When it comes to high-speed, near-real-time correlation, nothing comes close to the incredible Events Per Second (EPS) processing rates that QRadar is capable of.
But, just as a Top Fuel Dragster can’t deliver 8,000hp with gasoline, QRadar won’t achieve high EPS performance when fed logs it wasn’t designed to process.
For QRadar administrators, Syslog is a double-edged sword. While this protocol makes it simple to configure a network device to forward logs to QRadar, it makes it equally easy for unwanted logs to be received when endpoints are poorly configured.
At TechXchange Conference 2023, Mark Walborn and I will be hosting a hands-on lab that provides real-world tested practical experience using Rsyslog to resolve common issues that can occur with syslog-based log sources in QRadar SIEM and QRadar Log Insights deployments. Participants will acquire comprehensive knowledge on how to filter unnecessary events, correct broken syslog headers, rewrite, and modify events, and route them to multiple destinations with optional rate limiting. The lab highlights how Rsyslog can enhance log management within your system.
Here are some additional details about our session:
Session Title: Enhancing Log Management with Rsyslog: A QRadar Integration
Session ID: 5288
Date / Time: Monday, Sep 11 2:45 PM - 4:15 PM PDT
Location: MGM Grand Las Vegas, Room TBD
Top 3 issues that will be covered are:
1. Methods to filter unwanted events sent by an endpoint.
2. A solution for sending logs to multiple destinations.
3. Rewriting syslog headers to fix problems and standardize message formatting.
Make sure you register for the TechXchange Conference from Sept 11-Sept 14th in Las Vegas.
Add Session #5288 to your schedule here: Enhancing Log Management with Rsyslog: A QRadar Integration