Event collection from third-party devices

To configure event collection from third-party devices, you need to complete configuration tasks on the third-party device, and your QRadar® Console, Event Collector, or Event Processor. The key components that work together to collect events from third-party devices are log sources, DSMs, and automatic updates.

Log sources

A log source is any external device, system, or cloud service that is configured to either send events to your IBM® QRadar system or be collected by your QRadar system. QRadar shows events from log sources in the Log Activity tab.

To receive raw events from log sources, QRadar supports several protocols: syslog from operating systems, applications, firewalls, and IPS/IDS devices; SNMP; SOAP; and JDBC for data from database tables and views. QRadar also supports proprietary vendor-specific protocols such as OPSEC/LEA from Check Point.

DSMs

A Device Support Module (DSM) is a code module that parses the events received from log sources and converts them to a standard taxonomy format that can be displayed as output. Each type of log source has a corresponding DSM. For example, the IBM Fiberlink MaaS360 DSM parses and normalizes events from an IBM Fiberlink MaaS360 log source.

Automatic Updates

QRadar provides daily and weekly automatic updates on a recurring schedule. The weekly automatic update includes new DSM releases, corrections to parsing issues, and protocol updates. For more information about automatic updates, see the IBM QRadar Administration Guide.

Third-party device installation process

To collect events from a third-party device, you must complete installation and configuration steps on both the log source device and your QRadar system. For some third-party devices, extra configuration steps are needed, such as configuring a certificate to enable communication between that device and QRadar.

The following steps represent a typical installation process:
  1. Read the specific instructions for how to integrate your third-party device.
  2. Download and install the RPM for your third-party device. RPMs are available for download from the IBM support website (http://www.ibm.com/support).
    Tip: If your QRadar system is configured to accept automatic updates, this step might not be required.
  3. Configure the third-party device to send events to QRadar.

    After some events are received, QRadar automatically detects some third-party devices and creates a log source configuration. The log source is listed on the Log Sources list and contains default information. You can customize the information.

  4. If QRadar does not automatically detect the log source, manually add a log source. The list of supported DSMs and the device-specific topics indicate which third-party devices are not automatically detected.
  5. Deploy the configuration changes and restart your web services.

Custom log source types for unsupported third-party log sources

After the events are collected and before correlation can begin, individual events from your devices must be properly normalized. Normalization means mapping information to common field names, such as event name, IP addresses, protocol, and ports. If an enterprise network has one or more network or security devices for which QRadar does not provide a corresponding DSM, you can use a custom log source type. QRadar can integrate with most devices and any common protocol source by using a custom log source type.
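The normalization step that a DSM performs (described under "DSMs" above) and that a custom log source type must reproduce for an unsupported device is illustrated below with an added example; this is not QRadar code or a real DSM, and the "acmefw" syslog format, the host name, and the field values are constructed for the example. It maps each raw syslog line to the common field names named above (event name, IP addresses, protocol, ports) and keeps lines it cannot parse as unparsed records rather than dropping them, which is what you would need to tune the custom type against.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample events from a hypothetical firewall ("acmefw") that has
# no vendor DSM. The message format is invented for this example only.
SAMPLE_EVENTS = [
    "<134>Jun 12 10:01:02 fw01 acmefw: action=DENY proto=TCP src=10.1.2.3:51515 dst=203.0.113.9:443",
    "<134>Jun 12 10:01:03 fw01 acmefw: action=ALLOW proto=UDP src=10.1.2.4:5353 dst=224.0.0.251:5353",
    "<134>Jun 12 10:01:04 fw01 acmefw: heartbeat ok",
]

@dataclass
class NormalizedEvent:
    """Common field names a DSM-style parser produces for one event."""
    event_name: str
    source_ip: Optional[str] = None
    source_port: Optional[int] = None
    destination_ip: Optional[str] = None
    destination_port: Optional[int] = None
    protocol: Optional[str] = None
    parsed: bool = True   # False when the line could not be normalized
    raw: str = ""         # original line is always retained

# Syslog-style header: <PRI>Mon DD HH:MM:SS host tag: message
HEADER_RE = re.compile(
    r"^<\d{1,3}>\w{3} +\d{1,2} \d\d:\d\d:\d\d (?P<host>\S+) (?P<tag>\w+): (?P<msg>.*)$")
# Key/value payload of the constructed firewall format
KV_RE = re.compile(
    r"action=(?P<action>\w+) proto=(?P<proto>\w+) "
    r"src=(?P<sip>[\d.]+):(?P<sport>\d+) dst=(?P<dip>[\d.]+):(?P<dport>\d+)")

def normalize(line: str) -> NormalizedEvent:
    """Map one raw line to common fields; unknown formats become unparsed records."""
    header = HEADER_RE.match(line)
    payload = KV_RE.search(header.group("msg")) if header else None
    if payload is None:
        return NormalizedEvent(event_name="Unknown", parsed=False, raw=line)
    return NormalizedEvent(
        event_name=f"Firewall {payload.group('action').title()}",
        source_ip=payload.group("sip"), source_port=int(payload.group("sport")),
        destination_ip=payload.group("dip"), destination_port=int(payload.group("dport")),
        protocol=payload.group("proto").upper(), raw=line)

def normalize_all(lines: List[str]) -> List[NormalizedEvent]:
    return [normalize(line) for line in lines]

if __name__ == "__main__":
    for event in normalize_all(SAMPLE_EVENTS):
        print(event)
```

The unparsed count (records with `parsed=False`) is the figure to watch while tuning a custom log source type: a rising count after a device firmware update usually means the message format changed.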

For more information, see the IBM QRadar Administration Guide.