JDBC protocol configuration options
QRadar® uses the JDBC protocol to collect information from tables or views that contain event data from several database types.
The JDBC protocol is an outbound/active protocol. QRadar does not include a MySQL driver for JDBC. If you are using a DSM or protocol that requires a MySQL JDBC driver, you must download and install the platform-independent MySQL Connector/J from http://dev.mysql.com/downloads/connector/j/.
- Copy the Java™ archive (JAR) file to /opt/qradar/jars and /opt/ibm/si/services/ecs-ec-ingress/eventgnosis/lib/q1labs/.
- Restart Tomcat service by typing the following
command:
systemctl restart tomcat - Restart event collection services by typing the following command:
systemctl restart ecs-ec-ingress
| Parameter | Description |
|---|---|
| Log Source Name | Type a unique name for the log source. |
| Log Source Description (Optional) | Type a description for the log source. |
| Log Source Type | Select your Device Support Module (DSM) that uses the JDBC protocol from the Log Source Type list. |
| Protocol Configuration | JDBC |
| Log Source Identifier |
Type a name for the log source. The name can't contain spaces and must be unique among all log sources of the log source type that is configured to use the JDBC protocol. If the log source collects events from a single appliance that has a static IP address or hostname, use the IP address or hostname of the appliance as all or part of the Log Source Identifier value; for example, 192.168.1.1 or JDBC192.168.1.1. If the log source doesn't collect events from a single appliance that has a static IP address or hostname, you can use any unique name for the Log Source Identifier value; for example, JDBC1, JDBC2. |
| Database Type | Select the type of database that contains the events. |
| Database Name | The name of the database to which you want to connect. |
| Schema (Snowflake only) | This parameter specifies either the default schema to be used for the
specified database post connection, or an empty string. The specified schema must be an existing schema for which the specified default role has privileges. |
| IP or Hostname | The IP address or hostname of the database server. |
| Warehouse (Snowflake only) | This parameter specifies the virtual warehouse to use post connection, or an
empty string. The specified warehouse must be an existing warehouse for which the specified default role has privileges. |
| Role (Snowflake only) | This parameter specifies the default access control role to be used in the
Snowflake session initiated by the driver. The specified role must be an existing role that is already assigned to the specified user for the driver. If the specified role is not assigned to the user, then the role is not used during the session initiation by the driver. |
| Port |
Enter the JDBC port. The JDBC port must match the listener port that is configured on the remote database. The database must permit incoming TCP connections. The valid range is 1 - 65535. The defaults are:
If you configure the Database Instance parameter and have an MSDE database type, leave the Port parameter blank. |
| Username | A user account for QRadar in the database. |
| Password | The password that is required to connect to the database. |
| Confirm Password | The password that is required to connect to the database. |
| Authentication Domain (MSDE only) |
If you disable Use Microsoft JDBC, the Authentication Domain parameter is displayed. The domain for MSDE that is a Windows domain. If your network does not use a domain, leave this field blank. |
| Database Instance (MSDE or Informix only) |
The database instance, if required. MSDE databases can include multiple SQL server instances on one server. When you use a different port number from the default for SQL database resolution, leave this parameter blank. |
| Predefined Query (Optional) |
Select a predefined database query for the log source. If a predefined query is not available for the log source type, you can select the None option. If the configuration guide for a specific integration states to use a predefined query, choose it from the list. Otherwise, select None and populate the remaining required values. |
| Table Name | The name of the table or view that includes the event records. The table name can include the following special characters: dollar sign ($), number sign (#), underscore (_), en dash (-), and period (.). |
| Select List | The list of fields to include when the table is polled for events. You can use a comma-separated list or type an asterisk (*) to select all fields from the table or view. If you defined a comma-separated list, the list must contain the field that is defined in the Compare Field parameter. |
| Compare Field |
A numeric value or time stamp field from the table or view that identifies new events that are added to the table between queries. When you set this parameter value, the protocol identifies events that were previously pulled by the protocol to ensure that duplicate events are not created. |
| Use Prepared Statements | Prepared statements enable the JDBC protocol source to set up the SQL statement, and then run the SQL statement numerous times with different parameters. For security and performance reasons, most JDBC protocol configurations can use prepared statements. |
| Start Date and Time (Optional) |
