Configuring your cluster to receive audit logs over TLS

You can configure IBM QRadar to receive audit logs over TLS.

To add a log source to receive events, see Adding a log source to receive events.

Generating self-signed certificates

IBM QRadar TLS syslog needs both public and private keys in the proper format. A custom private key pair must be in DER-encoded PKCS8 format.

Note: Restrict ca cert use. It is used for the TLS log source.

The following process creates private_key.der and public_key.pem.

• public_key.pem can be used as a server certificate. Fluentd (client) will use it as a client cert to send logs over TLS (For proof of concept only)

• private_key.der can be used as a private key

  • openssl genrsa -out /tmp/private_key.pem 2048
  • openssl pkcs8 -topk8 -inform PEM -outform DER -in /tmp/private_key.pem -out /tmp/private_key.der -nocrypt
  • openssl req -new -key /tmp/private_key.pem -out /tmp/csr.pem
  • openssl req -x509 -sha512 -days 365 -in /tmp/csr.pem -key /tmp/private_key.der -keyform DER -out /tmp/public_key.pem

  Note: The common name field is important. Use the host name of the IBM QRadar server.