Setting up TLS over TCP communication with QRadar

Transport Layer Security over the Transmission Control Protocol (TLS over TCP) provides encrypted and authenticated communication between IBM Disconnected Log Collector and IBM QRadar.

Before you begin

TLS over TCP requires certificate-based authentication between Disconnected Log Collector and QRadar. For more information, see Setting up certificate-based authentication on Disconnected Log Collector and Setting up certificate-based authentication on QRadar.

Restriction: UDP is not supported by QRadar on Cloud.

Procedure

  1. Log in to the Disconnected Log Collector computer or VM as the root user.
  2. Open the /opt/ibm/si/services/dlc/conf/config.json file in a text editor.
  3. In the destination.type parameter, enter TLS (this parameter was set by the certificate-based authentication procedure):
    'destination.type': 'TLS'
  4. In the destination.ip parameter, enter the IP address or the fully qualified domain name (FQDN) for the Event Collector, Event Processor, or QRadar Console that receives events from the Disconnected Log Collector instance. For example:
    'destination.ip': '192.0.2.0'
  5. Save and close the config.json file.
  6. Restart Disconnected Log Collector by typing the following command:
    systemctl restart dlc
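
The following pre-restart check is an added example, not part of the IBM procedure or product: it confirms that config.json still selects TLS and names a well-formed destination before the service is restarted, so a mistyped or reverted destination.type is caught before the restart. Assumptions: the script name dlc-precheck.sh, the DLC_CONF override, and the helper names are hypothetical; entries may be single- or double-quoted; the destination is an IPv4 address or FQDN (IPv6 literals are not handled).

```shell
#!/bin/sh
# Added example (not IBM code): check the destination settings, then restart.
# Path and key names come from the procedure; DLC_CONF override is for testing.
DLC_CONF="${DLC_CONF:-/opt/ibm/si/services/dlc/conf/config.json}"

# Print the value of KEY ($1) in FILE ($2); accepts 'single' or "double" quotes.
dlc_get() {
  key=$(printf '%s' "$1" | sed 's/\./\\./g')   # escape dots for the regex
  sed -n "s/.*[\"']${key}[\"'][[:space:]]*:[[:space:]]*[\"']\([^\"']*\)[\"'].*/\1/p" "$2" |
    head -n 1
}

# Succeed if $1 is an IPv4 address or an FQDN (assumption: no IPv6 literals).
is_host() {
  octet='(25[0-5]|2[0-4][0-9]|[01]?[0-9]?[0-9])'
  label='[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?'
  printf '%s\n' "$1" |
    grep -Eq "^(${octet}\.){3}${octet}\$|^(${label}\.)+[A-Za-z]{2,63}\$"
}

# Return 0 only when events will leave over TLS to a well-formed destination.
dlc_check() {
  [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
  dtype=$(dlc_get destination.type "$1")
  dhost=$(dlc_get destination.ip "$1")
  if [ "$dtype" != "TLS" ]; then
    echo "destination.type is '${dtype:-unset}', expected TLS" >&2; return 1
  fi
  if ! is_host "$dhost"; then
    echo "destination.ip '${dhost:-unset}' is not an IPv4 address or FQDN" >&2
    return 1
  fi
  echo "ok: TLS to $dhost"
}

# Run as: sh dlc-precheck.sh --apply   (restarts only if the check passes)
if [ "${1:-}" = "--apply" ]; then
  dlc_check "$DLC_CONF" && systemctl restart dlc
fi
```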

What to do next

Go to Add Disconnected Log Collector as a log source in QRadar.