TimDewar
Contributor

Forwarding to QRadar SIEM?

I am looking for some help with forwarding Log Insight security events to IBM QRadar.

The Log Insight documentation indicates that within the SysLog data being forwarded there's a “_li_source_path” that contains the event's original source. Instead of all events showing as Log Insight as the source, QRadar would need to use the “_li_source_path” value as the source. Unfortunately, IBM does not have a native Log Insight parser module (DSM) to grab the “_li_source_path”, but a QRadar Log Source Extension (LSX) could be configured to do this. Does anybody have an LSX XML file that they can share?

Thanks,

Tim.
