VMware Cloud Community
TimDewar
Contributor

Forwarding to QRadar SIEM?

I am looking for some help with forwarding Log Insight security events to IBM QRadar.

The Log Insight documentation indicates that within the syslog data being forwarded there is a “_li_source_path” field that contains the event's original source. Instead of all events showing Log Insight as the source, QRadar would need to use the “_li_source_path” value as the source. Unfortunately, IBM does not have a native Log Insight parser module (DSM) to grab the “_li_source_path”, but a QRadar Log Source Extension (LSX) could be configured to do this. Does anybody have an LSX XML file that they can share?

Thanks,

Tim.

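An added example, not part of the original thread and not VMware's or IBM's own code: a minimal LSX that captures `_li_source_path` and maps it to QRadar's HostName and SourceIp fields, wrapped in a Python script that parses the LSX and replays its patterns over constructed forwarded lines, so the regular expressions can be checked before the extension is uploaded. The `device-extension`/`pattern`/`match-group`/`matcher` elements and the field names follow the QRadar LSX schema as I know it; the `vmw@0` structured-data layout carrying `_li_source_path`, the host names and the sample messages are constructed; and the script emulates QRadar's lowest-order-wins matching rather than calling QRadar.

```python
"""Replay a QRadar Log Source Extension (LSX) over Log Insight forwarded syslog.

Added example, not from the thread.  The LSX below and the sample syslog lines
are constructed for illustration; the <device-extension>/<pattern>/
<match-group>/<matcher> elements and the HostName/SourceIp field names follow
the QRadar LSX schema as the author of this example understands it.
"""
import re
import xml.etree.ElementTree as ET

# Constructed LSX: the first pattern pulls the original source out of the
# _li_source_path token Log Insight adds when forwarding; the second matches
# only when that value is an IPv4 literal.  Each is mapped to a QRadar field.
LSX_XML = r"""<?xml version="1.0" encoding="UTF-8"?>
<device-extension xmlns="event_parsing/device_extension">
  <pattern id="LiSourcePath" xmlns=""><![CDATA[_li_source_path="?([^"\s\]]+)"?]]></pattern>
  <pattern id="LiSourceIpv4" xmlns=""><![CDATA[_li_source_path="?((?:\d{1,3}\.){3}\d{1,3})"?]]></pattern>
  <match-group order="1" description="Log Insight forwarded events" xmlns="">
    <matcher field="HostName" order="1" pattern-id="LiSourcePath" capture-group="1"/>
    <matcher field="SourceIp" order="1" pattern-id="LiSourceIpv4" capture-group="1"/>
  </match-group>
</device-extension>
"""

# Constructed forwarded lines.  The "vmw@0" structured-data block that carries
# _li_source_path is an assumption about layout, not Log Insight's exact output.
SAMPLE_LINES = [
    '<14>1 2019-04-02T10:15:22.123Z loginsight01.example.test vRLI - - '
    '[vmw@0 _li_source_path="esxi-host-07.example.test"] '
    'Hostd: Accepted password for user root from 192.0.2.5',
    '<13>1 2019-04-02T10:15:23.001Z loginsight01.example.test vRLI - - '
    '[vmw@0 _li_source_path=192.0.2.10] firewall: outbound TCP connection built',
    '<14>Apr  2 10:15:24 loginsight01 vRLI: heartbeat',  # no Log Insight wrapper
]


def load_lsx(xml_text):
    """Compile every <pattern> and collect <matcher>s in QRadar evaluation order."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    patterns = {}
    for pat in root.iter("pattern"):  # children carry xmlns="" so no namespace prefix
        flags = re.IGNORECASE if pat.get("case-insensitive") == "true" else 0
        patterns[pat.get("id")] = re.compile(pat.text, flags)
    matchers = []
    for group in sorted(root.iter("match-group"), key=lambda g: int(g.get("order", "1"))):
        for m in sorted(group.iter("matcher"), key=lambda x: int(x.get("order", "1"))):
            matchers.append((m.get("field"), m.get("pattern-id"), int(m.get("capture-group", "1"))))
    return patterns, matchers


def apply_lsx(line, patterns, matchers):
    """Return the QRadar fields the LSX would set for one event.

    QRadar tries the matchers for a field in ascending order and keeps the
    first hit, so a field that already has a value is not overwritten here.
    """
    fields = {}
    for field, pattern_id, group in matchers:
        if field in fields:
            continue
        match = patterns[pattern_id].search(line)
        if match and match.group(group):
            fields[field] = match.group(group)
    return fields


PATTERNS, MATCHERS = load_lsx(LSX_XML)


def extract_source(line):
    """Fields the constructed LSX yields for a single forwarded line."""
    return apply_lsx(line, PATTERNS, MATCHERS)


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(extract_source(line) or "(no _li_source_path: QRadar keeps the syslog header host)")
```

One caveat worth checking against your own QRadar version: an LSX populates event properties such as HostName and SourceIp, which is enough for searches, rules and identity data to show the original host. Whether QRadar must also attribute the event to a different log source is a separate question about the log source identifier taken from the syslog header, which a parsing extension alone does not change.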
2 Replies
admin
Immortal

Not that I know of, but in LI 4.0 you can ingest in Log Insight and apply a parser at ingestion, extract the source_path as a tag, and select the Forward complementary tags option when forwarding to QRadar. Not sure this will achieve everything you are looking to do, but it might help. Thanks.

OsburnM
Hot Shot

Not sure if you're still around, as this is a bit of an older post, but I'm looking for the same thing. We need to use LI to forward events to QRadar. It looks like the Ingestion API method is the only way to go, as QRadar doesn't like the wrapper with the source info being Log Insight. Were you ever able to figure out how to set up QRadar as an Ingestion API receiver?
