Hi Niv,
It sounds like you already have a routing rule + forwarding destination configured to forward data from QRadar to the other SIEM. But is this routing rule configured in online or offline mode? Online mode means it happens in real-time, while the event is still "in flight" within the QRadar event pipeline (pre-storage). This method of forwarding is best-effort in that no retries are attempted if the forwarding destination is unavailable, meaning the data will be lost if the target system is down.
However if you use offline mode instead, then a separate process is used to read the data from storage and send it to the target destination. If the destination is unavailable, it will keep trying until it is available, which will prevent that data from being lost. Once the connection is back up, the offline forwarder will eventually catch up to the real time ingestion.
The next best alternative I can think of would be to manually export the raw payloads from the system that were collected during the connection outage, and replay them at the other SIEM once the outage is over. This can be done with the "logrun" tool present on every QRadar system in /opt/qradar/bin/.
Cheers
Colin
------------------------------
COLIN HAY
IBM Security
------------------------------
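To make the difference between the two modes concrete, here is a small simulation written for this thread (it is not QRadar code and does not use IBM's tooling). It assumes a constructed batch of ten syslog-style payloads, an outage covering arrival ticks 3 to 6, and a store-and-forward reader that can drain up to three queued events per tick once the destination is back. The `replay_after_outage` helper stands in for the manual export-and-replay recovery; the real mechanics of `logrun` are not modelled.

```python
"""
Best-effort (online) versus store-and-forward (offline) forwarding.
Constructed illustration for the discussion above; not QRadar code.
"""
from collections import deque

# Constructed sample payloads: one event arrives per tick, tick == index.
EVENTS = [f"<13>Apr 23 01:{i:02d}:00 host app: event {i}" for i in range(10)]

# Destination is down for ticks start <= t < end (constructed maintenance window).
OUTAGE = (3, 7)


def _down(t, outage):
    start, end = outage
    return start <= t < end


def forward_online(events, outage):
    """Online mode: one send attempt per event while it is in flight.
    No retry, so anything arriving during the outage is lost.
    Returns (delivered, lost)."""
    delivered, lost = [], []
    for t, ev in enumerate(events):
        if _down(t, outage):
            lost.append(ev)
        else:
            delivered.append(ev)
    return delivered, lost


def forward_offline(events, outage, catchup_per_tick=3):
    """Offline mode: every event is written to storage first; a separate
    reader drains the store and retries until the destination accepts.
    Nothing is lost, but delivery lags during the outage and catches up
    afterwards. Returns [(delivery_tick, event), ...] in delivery order."""
    store = deque()
    delivered = []
    n = len(events)
    t = 0
    while t < n or store:
        if t < n:
            store.append(events[t])          # persist on arrival
        if not _down(t, outage):
            sent = 0
            while store and sent < catchup_per_tick:
                delivered.append((t, store.popleft()))
                sent += 1
        t += 1
    return delivered


def max_delay(delivered):
    """Largest gap (in ticks) between arrival and delivery for offline mode."""
    return max(t - i for i, (t, _) in enumerate(delivered))


def replay_after_outage(delivered, lost):
    """Manual recovery for online mode: replay the payloads that were
    collected during the outage once the link is back. Completeness is
    restored, but the replayed events arrive after the later live ones."""
    return delivered + lost


if __name__ == "__main__":
    ok, dropped = forward_online(EVENTS, OUTAGE)
    print(f"online: delivered {len(ok)}, lost {len(dropped)}")
    offline = forward_offline(EVENTS, OUTAGE)
    print(f"offline: delivered {len(offline)}, max delay {max_delay(offline)} ticks")
    print(f"after replay: {len(replay_after_outage(ok, dropped))} delivered")
```

The point to take from the run is not the numbers themselves but the shape of the outcome: online mode silently loses exactly the events that arrived during the window, offline mode delivers all of them with a bounded lag, and a replay fills the gap for online mode only if someone notices the outage and exports the missing payloads by hand.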
Original Message:
Sent: Sun April 23, 2023 01:31 AM
From: Niv Lee
Subject: Resend old payloads to other SIEM system
Is it possible to send old payloads to another SIEM system?
The situation is that we had configured a forwarding destination (TCP mode) to another SIEM system, but the connection to the other SIEM system will have monthly downtime for maintenance. The maintenance will take 3-4 hours.
We would like to re-send the payloads (the logs from within the downtime period) to the other SIEM system. Is that possible?
------------------------------
Niv Lee
------------------------------