Multiple log sources over TLS Syslog

You can configure multiple devices in your network to send encrypted Syslog events to a single TLS Syslog listen port. The TLS Syslog listener acts as a gateway: it terminates the TLS connection, decrypts the event data, and forwards the decrypted events within QRadar® to additional log sources that are configured with the Syslog protocol.

The TLS Syslog protocol has specific parameters that you must configure.

Multiple devices in your network that support TLS-encrypted Syslog can send encrypted events over a TCP connection to the TLS Syslog listen port. The TLS Syslog log source, acting as the gateway, decrypts these events and injects them into the event pipeline. The decrypted events are then routed to the matching receiver log sources, or to the traffic analysis engine for autodiscovery when no receiver log source matches.

Events are routed within QRadar to the log source whose Log Source Identifier matches the source value of the event. For Syslog events with an RFC 3164 or RFC 5424 compliant Syslog header (RFC 5425 is the TLS transport that carries RFC 5424 messages, not a separate header format), the source value is the IP address or host name in the header. For events without a compliant header, the source value is the IP address of the device that sent the Syslog event. Note that the header value is supplied by the sender: any client that the listener accepts can have its events routed to another device's log source by placing that device's host name or IP address in the header, so control which clients can reach the listen port.
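The routing rule described above, as an added example that is not QRadar code: it derives the source value from an RFC 5424 or RFC 3164 header, falls back to the peer IP address when no compliant header is present, and fans the event out to the receiver log source whose identifier matches. Two things here are assumptions rather than page facts: an RFC 5424 nil host name ("-") is treated as "no usable header", and the expected_peers map is an added sanity check that flags a header naming a device the connecting peer is not expected to speak for; QRadar itself does no such check in the text. The log source names and event lines are constructed sample data.

```python
"""Added example, not QRadar code: derive the routing key for a decrypted
TLS Syslog event the way the text describes, then match it against the
Log Source Identifier of the receiver log sources.

Assumptions (not stated on the page): a host name of "-" (the RFC 5424
nil value) is treated as "no usable header" and falls back to the peer IP,
and expected_peers is an added sanity check, not a QRadar feature.
"""
import re
from typing import Dict, NamedTuple, Optional, Set, Tuple

# RFC 3164 header: <PRI>Mmm dd hh:mm:ss HOSTNAME ...
RFC3164_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2} "
    r"(?P<host>\S+) "
)
# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID ...
RFC5424_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>\d{1,2} "
    r"\S+ "
    r"(?P<host>\S+) "
)


def source_value(raw: str, peer_ip: str) -> Tuple[str, str]:
    """Return (source, origin): the value compared against the Log Source
    Identifier, and where it came from."""
    m = RFC5424_RE.match(raw)
    if m and m.group("host") != "-":
        return m.group("host"), "rfc5424-header"
    m = RFC3164_RE.match(raw)
    if m:
        return m.group("host"), "rfc3164-header"
    # No compliant header: fall back to the address the TLS connection came from.
    return peer_ip, "peer-ip"


class RouteResult(NamedTuple):
    target: str       # receiver log source name, or "autodiscovery"
    source: str       # routing key that was matched
    origin: str       # "rfc5424-header", "rfc3164-header" or "peer-ip"
    suspicious: bool  # header named a device this peer is not expected to send for


class Gateway:
    """Mimics the fan-out from one TLS Syslog listen port to many receivers."""

    def __init__(self, log_sources: Dict[str, str],
                 expected_peers: Optional[Dict[str, Set[str]]] = None):
        self.log_sources = log_sources          # identifier -> log source name
        self.expected_peers = expected_peers or {}  # identifier -> allowed peer IPs

    def route(self, raw: str, peer_ip: str) -> RouteResult:
        source, origin = source_value(raw, peer_ip)
        target = self.log_sources.get(source, "autodiscovery")
        allowed = self.expected_peers.get(source)
        suspicious = origin != "peer-ip" and allowed is not None and peer_ip not in allowed
        return RouteResult(target, source, origin, suspicious)


# Constructed receiver log sources and sample events (not real data).
LOG_SOURCES = {
    "fw-edge-01": "Edge firewall",
    "10.0.0.20": "Core switch",
    "10.0.0.30": "Legacy appliance",
}
EXPECTED_PEERS = {"fw-edge-01": {"10.0.0.10"}}
SAMPLE_EVENTS = [
    ("<134>1 2024-05-01T12:00:00Z fw-edge-01 filterlog 1234 - - block in on em0", "10.0.0.10"),
    ("<13>May  1 12:00:01 10.0.0.20 sshd[2001]: Accepted publickey for admin", "10.0.0.20"),
    ("no syslog header at all", "10.0.0.30"),
    ("<34>1 2024-05-01T12:00:02Z - app - - - nil hostname", "10.0.0.30"),
    # Header claims to be the firewall but the connection comes from another peer.
    ("<134>1 2024-05-01T12:00:03Z fw-edge-01 filterlog 1 - - forged", "10.0.0.99"),
]


def route_all(events=SAMPLE_EVENTS):
    gw = Gateway(LOG_SOURCES, EXPECTED_PEERS)
    return [gw.route(raw, peer) for raw, peer in events]


if __name__ == "__main__":
    for r in route_all():
        flag = "  <-- header/peer mismatch" if r.suspicious else ""
        print(f"{r.source:12} via {r.origin:15} -> {r.target}{flag}")
```

The last sample event is the point of the exercise: it lands in the Edge firewall log source because routing keys on the header, even though it arrived from 10.0.0.99.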

On QRadar, you can configure multiple log sources with the Syslog protocol to receive encrypted events that are sent to a single TLS Syslog listen port from multiple devices.

Note: Most TLS-enabled clients require the public certificate of the target server or listener to authenticate the server. By default, a TLS Syslog log source generates a certificate that is named syslog-tls.cert in /opt/qradar/conf/trusted_certificates/ on the target Event Collector that the log source is assigned to. Copy this certificate file to every client that makes a TLS connection to the listener, and distribute it over a trusted channel so that clients verify the listener against it rather than disabling certificate verification.
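What a client does with the copied certificate, as an added example that is not QRadar code and not the configuration of any particular device: it loads syslog-tls.cert as the only trust anchor, connects to the listen port, builds RFC 5424 messages and frames them for the TLS transport. Everything about the listener beyond the page is an assumption and is marked as such in the code: port 6514 (the port RFC 5425 registers for syslog over TLS, not a stated QRadar default), RFC 5425 octet-counting framing (LF framing is provided as the alternative), and that the generated certificate is self-signed, which is why hostname checking is left off and trust is pinned to the file instead. The cert_fingerprint function is the practitioner check: compare the SHA-256 of the file you copied with the fingerprint the listener presents before relying on it.

```python
"""Added example, not QRadar code: a small TLS Syslog sender that trusts
only the listener certificate copied from the Event Collector, builds
RFC 5424 messages and frames them for the TLS transport.

Assumptions (not stated on the page): the listen port is 6514 (the port
RFC 5425 registers for syslog over TLS), the listener accepts RFC 5425
octet-counting framing (LF framing is offered as the alternative), and the
generated syslog-tls.cert is self-signed, so it is loaded as the only trust
anchor and hostname checking is left off because its subject name is not
known here.
"""
import hashlib
import socket
import ssl
from datetime import datetime, timezone
from typing import List, Optional, Tuple

DEFAULT_PORT = 6514  # assumption: RFC 5425 registered port, not a QRadar default


def build_rfc5424(pri: int, hostname: str, app: str, msg: str,
                  ts: Optional[str] = None, procid: str = "-", msgid: str = "-") -> str:
    """RFC 5424 header followed by the message; structured data is omitted (-)."""
    if ts is None:
        ts = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"<{pri}>1 {ts} {hostname} {app} {procid} {msgid} - {msg}"


def frame_octet_counting(message: str) -> bytes:
    """RFC 5425 framing: decimal byte length, a space, then the message."""
    body = message.encode("utf-8")
    return f"{len(body)} ".encode("ascii") + body


def frame_non_transparent(message: str) -> bytes:
    """LF-delimited framing used by many plain TCP syslog senders."""
    return message.encode("utf-8") + b"\n"


def cert_fingerprint(pem_path: str) -> str:
    """SHA-256 over the DER form of the copied certificate, for out-of-band comparison."""
    with open(pem_path) as f:
        der = ssl.PEM_cert_to_DER_cert(f.read())
    return hashlib.sha256(der).hexdigest()


def tls_context(cafile: str, check_hostname: bool = False) -> ssl.SSLContext:
    """Trust only the certificate in cafile; no system CAs are loaded."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = check_hostname  # assumption: self-signed cert, unknown subject
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def send_events(host: str, cafile: str, messages: List[str],
                port: int = DEFAULT_PORT, octet_counting: bool = True) -> Tuple[str, str]:
    """Send the messages over one TLS connection; return (TLS version, peer cert sha256)."""
    frame = frame_octet_counting if octet_counting else frame_non_transparent
    ctx = tls_context(cafile)
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            for m in messages:
                tls.sendall(frame(m))
            peer_der = tls.getpeercert(binary_form=True)
            return tls.version(), hashlib.sha256(peer_der).hexdigest()


if __name__ == "__main__":
    import sys
    collector, cert = sys.argv[1], sys.argv[2]   # e.g. event-collector.example syslog-tls.cert
    msgs = [build_rfc5424(134, "fw-edge-01", "filterlog",
                          "block in on em0 (constructed test event)")]
    print("local cert sha256:", cert_fingerprint(cert))
    version, presented = send_events(collector, cert, msgs)
    print(f"sent {len(msgs)} event(s) over {version}; listener presented sha256 {presented}")
```

Because the context loads syslog-tls.cert explicitly, the handshake fails if the listener presents anything else, which is the behaviour you want from a sender that carries security events; if the certificate's subject does match the collector's name, turn check_hostname back on.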

To add a log source over TLS Syslog, go to Adding a log source.

Note: Repeat the procedure for adding a log source for each device in your network. You can also add multiple receiver log sources in bulk from the Log Sources window. See Adding bulk log sources.