Question

IBM Qradar side what should I select as a log source type?

  • March 11, 2025
  • 5 replies
  • 22 views

To those of you that are using QRoC/QRadar: if I am sending the data to QRoC as simple syslog, on the IBM QRadar side what should I select as a log source type? I went looking through the list and didn't see anything jump out at me, though I did see a few that could be considered generic. What I would like to know is what have others used?

5 replies

  • Participating Frequently
  • March 11, 2025

When configuring a log source, you should select syslog as the protocol after choosing the DSM.


  • Author
  • Employee
  • March 11, 2025

Should I select Universal LEEF as my log source type?


  • Participating Frequently
  • March 11, 2025

It depends on the log. If you select Universal LEEF, your log payload should be in LEEF format. What type of log are you trying to send to QRadar?


  • Author
  • Employee
  • March 11, 2025

Currently it's AWS VPC flow logs; they are being sent to our QRoC log gateway that is on premise, then on to QRoC. My concern is that if I pick AWS and then also start sending Palo Alto FW or VMware logs, they may not be correctly received.


  • Participating Frequently
  • March 11, 2025

AWS VPC Flow Logs is unique in QRadar because it takes in the flow logs and converts them into flow records. You won't see the logs in the Log Activity tab due to the conversion. If you send logs from Cribl via syslog, this conversion will likely not happen since the conversion is handled by the Amazon AWS S3 REST API protocol. If you just want the raw logs, you may need to create a Custom DSM unless you have one already.
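As an added illustration of the two points made in this thread (a Universal LEEF log source expects the payload itself to be LEEF, and VPC flow logs forwarded as plain syslog arrive as ordinary events rather than converted flow records), the following Python example is not from the thread or from IBM; it parses a constructed default-format VPC flow log record and wraps it as a LEEF 1.0 event inside a syslog line. The vendor/product labels, the event ID, the attribute names and the host name are assumptions chosen for the example, not values QRadar mandates.

```python
import datetime

# Constructed sample record in the default VPC flow log (version 2) field order;
# not data taken from the thread.
SAMPLE_FLOW_LOG = (
    "2 123456789012 eni-0a1b2c3d 10.0.1.25 198.51.100.7 49152 443 6 "
    "12 3456 1741687200 1741687260 ACCEPT OK"
)

VPC_FIELDS = ["version", "account-id", "interface-id", "srcaddr", "dstaddr",
              "srcport", "dstport", "protocol", "packets", "bytes",
              "start", "end", "action", "log-status"]

PROTO_NAMES = {"1": "ICMP", "6": "TCP", "17": "UDP"}


def parse_flow_log(line: str) -> dict:
    """Split one default-format VPC flow log record into a field dict."""
    parts = line.split()
    if len(parts) != len(VPC_FIELDS):
        raise ValueError(f"expected {len(VPC_FIELDS)} fields, got {len(parts)}")
    return dict(zip(VPC_FIELDS, parts))


def _clean(value: str) -> str:
    """LEEF 1.0 uses '|' between header fields and a tab between attributes,
    so neither may appear unescaped inside a value."""
    return value.replace("\t", " ").replace("\n", " ").replace("|", r"\|")


def to_leef(rec: dict) -> str:
    """Render a parsed record as a LEEF 1.0 event (assumed vendor/product/event ID)."""
    when = datetime.datetime.fromtimestamp(int(rec["start"]), tz=datetime.timezone.utc)
    attrs = {
        "devTime": when.strftime("%b %d %Y %H:%M:%S"),
        "devTimeFormat": "MMM dd yyyy HH:mm:ss",  # Java-style pattern LEEF expects
        "src": rec["srcaddr"], "dst": rec["dstaddr"],
        "srcPort": rec["srcport"], "dstPort": rec["dstport"],
        "proto": PROTO_NAMES.get(rec["protocol"], rec["protocol"]),
        "action": rec["action"], "totalPackets": rec["packets"],
        "bytes": rec["bytes"], "interface": rec["interface-id"],
        "accountId": rec["account-id"],
    }
    header = "LEEF:1.0|Amazon|VPC Flow Logs|2|" + _clean(rec["action"]) + "|"
    return header + "\t".join(f"{k}={_clean(v)}" for k, v in attrs.items())


def to_syslog(leef: str, host: str = "forwarder-host") -> str:
    """Wrap the LEEF event in an RFC 3164 style syslog line (PRI 14 = user.info)."""
    ts = datetime.datetime.now(tz=datetime.timezone.utc).strftime("%b %d %H:%M:%S")
    return f"<14>{ts} {host} {leef}"
```

Running `to_syslog(to_leef(parse_flow_log(SAMPLE_FLOW_LOG)))` yields one line a Universal LEEF log source over the syslog protocol can parse; the record lands in Log Activity as an event, not as a flow record.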