Select or enter the start date and time for database polling. The format is yyyy-mm-dd HH:mm, where HH is specified by using a 24-hour clock. If this parameter is empty, polling begins immediately and repeats at the specified polling interval. This parameter is used to set the time and date at which the protocol connects to the target database to initialize event collection. It can be used along with the Polling Interval parameter to configure specific schedules for the database polls. For example, use these parameters to ensure that the poll happens at five minutes past the hour, every hour, or to ensure that the poll happens at exactly 1:00 AM each day. This parameter cannot be used to retrieve older table rows from the target database. For example, if you set the parameter to Last Week, the protocol does not retrieve all table rows from the previous week. The protocol retrieves rows that are newer than the maximum value of the Compare Field on initial connection. |
| Polling Interval |
Enter the amount of time between queries to the event table. To define a longer polling interval, append H for hours or M for minutes to the numeric value. The maximum polling interval is one week. |
| EPS Throttle |
The maximum number of events per second that QRadar ingests. If your data source exceeds the EPS throttle, data collection is delayed. Data is still collected and then it is ingested when the data source stops exceeding the EPS throttle. The valid range is 100 to 20,000. |
| Security Mechanism (Db2 only) |
From the list, select the security mechanism that is supported by your Db2 server. If you don't want to select a security mechanism, select None. The default is None. For more information about security mechanisms that are supported by Db2 environments, see the IBM® Support website (https://www.ibm.com/support/knowledgecenter/en/SSEPGG_11.1.0/com.ibm.db2.luw.apdv.java.doc/src/tpc/imjcc_cjvjcsec.html) |
| Use Named Pipe Communication (MSDE only) |
If you disable Use Microsoft JDBC, the Use Named Pipe Communication parameter is displayed. MSDE databases require the user name and password field to use a Windows authentication user name and password and not the database user name and password. The log source configuration must use the default that is named pipe on the MSDE database. |
| Database Cluster Name |
If you are running your SQL server in a cluster environment, define the cluster name to ensure named pipe communication functions properly. This parameter is required if you enable Use Named Pipe Communication and select the MSDE database type option. |
| Use NTLMv2 (MSDE only) |
If you disable Use Microsoft JDBC, the Use NTLMv2 parameter is displayed. Select this option if you want MSDE connections to use the NTLMv2 protocol when they are communicating with SQL servers that require NTLMv2 authentication. This option does not interrupt communications for MSDE connections that do not require NTLMv2 authentication. Does not interrupt communications for MSDE connections that do not require NTLMv2 authentication. |
| Use Microsoft JDBC (MSDE only) |
If you want to use the Microsoft JDBC driver, you must enable Use Microsoft JDBC. This parameter is enabled by default. |
| Use SSL (MSDE only) | Enable this option if your MSDE connection supports SSL. |
| SSL Certificate Hostname |
This field is required when both Use Microsoft JDBC and Use SSL are enabled. This value must be the fully qualified domain name (FQDN) for the host. The IP address is not permitted. For more information about SSL certificates and JDBC, see the procedures at the following links:
|
| Use Oracle Encryption(Oracle only) |
Oracle Encryption and Data Integrity settings is also known as Oracle Advanced Security. If selected, Oracle JDBC connections require the server to support similar Oracle Data Encryption settings as the client. |
| Database Locale (Informix only) |
For multilingual installations, specify the language to use for the installation process (or software?). After you choose a language, you can then choose the character set that is used in the installation in the Code-Set parameter. |
| Code-Set (Informix only) | The Code-Set parameter displays after you choose a
language for multilingual installations. Use this field to specify the character set to use. |
| Enabled | Select this checkbox to enable the log source. By default, the checkbox is selected. |
| Credibility |
From the list, select the Credibility of the log source. The range is 0 - 10. The credibility indicates the integrity of an event or offense as determined by the credibility rating from the source devices. Credibility increases if multiple sources report the same event. The default is 5. |
| Target Event Collector | Select the Target Event Collector to use as the target for the log source. |
| Coalescing Events |
Select the Coalescing Events checkbox to enable the log source to coalesce (bundle) events. By default, automatically discovered log sources inherit the value of the Coalescing Events list from the System Settings in QRadar. When you create a log source or edit an existing configuration, you can override the default value by configuring this option for each log source. |
| Store Event Payload |
Select the Store Event Payload checkbox to enable the log source to store event payload information. By default, automatically discovered log sources inherit the value of the Store Event Payload list from the System Settings in QRadar. When you create a log source or edit an existing configuration, you can override the default value by configuring this option for each log source. |
| Enable Advanced Options |
Select this checkbox to enable advanced options. When disabled, the default value is used. |
| Use With (No Lock) in SQL statements |
Enable this option to append the tables in all SQL statements with "WITH (NOLOCK)". |