IBM Security QRadar

 View Only

QRadar’s Gateway Log Source Methodologies

By Sophia Sampath posted Mon September 30, 2019 02:24 PM

  

Gateway Log Source Methodologies - Overview


Many QRadar protocol sources that support collecting data streams that potentially contain data from multiple sources support the “Gateway Log Source” parameter. The following protocol sources are:

  • Amazon AWS S3 REST API
  • Amazon Web Services
  • Apache Kafka
  • Syslog Redirect (who’s sole purpose is to do this)
  • TCP Multiline
  • UDP Multiline

 


This allows you to split the logs back out into multiple log sources even though the data may have been aggregated into a single stream or is being collected by a single log source.

 

Log sources for the dynamic log source identifiers used are either automatically created (if the target DSM supports Traffic Analysis) or may be manually created with the specific DSM type and as Protocol type Syslog.

Gateway Log Sources can be used in one of 3 models:

 

Fan:

  • One Protocol log source creating or targeting multiple log sources


 

Funnel:

  • Multiple protocol sources feeding a single destination log source

 




Fan and Funnel (Fannel):

  • Implements both the performance aspect of multiple log sources (funnel) with the autocreation or multiple destination log source aspect as well (fan).

 

 

1 comment
71 views

Permalink

Comments

FDX Networks
Tue January 03, 2023 12:07 AM

I am using that function.
(Using Amazon AWS WAF DSM)

The log source is not created automatically, the log source type is imported as SIM GENERIC. When creating a log source manually, do I need to set the log source type and protocol type the same as the existing log source?