IBM Security QRadar

  • 1.  Is it possible to connect a DLC to syslog-ng by TLS?

    Posted Thu November 10, 2022 05:54 AM
    Hello,

    I have a syslog-ng server, is it possible to connect a QRadar DLC to it using TLS?

    Thanks.
    Regards.

    ------------------------------
    Bit1290
    ------------------------------


  • 2.  RE: Is it possible to connect a DLC to syslog-ng by TLS?

    Posted Thu November 10, 2022 09:29 AM

    We have a support technical note to outline how to connect WinCollect events to a DLC with the TLS Syslog protocol here: https://www.ibm.com/support/pages/node/6551380

    Note: WinCollect and DLC are not a tested configuration, which is why the article is written the way it is. However, the procedure would be similar, so you could use this as an overview.

    DLC supports TLS Syslog, but we do not describe the Syslog-ng side of the configuration. We do have a more detailed walkthrough on how to setup TLS Syslog with DLC and certificates that you might find helpful here too: https://www.ibm.com/support/pages/node/6461943.



    ------------------------------
    Jonathan Pechta
    QRadar Support Content Lead
    Support forums: ibm.biz/qradarforums
    jonathan.pechta1@ibm.com
    ------------------------------



  • 3.  RE: Is it possible to connect a DLC to syslog-ng by TLS?

    Posted Thu November 10, 2022 09:43 AM
    Hello Jonathan,

    Thank you very much for your reply.
    I forgot to mention that the goal is to connect the DLC to the Syslog-NG server, like we do when connecting a DLC to QRadar (but instead of QRadar we have a syslog-ng server to forward the logs from the DLC).

    Best regards.

    ------------------------------
    Bit1290
    ------------------------------



  • 4.  RE: Is it possible to connect a DLC to syslog-ng by TLS?

    Posted Thu November 10, 2022 12:19 PM

    Disconnected Log Collector appliances are essentially Event Collector appliances in an RPM. They are intended only to forward data to QRadar appliances and connect to the ecs-ep service that would be running on a Console or Event Processor appliance. The final destination must be QRadar and you cannot send events to a standard Syslog listener, such as Syslog-ng as the DLC is receiving and expects to hand off events to a QRadar service, which would not exist on the Syslog-ng appliance.

    The receiver must be a QRadar Console or Event Processor as described in this image from the documentation:

    [Image: Disconnected Log Collector]



    ------------------------------
    Jonathan Pechta
    QRadar Support Content Lead
    Support forums: ibm.biz/qradarforums
    jonathan.pechta1@ibm.com
    ------------------------------



  • 5.  RE: Is it possible to connect a DLC to syslog-ng by TLS?

    Posted Thu November 10, 2022 12:35 PM
    Hello Jonathan,

    Thank you so much for your support.

    Best regards.

    ------------------------------
    Bit1290
    ------------------------------