Configuring logging settings for IBM QRadar

IBM Security QRadar consolidates log source event data from multiple devices and applications that are distributed throughout a network. If you are using IBM Security QRadar, you can send the IBM Cloud Pak System Software log files to the QRadar server to be stored for future reference.

Before you begin

Ensure that the following requirements are met:
  • You must be assigned the Hardware administration role with permission to Manage hardware resources (Full permission) to perform these steps.
  • You completed the QRadar configuration steps in the following procedure. If you are using multiple Platform System Managers, the configuration must be completed for both the primary and secondary Platform System Managers.
    1. On the QRadar server, click the Admin tab, and click Data Sources > Log Sources.
    2. In the window that is displayed, click Add and enter values for the following fields:
      • Log Source Name: Enter the host name of the Cloud Pak System Software server.
      • Log Source Type: Enter Linux OS.
      • Protocol Configuration: Enter Syslog.
      • Log Source Identifier: Enter the IP address of the Cloud Pak System Software server.

        To find the IP addresses of the primary and secondary Platform System Managers, click System > Network Configuration and expand the System Management IP section. The Platform System Manager floating IP address (the same one that you use in the browser) is the IP address of the primary Platform System Manager.

    3. For all other selections, accept the default values.

About this task

If you are using multiple Platform System Managers, the log files for both the primary and secondary Platform System Managers are sent.

Procedure

  1. Click System > System Settings.
  2. Expand Log Management.
  3. If you want to delete all log files on the Platform System Manager that are older than 90 days, select the Maximum number of days to retain log files: 90 check box.
  4. If you want to forward the log files to a remote destination, such as a QRadar server, enter the IP address or the fully qualified domain name of the QRadar server in the Destination address (IPv4 or FQDN) field.
  5. Select all log files, or one or more types of log files from the available log categories.
    If you select the Security logs category, the audit log files are sent.
  6. Click Save. The selected log files are sent to the QRadar server.
    When a new line is added to a log file, that line is also sent to the QRadar server.

Results

When QRadar logging is enabled for the first time, or re-enabled after it was disabled for some time, a large volume of messages might be sent to the QRadar server. This large volume results from sending, all at once, every message that accumulated between the last time messages were sent and the current time. After all accumulated messages are sent, the volume drops to new messages only, as they are received.

Depending on the maximum volume that your license allows, this burst might exceed the volume permitted by a standard QRadar license. If this situation arises, QRadar discards all messages that exceed the licensed volume, and the discarding can continue until all accumulated lines in all log files are sent.

Typically, a standard license can handle the steady-state volume, where new lines are sent as they are added. For larger volumes of log files, a larger QRadar license might be required.
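The burst-versus-license behaviour described above, as an added illustrative model (not IBM code): it assumes the forwarder drains the backlog as fast as it can while QRadar accepts a fixed number of messages per tick and discards the rest; the backlog size, the tick length and all rates are constructed for illustration.

```python
"""Constructed model of the license-cap behaviour described in the Results
section. Assumptions (not from the IBM page): the forwarder sends up to
`send_per_tick` pending lines per tick, QRadar keeps at most
`licensed_per_tick` of them and discards the rest, and new lines keep
arriving at `steady_per_tick`. Tick length and all numbers are illustrative."""
from dataclasses import dataclass


@dataclass
class DrainResult:
    ticks: int       # ticks until no backlog remains
    sent: int        # messages QRadar accepted
    discarded: int   # messages QRadar dropped as over-license


def simulate_drain(backlog: int, steady_per_tick: int, licensed_per_tick: int,
                   send_per_tick: int, max_ticks: int = 10_000) -> DrainResult:
    """Forward an accumulated backlog to QRadar and count what is lost.

    Each tick: new lines are appended, the forwarder sends a batch of up to
    send_per_tick pending lines, and QRadar keeps only the first
    licensed_per_tick of that batch. The run ends when nothing is pending,
    i.e. when only steady-state traffic remains.
    """
    pending = backlog
    sent = discarded = 0
    for tick in range(1, max_ticks + 1):
        pending += steady_per_tick
        batch = min(pending, send_per_tick)
        pending -= batch
        kept = min(batch, licensed_per_tick)
        sent += kept
        discarded += batch - kept
        if pending == 0:
            return DrainResult(tick, sent, discarded)
    raise RuntimeError("backlog never drains: send rate does not exceed arrival rate")


if __name__ == "__main__":
    # Constructed figures: 5000 lines accumulated while forwarding was off,
    # 10 new lines per tick, a license that accepts 100 lines per tick.
    burst = simulate_drain(5000, 10, 100, send_per_tick=500)
    steady = simulate_drain(0, 10, 100, send_per_tick=500)
    print(f"unthrottled drain: {burst}")    # most of the backlog is discarded
    print(f"steady state:      {steady}")   # nothing discarded
```

Running the same backlog with send_per_tick equal to licensed_per_tick shows the trade-off the page implies: nothing is discarded, but the drain takes far longer, which is why the size of the accumulated backlog matters when logging is re-enabled.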