The Log Activity tab in the IBM QRadar console displays real-time information about the data transferred from Data Connector to the console: 

When you click a log event, the console will display detailed information about it:

If the events are shown as Unknown in the QRadar SIEM server, then do the following:

1. Inspect the unknown event’s packet to identify the category name associated with the event.

2. Create an Event Categorization with the category name. This will generate a QID.

3. Map the unknown event to the generated QID. All future events that match these criteria will be mapped to the specified QID.

For details, see Universal LEEF event map creation and Creating an event map and categorization.
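For step 1 above, the following added example (not taken from the Infoblox or IBM documentation) parses a LEEF 1.0 or 2.0 payload and returns the event ID from the header together with the `cat` attribute, the values you would compare against when creating the categorization and the event map. The sample payloads are constructed, the vendor and product names are placeholders, and reading the category name from `cat` is an assumption to check against the payload your Data Connector actually sends.

```python
import re

# A syslog header may precede the "LEEF:" marker; the LEEF header is pipe-delimited.
LEEF_RE = re.compile(r"LEEF:(?P<ver>[12]\.0)\|(?P<rest>.*)", re.DOTALL)
# LEEF 2.0 optional delimiter field: one literal character or a hex code (x09, 0x5E).
DELIM_RE = re.compile(r"(?P<spec>0?x[0-9A-Fa-f]{2,4}|[^|])\|(?P<attrs>.*)", re.DOTALL)


def parse_leef(line):
    """Return the LEEF header fields and attributes of one event as a dict."""
    m = LEEF_RE.search(line)
    if not m:
        raise ValueError("no LEEF header found")
    fields = m.group("rest").split("|", 4)
    if len(fields) < 5:
        raise ValueError("truncated LEEF header")
    vendor, product, version, event_id, attrs = fields
    delim = "\t"  # LEEF 1.0 attributes are always tab-separated
    if m.group("ver") == "2.0":
        d = DELIM_RE.fullmatch(attrs)
        if d:  # explicit delimiter field present; otherwise tab is assumed
            spec, attrs = d.group("spec"), d.group("attrs")
            delim = spec if len(spec) == 1 else chr(int(spec.lower().split("x")[1], 16))
    pairs = (p.split("=", 1) for p in attrs.rstrip("\r\n").split(delim) if "=" in p)
    return {"vendor": vendor, "product": product, "version": version,
            "event_id": event_id, "attrs": {k.strip(): v for k, v in pairs}}


def mapping_keys(line):
    """Event ID (header) and category (`cat` attribute, assumed) for one event."""
    event = parse_leef(line)
    return event["event_id"], event["attrs"].get("cat")


# Constructed sample payloads (not captured from a real Data Connector).
SAMPLE_V1 = ("<134>Jan  1 00:00:00 dc.example.test "
             "LEEF:1.0|ExampleVendor|ExampleProduct|1.0|DNS Response|"
             "src=192.0.2.10\tdst=192.0.2.53\tcat=DNS Response\tqname=www.example.test")
SAMPLE_V2 = "LEEF:2.0|ExampleVendor|ExampleProduct|1.0|DNS Query|^|src=192.0.2.10^cat=DNS Query"

if __name__ == "__main__":
    for sample in (SAMPLE_V1, SAMPLE_V2):
        print(mapping_keys(sample))
```

An event whose payload has no `cat` attribute returns `None` as the second value, which tells you only the header event ID is available for mapping.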

To receive DNS queries and responses from Data Connector, configure a log source on the console:

1. Log in to the console.

2. Open the Admin tab, click Data Sources > Events, and click Log Sources.

3. Click Add. The Log Sources screen will open:

4. Specify the following:

  • Log Source Name: Provide a name that does not exceed 256 characters.
  • Log Source Description: Provide a description that does not exceed 256 characters.
  • Log Source Type: Select Universal LEEF. Infoblox supports the Universal LEEF Syslog format for IBM QRadar.
  • Protocol Configuration: To use the TLS encryption protocol for Syslog, select TLS Syslog.
  • Log Source Identifier: Specify the same IP address as the one you specified while configuring the destination in Data Connector.
  • TLS Listen Port: Specify the same port number as the one you specified while configuring the destination in Data Connector.
  • Authentication Mode: To use the TLS encryption protocol for authentication, select TLS.
  • Certificate Type: Select Generate Certificate. TLS will use the certificate to encrypt and authenticate data transfer.
  • Enabled: Select this checkbox.
  • Please select any groups you would like this log source to be a member of: Select the checkbox next to the group to which you want to add the log source.

5. In the Admin tab of the console, click Deploy Changes:


6. Click Save.

For more information, refer to the IBM QRadar documentation.
