Unlike other log aggregators and SIEMs, IBM QRadar requires that logs be forwarded to a specific destination before InsightIDR can collect them.
Configure IBM QRadar
To ingest and analyze data from IBM QRadar, you must configure the InsightIDR collector as the destination for QRadar's forwarded logs.
To specify the InsightIDR collector as the destination:
- Add the InsightIDR collector as a forwarding destination in QRadar. Read the instructions here: https://www.ibm.com/support/knowledgecenter/SS42VS_7.4/com.ibm.qradar.doc/c_qradar_adm_frwd_event_data.html
- Create either a log forwarding rule OR a routing rule that sends events to that destination:
  - Create a log forwarding rule: https://www.ibm.com/support/knowledgecenter/SS42VS_7.4/com.ibm.qradar.doc/t_qradar_adm_add_frwrd_dest.html
  - Create a routing rule: https://www.ibm.com/support/knowledgecenter/SS42VS_7.4/com.ibm.qradar.doc/t_qradar_adm_data_store.html
- When you configure the event source in InsightIDR, select "QRadar" from the list of Log Aggregators.