To create a Syslog Log Source for IBM QRadar, perform the following procedure.

Procedure

  1. Open the QRadar console.
  2. Go to Admin > QRadar Log Source Management.
  3. In the pop-up window, click Log Sources.
  4. Select Single Log Source.
  5. In the search field, enter and select Carbon Black Cloud.
  6. Click Step 2: Select Protocol Type.
  7. In the search field, enter and select Syslog.
  8. Click Step 3: Configure Log Source Parameters.
  9. Enter a unique Name and optionally change predefined parameters.

    Syslog Log Source parameters

    Note:

    The default value for Coalescing Events is Enabled. Coalescing Events means that when a log source emits multiple similar events in a short time span, they are aggregated. The event count of the single event reflects the number of events that have been aggregated. This feature reduces the storage cost of events. If you want separate events in QRadar for similar alerts, you can disable this option.

  10. Click Step 4: Configure Protocol Parameters.
  11. Enter a unique Log Source Identifier and click Finish.
  12. In the Notification pop-up window in the Admin tab, click Deploy Changes.
  13. Enter the Log Source Identifier from Step 11.
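
The Log Source Identifier from Step 11 has to match what the sender puts in the syslog header, because QRadar's Syslog protocol attributes an event to a log source by comparing the identifier with the host name or IP address in that header. The following check is an added example, not part of the original procedure or of any Carbon Black or IBM tooling; the identifier `cbc-prod-01`, the function names and the sample events are constructed for illustration.

```python
import re

# RFC 3164 header: <PRI>Mmm dd hh:mm:ss HOSTNAME ...
RFC3164 = re.compile(r"^<(\d{1,3})>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2} (\S+) ")
# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME ...
RFC5424 = re.compile(r"^<(\d{1,3})>\d{1,2} \S+ (\S+) ")

# Constructed sample events, as captured on the wire before they reach QRadar.
SAMPLE = [
    "<14>May  1 12:00:00 cbc-prod-01 alert id=1 severity=5",
    "<14>1 2024-05-01T12:00:05Z cbc-prod-01 cbc - - - alert id=2 severity=5",
    "<14>May  1 12:00:09 forwarder-7 alert id=3 severity=5",   # wrong host field
    "alert id=4 severity=5",                                   # no syslog header
]


def header_hostname(line):
    """Return the host field of a syslog header, or None if there is no valid header."""
    for pattern in (RFC5424, RFC3164):
        m = pattern.match(line)
        # PRI is facility * 8 + severity, so valid values are 0..191.
        if m and int(m.group(1)) <= 191:
            return m.group(2)
    return None


def check_identifier(lines, log_source_identifier):
    """Split events into those carrying the identifier and those that do not.

    Comparison is exact (an assumption made here to keep the check strict).
    Returns (matched_lines, [(host_seen, line), ...]).
    """
    matched, unmatched = [], []
    for line in lines:
        host = header_hostname(line)
        if host == log_source_identifier:
            matched.append(line)
        else:
            unmatched.append((host, line))
    return matched, unmatched


if __name__ == "__main__":
    ok, bad = check_identifier(SAMPLE, "cbc-prod-01")
    print(f"{len(ok)} event(s) carry the identifier")
    for host, line in bad:
        print(f"would not map to the log source (host field: {host!r}): {line}")
```

Events reported as not mapping carry a different host field or no syslog header at all, so they would not be attributed to the log source created above.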