IBM QRadar

Unlike other log aggregators and SIEMs, IBM QRadar requires that logs must be forwarded to a specific destination in order to be collected.

Configure IBM QRadar

In order to ingest and analyze data from IBM QRadar, you must configure SIEM (InsightIDR) to be the specific destination of its logs.

To specify the SIEM (InsightIDR) collector as the destination:

1. Create a rule to forward logs to add a collector as a forward destination. Read instructions here: https://www.ibm.com/support/knowledgecenter/SS42VS_7.4/com.ibm.qradar.doc/c_qradar_adm_frwd_event_data.html 
2. Choose to either create a log forwarding rule OR create a routing rule.
   • Create a log forwarding rule: https://www.ibm.com/support/knowledgecenter/SS42VS_7.4/com.ibm.qradar.doc/t_qradar_adm_add_frwrd_dest.html 
   • Create a routing rule: https://www.ibm.com/support/knowledgecenter/SS42VS_7.4/com.ibm.qradar.doc/t_qradar_adm_data_store.html 
3. When you configure an event source in SIEM (InsightIDR), select “QRadar” when choosing from the list of Log Aggregators.