June 2018

UID

swg21959260