How to get your enterprise's security data into IBM QRadar
Before you can act on threats, you have bring your security data into your QRadar deployment.
Parag Patwardhan
IBM QRadar is a Security Information and Event Management (SIEM) tool that helps teams accurately detect and prioritize threats across the enterprise. Before you can act on threats, you have to bring your security data into your QRadar deployment.
There are a few ways to go about doing this, but we will focus on the most straightforward method below.
Push events to QRadar using syslog
In this method, the QRadar server is set up so that it listens for incoming events on a specific port, allowing us to then "push" the events to the server. This is one of the simplest methods to push events to the server, because it does not require you to install a QRadar app.
Syslog (System Logging Protocol) is a standard protocol used to send events to a logging server. IBM QRadar supports the syslog protocol out-of-the-box. In order to configure your QRadar server to accept syslog messages, you must set up a log source to listen on a specific port.
To do this, log into your QRadar console and click on the Admin tab
Click on Log Sources.
QRadar will prompt you to launch the new QRadar Log Source Management App. Click on Launch.
Click the New Log Source button at the top right to launch a wizard that will help you configure a log source.
Select Single Log Source for now.
The application that is sending the syslog messages will have a DSM built for QRadar. Select this DSM in the next step. If you do not have a custom DSM installed, you can install it from the Admin tab.
Alternately, you can select one of the Universal log source types. Select your log source type and move to Step 2 - Select Protocol Type.
Select Syslog as the protocol type and move to Step 3 - Configure Log Source Parameters.
Enter the Name of the log source and any optional parameters that you would like to set and move on to Step 4 - Configure Protocol Parameters.
In the final step, add the IP Address from where the events are being sent as the Log Source Identifier.
Hit Finish and you will see your log source configured and all set up.
Now that your log sources are set up, you need to deploy these changes in order for them to take effect.
Go to the Admin tab of your QRadar console and click on Deploy Changes. Wait for the deployment to finish (this can take a few minutes so don't worry if it's not immediate).
And that is it! Your log source is set up.
You can now push events to port 514 on your QRadar console and they will show up in the Log Activity tab.
If you have any questions about this process or want to learn about other methods of pushing your security data to QRadar, please feel free to reach out to me at parag@metronlabs.com.