IBM Qradar side what should I select as a log source type?

To those of you that are using QRoC/QRadar: if I am sending the data to QRoC as simple syslog, on the IBM QRadar side what should I select as a log source type? I went looking through the list and didn't see anything jump out at me, though I did see a few that could be considered generic. What I would like to know is what have others used?

Answers

  • Takashi Kumagai

    When configuring a log source, you should select syslog as the protocol after choosing the DSM.

  • bryce
    bryce Posts: 4 mod

    Should I select Universal LEEF as my log source type?

  • Takashi Kumagai

    It depends on the log. If you select Universal LEEF, your log payload should be in LEEF format. What type of log are you trying to send to QRadar?

  • bryce
    bryce Posts: 4 mod

    Currently it's AWS VPC flow logs; they are being sent to our QRoC Log gateway that is on-premises, then onto QRoC. My concern is that if I pick AWS and then also start sending PaloAlto FW or VMware logs, they may not be correctly received.

  • Takashi Kumagai

    AWS VPC Flow Logs is unique in QRadar because it takes in the flow logs and converts them into flow records. You won't see the logs in the Log Activity tab due to the conversion. If you send logs from Cribl via syslog, this conversion will likely not happen since the conversion is handled by the Amazon AWS S3 REST API protocol. If you just want the raw logs, you may need to create a Custom DSM unless you have one already.
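A worked example of the Universal LEEF route discussed above, added here and not code from any poster, Cribl or IBM: it parses one constructed default-format AWS VPC flow log record and emits it as a LEEF 1.0 event wrapped in a BSD syslog line, which is the payload shape the Universal LEEF log source type expects. The vendor/product strings, the relay hostname and the non-predefined attribute keys (packets, bytes, interfaceId, accountId) are placeholders of my own; as the reply above notes, events sent this way show up in Log Activity as events rather than being converted to flow records.

```python
from datetime import datetime, timezone

# Constructed sample record in the default VPC flow log (version 2) field order:
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status
SAMPLE_VPC_FLOW = ("2 123456789012 eni-0a1b2c3d 10.0.1.5 10.0.2.9 49152 443 6 "
                   "10 8400 1700000000 1700000060 ACCEPT OK")

VPC_FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr",
              "srcport", "dstport", "protocol", "packets", "bytes",
              "start", "end", "action", "log_status"]

def parse_vpc_flow(line):
    """Split one default-format VPC flow log line into a dict; reject malformed lines."""
    parts = line.split()
    if len(parts) != len(VPC_FIELDS):
        raise ValueError(f"expected {len(VPC_FIELDS)} fields, got {len(parts)}")
    return dict(zip(VPC_FIELDS, parts))

def leef_value(value):
    """LEEF 1.0 attributes are tab-delimited key=value pairs, so neutralise tabs,
    newlines and '=' inside values (assumption: no further escaping is applied)."""
    return str(value).replace("\t", " ").replace("\n", " ").replace("=", ":")

def vpc_flow_to_leef(rec, vendor="ExampleVendor", product="VPCFlowRelay", version="1.0"):
    """LEEF:1.0|Vendor|Product|Version|EventID| followed by tab-separated attributes.
    The VPC action (ACCEPT/REJECT) serves as EventID; vendor/product are placeholders."""
    start = datetime.fromtimestamp(int(rec["start"]), tz=timezone.utc)
    attrs = {
        "devTime": start.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "devTimeFormat": "yyyy-MM-dd'T'HH:mm:ss'Z'",  # Java SimpleDateFormat pattern
        "src": rec["srcaddr"], "dst": rec["dstaddr"],
        "srcPort": rec["srcport"], "dstPort": rec["dstport"], "proto": rec["protocol"],
        # Non-predefined keys (assumed names): QRadar only surfaces these as custom properties.
        "packets": rec["packets"], "bytes": rec["bytes"],
        "interfaceId": rec["interface_id"], "accountId": rec["account_id"],
    }
    header = f"LEEF:1.0|{vendor}|{product}|{version}|{rec['action']}|"
    return header + "\t".join(f"{k}={leef_value(v)}" for k, v in attrs.items())

def as_syslog(leef_event, hostname="relay01", facility=16, severity=6):
    """Wrap the event in a BSD syslog line; PRI = facility*8 + severity (local0.info = 134)."""
    ts = datetime.now(timezone.utc).strftime("%b %d %H:%M:%S")
    return f"<{facility * 8 + severity}>{ts} {hostname} {leef_event}"

if __name__ == "__main__":
    print(as_syslog(vpc_flow_to_leef(parse_vpc_flow(SAMPLE_VPC_FLOW))))
```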