IBM QRadar

Correlate Two Log Sources

  • 1.  Correlate Two Log Sources

    Posted Wed October 21, 2020 11:11 AM

    Hello,

    We have communication coming from the internet to a reverse proxy (FortiGate firewall), and the traffic is forwarded to an IIS server. When the traffic is presented to the IIS server, the source IP is the reverse proxy IP.

    So we would like to understand how we should join the two events to know the exact public IP accessing the server.



    #QRadar
    #Support
    #SupportMigration


  • 2.  RE: Correlate Two Log Sources

    Posted Thu November 26, 2020 04:55 PM

    Hello,

    You could enable X-Forwarded-For in your Reverse Proxy.

    This would enable you to get the public source IP address forwarded in the HTTP header to IIS, and hence made available directly (usually by default) in the IIS event logs.

    Regards



    #QRadar
    #Support
    #SupportMigration
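
The approach suggested in the reply, as an added example that is not part of the original thread: a Python sketch that reads IIS W3C log lines carrying a custom `X-Forwarded-For` field and attributes each request to a client address, trusting the header only when the connection came from the reverse proxy. The log lines, the proxy address 10.0.0.5, the custom field name and the assumption that the proxy appends the peer address to any header value it receives are all constructed for illustration.

```python
import ipaddress

# Constructed sample: IIS W3C log with a custom "X-Forwarded-For" field.
# 10.0.0.5 stands in for the reverse proxy; other addresses are documentation ranges.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem c-ip sc-status X-Forwarded-For
2020-11-26 16:55:01 GET /login 10.0.0.5 200 203.0.113.7
2020-11-26 16:55:02 GET /admin 10.0.0.5 403 192.0.2.99,+198.51.100.23
2020-11-26 16:55:03 GET /index 198.51.100.50 200 203.0.113.200
2020-11-26 16:55:04 GET /health 10.0.0.5 200 -
"""

TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.5/32")]  # assumption: proxy address

def parse_w3c(text):
    """Yield one dict per record, using the most recent #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split(" ")))

def is_trusted(addr):
    return any(addr in net for net in TRUSTED_PROXIES)

def client_ip(record):
    """Return the address the request should be attributed to."""
    peer = ipaddress.ip_address(record["c-ip"])
    if not is_trusted(peer):
        return str(peer)  # direct connection: the header is client-supplied, ignore it
    # IIS logs spaces as '+'; each proxy appends its peer, so read right to left
    hops = record.get("X-Forwarded-For", "-").replace("+", "").split(",")
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop.strip())
        except ValueError:
            continue  # '-' (header absent) or a malformed entry
        if not is_trusted(addr):
            return str(addr)
    return str(peer)

def resolve(text):
    return [(r["cs-uri-stem"], client_ip(r)) for r in parse_w3c(text)]

if __name__ == "__main__":
    for uri, ip in resolve(SAMPLE_LOG):
        print(uri, ip)
```

The second sample line shows why the right-most untrusted entry is used: entries to the left of the one written by the proxy come from the client and can be forged.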