IBM Support

QRadar - How to collect Windows events via Microsoft® Azure Event Hub - quick start guide

How To


Summary

How to set up a Gateway log source for collecting Windows events.

Steps

Create a new log source in the Log Source Management (LSM) app:
Step 1: Select log source type Universal DSM.
Step 2: Select protocol type Microsoft Azure Event Hubs.
Step 3: Fill in the Name, Description fields and select Target Event Collector.
Step 4:
  • The Log Source Identifier (LSI) for this log source must not contain spaces and must be unique among all log sources of this type.
  • Fill in the necessary authentication information: either a connection string (preferred method), or the Namespace Name, Event Hub Name, SAS Key Name and SAS Key (deprecated method).
  • Fill in your consumer group.
  • If you need to use a Storage Account, enable this option and fill in your Storage Account Connection String.
  • Enable Use As A Gateway Log Source.
  • Define the LSI pattern, for example:
    $1=COMPUTERNAME=\"(.*?)\"
    The value captured from the COMPUTERNAME field of each event becomes the Log Source Identifier of the corresponding auto-detected log source.
Step 5: Run a Test (recommended) or click skip and Finish.
Step 6: Deploy the log source you just created.
Now you can bulk add Windows log sources with log source type Syslog on Azure, and enable the gateway log source if you haven't already.
Monitor Log Activity and you should see Windows log sources being auto-detected and parsed.
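The following is an added illustration of what the LSI pattern from Step 4 does; it is example code written for this page, not QRadar's own implementation. It converts the guide's `$1=COMPUTERNAME=\"(.*?)\"` notation into a plain regular expression (QRadar uses `$1=` to mean "capture group 1 is the identifier", and the backslashes escape the quotes inside the pattern field), runs it over a few constructed Windows-style event lines, and groups events by the identifier that would name each auto-detected log source. Events that do not match stay with the gateway log source, and the no-whitespace rule the guide states for the gateway LSI is applied here as a sanity check on captured identifiers (an assumption for the example, not documented QRadar behaviour).

```python
import re
from collections import defaultdict

# The guide's pattern, in QRadar's LSI-pattern syntax. "$1=" selects capture
# group 1 as the identifier; the backslashes escape the quotes in the field.
QRADAR_LSI_PATTERN = r'$1=COMPUTERNAME=\"(.*?)\"'


def qradar_pattern_to_regex(pattern: str) -> re.Pattern:
    """Convert a "$1=<regex>" string into a compiled Python regex.

    Only the "$1=" prefix and escaped quotes are handled, which is all the
    guide's pattern uses (assumption: a single-group pattern).
    """
    m = re.fullmatch(r'\$(\d+)=(.*)', pattern, re.DOTALL)
    if not m or m.group(1) != '1':
        raise ValueError('expected a pattern of the form $1=<regex>')
    body = m.group(2).replace(r'\"', '"')
    return re.compile(body)


def extract_lsi(event: str, regex: re.Pattern):
    """Return the identifier captured from one event, or None when the
    pattern does not match (such events stay on the gateway log source)."""
    m = regex.search(event)
    return m.group(1) if m else None


def is_valid_lsi(lsi: str) -> bool:
    """An LSI must be non-empty and contain no whitespace (the guide's rule
    for the gateway LSI, applied here to captured identifiers as well)."""
    return bool(lsi) and not any(ch.isspace() for ch in lsi)


def route_events(events, regex: re.Pattern):
    """Group events by the identifier the pattern extracts.

    Returns (routed, unmatched, rejected):
      routed    - dict LSI -> list of events for auto-detected log sources
      unmatched - events where the pattern did not match at all
      rejected  - (lsi, event) pairs whose captured LSI is not usable
    """
    routed = defaultdict(list)
    unmatched, rejected = [], []
    for ev in events:
        lsi = extract_lsi(ev, regex)
        if lsi is None:
            unmatched.append(ev)
        elif not is_valid_lsi(lsi):
            rejected.append((lsi, ev))
        else:
            routed[lsi].append(ev)
    return dict(routed), unmatched, rejected


# Constructed sample events (not real Azure or QRadar payloads): records that
# carry a COMPUTERNAME="..." field, one record without it, and one whose
# value contains a space.
SAMPLE_EVENTS = [
    'Channel=Security COMPUTERNAME="WEB01" EventID=4624 Message="An account was successfully logged on"',
    'Channel=Security COMPUTERNAME="WEB01" EventID=4634 Message="An account was logged off"',
    'Channel=System COMPUTERNAME="DC01.corp.example" EventID=7036 Message="Service entered the running state"',
    'Channel=Security EventID=4625 Message="An account failed to log on"',
    'Channel=Application COMPUTERNAME="bad host" EventID=1000 Message="Application error"',
]

if __name__ == '__main__':
    regex = qradar_pattern_to_regex(QRADAR_LSI_PATTERN)
    routed, unmatched, rejected = route_events(SAMPLE_EVENTS, regex)
    for lsi, evs in routed.items():
        print(f'{lsi}: {len(evs)} event(s) -> auto-detected log source')
    print(f'{len(unmatched)} event(s) stay on the gateway log source')
    for lsi, _ in rejected:
        print(f'captured identifier {lsi!r} contains whitespace and is not a usable LSI')
```

Running the script shows two auto-detected identifiers (`WEB01` with two events, `DC01.corp.example` with one), one event left on the gateway because it carries no COMPUTERNAME field, and one captured value flagged for containing a space. When choosing a pattern for your own events, confirm on real samples in Log Activity that the captured group is present in every event type you expect and yields a stable, space-free value per host; otherwise events silently remain on the gateway log source or are split across several auto-detected ones.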

Document Location

Worldwide


Document Information

Modified date:
22 July 2020

UID

ibm16251257