Hi,
I'm considering collecting events into a QRadar SIEM environment from remote and untrusted sites, i.e. untrusted and unreliable (virtual) hardware and unreliable network connectivity. I'm trying to find the best piece of software to use as an "event proxy" to QRadar while keeping a good level of operations and security for the whole SIEM environment.
I see four options, none of them being perfect:
- IBM QRadar Data Gateway
  - Pros: meets (most) requirements for security and operations
  - Cons: only available for QRoC (QRadar on Cloud)
- IBM QRadar Event Collector
  - Pros: native event collection and parsing
  - Cons (security): configuration for all log sources is pushed to the remote untrusted site, not just the site-specific log sources
  - Cons (operations): problems with hardware or network on the remote site cause problems for the whole QRadar deployment (e.g. during Deploy operations)
- IBM QRadar Disconnected Event Collector
  - Pros: local issues do not impact the whole QRadar deployment
  - Cons: cannot be centrally managed, only supports syslog for collection (not ODBC, RPC, HTTPS API, etc.)
- Non-IBM custom-made event proxy (e.g. Logstash, syslog-ng, etc.)
  - Pros: flexible
  - Cons (operations): software not supported by IBM
  - Cons (operations): questionable DSM support for the forwarded events (e.g. forwarded CSV pulled from a DB via ODBC)
I would appreciate any opinions and experience on this. Thank you!
------------------------------
Martin
------------------------------