VMware Cloud Community
OsburnM
Hot Shot

How to set up Log Insight Forwarding to qRadar using Ingestion API

Greetings... I'm trying to understand what's involved with setting up Log Insight to forward certain events to our qRadar SIEM using the Ingestion API protocol instead of RAW or Syslog, as we need to maintain the source data in the event payload as received by qRadar. Setting the forwarding as Syslog and the filter settings all work just fine, but setting it to Ingestion API doesn't work. The test fails to connect and events aren't actually received.

I'm assuming there's something that must be done on the qRadar side-- I just don't know what that actually is?  Is there a qRadar setting somewhere?  Am I supposed to be installing an LI agent on a qRadar receiver?  I'm just honestly lost so hopefully someone can answer.

Thanks!
