If more than one QRadar Console exists in your infrastructure, you might want an exact duplicate of the SIM Audit logs on both appliances. For example, Console 1 logs only Console 1 audit logs, and Console 2 logs only Console 2 audit logs. The goal is to have the audit logs from both Console 1 and Console 2 appear on both consoles.
Resolving The Problem
Perform the following steps to forward internal QRadar Audit logs between two QRadar Consoles.
You must repeat these steps on both, or all, of the QRadar Consoles:
1. Log in to the console and click the Admin tab.
2. Click Forwarding Destinations, add the IP address of the other console appliance, and save.
3. In the Admin tab menu, select Routing Rules and click Add.
4. Scroll to Data Source, Event Filters, select Log Source, and then select SIM Audit. This includes all user activity under each QRadar appliance. Then click Add Filter.
5. Under Routing Options, click Forward, then select the check box for the appliance you entered in step 2. Then click Save.
6. Click Deploy Changes.
You should now see SIM Audit logs from multiple consoles.
To check, go to the Log Activity tab and click Add Filter.
Set Parameter to Log Source [Indexed], Operator to Equals, and Log Source Filter to SIM Audit.
Then click Add Filter.
16 June 2018