<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Forwarding to QRadar SIEM? in VMware Aria Operations for Logs Discussions</title>
    <link>https://communities.vmware.com/t5/VMware-Aria-Operations-for-Logs/Forwarding-to-QRadar-SIEM/m-p/2280652#M2062</link>
    <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;I am looking for some help&amp;nbsp;with forwarding Log Insight security events to IBM QRadar.&lt;/P&gt;&lt;SPAN&gt;&lt;/SPAN&gt;&lt;P&gt;The Log Insight documentation indicates that within the SysLog data being forwarded&amp;nbsp;there's a&amp;nbsp;“_li_source_path” that contains the event's original source. &amp;nbsp;Instead of all events showing as Log Insight as the source, QRadar would need to use the&amp;nbsp;“_li_source_path” value as the source. &amp;nbsp;Unfortunately IBM does not have a native Log Insight parser module (DSM) to grab the “_li_source_path”, but a QRadar Log Source Extension (LSX) could be configured to do this. &amp;nbsp;Does anybody have a LSX XML file that they can share?&lt;/P&gt;&lt;SPAN&gt;&lt;/SPAN&gt;&lt;P&gt;Thanks,&lt;/P&gt;&lt;SPAN&gt;&lt;/SPAN&gt;&lt;P&gt;Tim.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Thu, 27 Oct 2016 17:18:09 GMT</pubDate>
    <dc:creator>TimDewar</dc:creator>
    <dc:date>2016-10-27T17:18:09Z</dc:date>
    <item>
      <title>Forwarding to QRadar SIEM?</title>
      <link>https://communities.vmware.com/t5/VMware-Aria-Operations-for-Logs/Forwarding-to-QRadar-SIEM/m-p/2280652#M2062</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;I am looking for some help&amp;nbsp;with forwarding Log Insight security events to IBM QRadar.&lt;/P&gt;&lt;SPAN&gt;&lt;/SPAN&gt;&lt;P&gt;The Log Insight documentation indicates that within the SysLog data being forwarded&amp;nbsp;there's a&amp;nbsp;“_li_source_path” that contains the event's original source. &amp;nbsp;Instead of all events showing as Log Insight as the source, QRadar would need to use the&amp;nbsp;“_li_source_path” value as the source. &amp;nbsp;Unfortunately IBM does not have a native Log Insight parser module (DSM) to grab the “_li_source_path”, but a QRadar Log Source Extension (LSX) could be configured to do this. &amp;nbsp;Does anybody have a LSX XML file that they can share?&lt;/P&gt;&lt;SPAN&gt;&lt;/SPAN&gt;&lt;P&gt;Thanks,&lt;/P&gt;&lt;SPAN&gt;&lt;/SPAN&gt;&lt;P&gt;Tim.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 27 Oct 2016 17:18:09 GMT</pubDate>
      <guid>https://communities.vmware.com/t5/VMware-Aria-Operations-for-Logs/Forwarding-to-QRadar-SIEM/m-p/2280652#M2062</guid>
      <dc:creator>TimDewar</dc:creator>
      <dc:date>2016-10-27T17:18:09Z</dc:date>
    </item>
    <item>
      <title>Re: Forwarding to QRadar SIEM?</title>
      <link>https://communities.vmware.com/t5/VMware-Aria-Operations-for-Logs/Forwarding-to-QRadar-SIEM/m-p/2280653#M2063</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Not that I know of, but in LI 4.0 you can ingest in Log Insight and apply parser at ingestion and extract the source_path as a tag and select the Forward Complimentary tags option when forwarding to qradar. Not sure this will achieve everything you are looking to do, but it might help. Thanks. &lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Wed, 23 Nov 2016 13:46:22 GMT</pubDate>
      <guid>https://communities.vmware.com/t5/VMware-Aria-Operations-for-Logs/Forwarding-to-QRadar-SIEM/m-p/2280653#M2063</guid>
      <dc:creator>admin</dc:creator>
      <dc:date>2016-11-23T13:46:22Z</dc:date>
    </item>
    <item>
      <title>Re: Forwarding to QRadar SIEM?</title>
      <link>https://communities.vmware.com/t5/VMware-Aria-Operations-for-Logs/Forwarding-to-QRadar-SIEM/m-p/2937861#M2813</link>
      <description>&lt;P&gt;Not sure if you're still around as this is a bit of an older post-- but I'm looking for the same thing.&amp;nbsp; We need to use LI to Forward events to qradar.&amp;nbsp; It looks like Ingestion API method is the only way to go as qradar doesn't like the wrapper with the source info being LogInsight.&amp;nbsp; Were you ever able to figure out how to setup qradar to be an Ingestion API receiver?&lt;/P&gt;</description>
      <pubDate>Fri, 11 Nov 2022 16:17:58 GMT</pubDate>
      <guid>https://communities.vmware.com/t5/VMware-Aria-Operations-for-Logs/Forwarding-to-QRadar-SIEM/m-p/2937861#M2813</guid>
      <dc:creator>OsburnM</dc:creator>
      <dc:date>2022-11-11T16:17:58Z</dc:date>
    </item>
  </channel>
</rss>

