
The Log Activity tab in the IBM QRadar console displays real-time information about the events that Data Connector forwards to the console:

Image: The IBM QRadar Security Intelligence "Log Activity" tab, which displays a table of security events.

When you click a log event, the console displays detailed information about it:

Image: The "Log Activity" view of a single event. The Event Information section shows the magnitude, relevance, severity, credibility, start time, storage time, and log source time. The Source and Destination Information section shows the source IP and port, the destination IP and port, the IPv6 source and destination, and other details.

If events from Data Connector are shown as Unknown in the QRadar SIEM server, do the following:

1. Inspect the unknown event's payload (the LEEF header and its attributes) to identify the event ID and the category name associated with the event.

2. Create an Event Categorization using that category name. QRadar generates a QID for it.

3. Map the unknown event to the generated QID. All future events that match these criteria are mapped to the specified QID.

For details, see the IBM QRadar topics Universal LEEF event map creation and Creating an event map and categorization.
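Step 1 above is easier with a small parser than by reading the raw packet. The following Python script is an added example, not Infoblox or IBM code: it splits a LEEF 1.0 or 2.0 payload into its header fields and attributes and returns the LEEF EventID together with the reserved `cat` attribute, the two values you need when creating the Event Categorization and QID map. The sample syslog lines, the `dns.query`/`dns.response` category names and the `DNS_QUERY`/`DNS_RESPONSE` event IDs are constructed for illustration and are not captured Data Connector output.

```python
"""Pull the event ID and category out of a raw LEEF payload.

Added example (not Infoblox or IBM code). The LEEF lines below are constructed
samples, not captured Data Connector output.
"""
import re
from typing import Dict, Tuple

HEADER_RE = re.compile(r"LEEF:(?P<ver>[12]\.0)\|")

# Constructed LEEF 1.0 sample: attributes are tab-separated.
SAMPLE_LEEF1 = (
    "<14>Jan  1 12:00:00 dc01 LEEF:1.0|Infoblox|Data Connector|1.0|DNS_QUERY|"
    "devTime=Jan 01 2024 12:00:00\tsrc=10.0.0.5\tdst=10.0.0.53\t"
    "cat=dns.query\tqname=example.com"
)
# Constructed LEEF 2.0 sample: the extra header field declares '^' as delimiter.
SAMPLE_LEEF2 = (
    "<14>1 2024-01-01T12:00:00Z dc01 LEEF:2.0|Infoblox|Data Connector|1.0|"
    "DNS_RESPONSE|^|src=10.0.0.53^dst=10.0.0.5^cat=dns.response^rcode=NXDOMAIN"
)


def _is_delimiter(field: str) -> bool:
    """LEEF 2.0 delimiter field: a single character or a hex form such as x09."""
    return len(field) == 1 or bool(re.fullmatch(r"[xX][0-9a-fA-F]{2}", field))


def _decode_delimiter(field: str) -> str:
    return chr(int(field[1:], 16)) if len(field) == 3 else field


def parse_leef(line: str) -> Dict[str, Dict[str, str]]:
    """Split one syslog line carrying LEEF into header fields and attributes.

    Header fields and attributes are kept in separate dicts so that an
    attribute named e.g. 'vendor' cannot overwrite the header value.
    """
    m = HEADER_RE.search(line)
    if not m:
        raise ValueError("no LEEF 1.0/2.0 header in line")
    version = m.group("ver")
    body = line[m.end():]
    delim = "\t"                                  # default for both versions
    if version == "2.0":
        parts = body.split("|", 5)
        if len(parts) == 6 and _is_delimiter(parts[4]):
            delim = _decode_delimiter(parts[4])   # explicit delimiter field
            parts = parts[:4] + [parts[5]]
        else:
            parts = body.split("|", 4)            # delimiter field omitted
    else:
        parts = body.split("|", 4)
    if len(parts) != 5:
        raise ValueError("malformed LEEF header: expected vendor|product|version|eventId|attrs")
    vendor, product, pver, event_id, attrs = parts
    header = {"version": version, "vendor": vendor, "product": product,
              "productVersion": pver, "eventId": event_id}
    attributes: Dict[str, str] = {}
    for kv in attrs.split(delim):
        if "=" in kv:                             # split on the first '=' only
            key, value = kv.split("=", 1)
            attributes[key] = value
    return {"header": header, "attrs": attributes}


def qid_map_inputs(line: str) -> Tuple[str, str]:
    """Return (eventId, cat): the LEEF EventID header field and the reserved
    'cat' attribute, which together identify the event in the QID map."""
    ev = parse_leef(line)
    return ev["header"]["eventId"], ev["attrs"].get("cat", "")


if __name__ == "__main__":
    for sample in (SAMPLE_LEEF1, SAMPLE_LEEF2):
        event_id, cat = qid_map_inputs(sample)
        print(f"EventID={event_id!r} cat={cat!r}")
```

Run it against a line copied from the event's payload view in Log Activity; if `cat` comes back empty, the sender did not set the category attribute and you will have to categorize on the EventID alone.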

To receive DNS queries and responses from Data Connector, configure a log source on the console:

1. Log in to the console.

2. Open the Admin tab, go to Data Sources > Events, and click Log Sources.


3. Click Add. The Log Sources screen opens:

Image: The Log Sources screen, which contains the configuration fields for a log source.

4. Specify the following:

  • Log Source Name: Provide a name that does not exceed 256 characters.
  • Log Source Description: Provide a description that does not exceed 256 characters.
  • Log Source Type: Select Universal LEEF. Infoblox Data Connector sends events to IBM QRadar in the Universal LEEF syslog format.
  • Protocol Configuration: Select TLS Syslog so that the syslog stream is encrypted with TLS.
  • Log Source Identifier: Specify the same IP address that you entered when configuring the QRadar destination in Data Connector.
  • TLS Listen Port: Specify the same port number that you entered when configuring the QRadar destination in Data Connector.
  • Authentication Mode: Select TLS. In this mode only the QRadar listener presents a certificate; Data Connector does not need a client certificate.
  • Certificate Type: Select Generate Certificate. QRadar creates a self-signed certificate that TLS uses to authenticate the listener and encrypt the transfer. Because it is self-signed, the sending side must trust that certificate for the handshake to succeed.
  • Enabled: Select this checkbox.
  • Please select any groups you would like this log source to be a member of: Select the checkbox next to each group that the log source should belong to.

5. Click Save.

6. In the Admin tab of the console, click Deploy Changes so that the new log source takes effect:

Image: The IBM QRadar Security Intelligence "Admin" tab displaying the Deploy Changes panel.

For more information, refer to the IBM QRadar documentation.
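Once the changes are deployed, it is worth confirming from the sender's side of the network that the TLS listener accepts a connection with the generated certificate before troubleshooting Data Connector itself. The following Python script is an added example, not Infoblox or IBM code: it wraps a LEEF payload in an RFC 5424 syslog header, pins the listener's self-signed certificate by loading it as the only trusted CA, and sends the event over TLS. The host, port, certificate file path (a copy of the certificate QRadar generated), the one-message-per-line framing and the sample LEEF event are all assumptions for this example.

```python
"""Send a test LEEF event to a QRadar TLS Syslog listener.

Added example (not Infoblox or IBM code). Host, port, certificate path, the
newline framing and the sample event are assumptions for this example.
"""
import socket
import ssl
import sys
from datetime import datetime, timezone
from typing import List, Optional

# Constructed sample event in the Universal LEEF format (assumed values).
SAMPLE_LEEF = ("LEEF:1.0|Infoblox|Data Connector|1.0|DNS_QUERY|"
               "src=10.0.0.5\tdst=10.0.0.53\tcat=dns.query\tqname=example.com")


def build_message(leef: str, hostname: str = "dc01", app: str = "data-connector",
                  facility: int = 1, severity: int = 6,
                  timestamp: Optional[str] = None) -> bytes:
    """Wrap a LEEF payload in an RFC 5424 syslog header, one message per line.

    PRI is facility * 8 + severity; the defaults give <14> (user.info).
    """
    if not leef.startswith("LEEF:"):
        raise ValueError("payload must start with a LEEF header")
    if timestamp is None:
        timestamp = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    pri = facility * 8 + severity
    return f"<{pri}>1 {timestamp} {hostname} {app} - - - {leef}\n".encode("utf-8")


def tls_context(cafile: str) -> ssl.SSLContext:
    """Trust only the certificate QRadar generated for this listener.

    The generated certificate is self-signed and its CN need not match the
    listener's IP, so hostname checking is off, but the certificate itself
    is still required and verified against the pinned file.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def send_events(host: str, port: int, cafile: str, messages: List[bytes]) -> int:
    """Open one TLS connection, send every framed message, return bytes sent.

    A certificate mismatch surfaces here as ssl.SSLCertVerificationError, which
    means the sender does not trust the certificate the listener presents.
    """
    ctx = tls_context(cafile)
    sent = 0
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            for msg in messages:
                tls.sendall(msg)
                sent += len(msg)
    return sent


if __name__ == "__main__":
    if len(sys.argv) != 4:
        sys.exit("usage: send_leef_tls.py <qradar-ip> <tls-port> <qradar-cert.pem>")
    host, port, cafile = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    n = send_events(host, port, cafile, [build_message(SAMPLE_LEEF)])
    print(f"sent {n} bytes to {host}:{port}; check Log Activity for the event")
```

After a successful run the event should appear in Log Activity under the new log source, with the Log Source Identifier matching the address you configured. If the connection is accepted but the event shows as Unknown, go back to the QID mapping procedure above.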
