Edge Delta IBM QRadar Destination

Send logs to an IBM QRadar endpoint.

Overview

The IBM QRadar Node sends items to an IBM QRadar destination over TLS. The items are processed and formatted to be compatible with QRadar’s SIEM system.

  • incoming_data_types: log

Example Configuration

nodes:
  - name: my_ibm_qradar
    type: ibm_qradar_output
    host: 127.0.0.1
    port: 6514
    tls:
      enabled: true
      ignore_certificate_check: true

Required Parameters

name

A descriptive name for the node. This is the name that appears in Visual Pipelines, and it is the name used to reference this node elsewhere in the YAML. It must be unique across all nodes. It is a YAML list element, so it begins with a - and a space followed by the string. It is a required parameter for all nodes.

nodes:
  - name: <node name>
    type: <node type>

type: ibm_qradar_output

The type parameter specifies the type of node being configured. It is specified as a string from a closed list of node types. It is a required parameter.

nodes:
  - name: <node name>
    type: <node type>

host

The host parameter defines the IBM QRadar host or IP address. It is specified as a string and is required.

nodes:
- name: <node name>
  type: ibm_qradar_output
  host: <host>
  port: <port>

port

The port parameter specifies the port number on the IBM QRadar endpoint that logs are sent to. It is an integer and is required.

nodes:
- name: <node name>
  type: ibm_qradar_output
  host: <host>
  port: 6514

Optional Parameters

pool_size

The pool_size parameter specifies the number of connections to maintain in the connection pool. It is an integer, defaults to 1, and is optional.

nodes:
- name: <node name>
  type: ibm_qradar_output
  host: <host>
  port: <port>
  pool_size: 5

buffer_ttl

The buffer_ttl parameter defines the time-to-live (TTL) for the buffered logs. Logs older than this value will be flushed. It is specified as a duration, defaults to 0 (disabled), and is optional.

nodes:
- name: <node name>
  type: ibm_qradar_output
  host: <host>
  port: <port>
  buffer_ttl: 10m

buffer_path

The buffer_path parameter specifies the directory path where buffered data is stored temporarily. It is specified as a string and is optional.

nodes:
- name: <node name>
  type: ibm_qradar_output
  host: <host>
  port: <port>
  buffer_path: /buffers/qradar

buffer_max_bytesize

The buffer_max_bytesize parameter specifies the maximum size of the buffer in bytes. It is specified as a data size and is optional.

nodes:
- name: <node name>
  type: ibm_qradar_output
  host: <host>
  port: <port>
  buffer_max_bytesize: 512MB

tls

The tls parameter is a dictionary type that enables several options for configuring TLS connections. It is optional.

nodes:
- name: <node name>
  type: ibm_qradar_output
  host: <host>
  port: <port>
  tls:
    <tls options>

enabled

The enabled parameter specifies whether TLS is enabled for the connection. It is a Boolean, defaults to false, and is optional.

nodes:
- name: <node name>
  type: ibm_qradar_output
  host: <host>
  port: <port>
  tls:
    enabled: true

ignore_certificate_check

The ignore_certificate_check parameter disables the validation of certificates for remote endpoints. It is a Boolean, defaults to false, and is optional.

nodes:
- name: <node name>
  type: ibm_qradar_output
  host: <host>
  port: <port>
  tls:
    ignore_certificate_check: true

ca_file

The ca_file parameter specifies the CA certificate file for verifying server certificates. It is a string and optional.

nodes:
- name: <node name>
  type: ibm_qradar_output
  host: <host>
  port: <port>
  tls:
    ca_file: /certs/ca.pem

ca_path

The ca_path parameter specifies the directory containing CA certificate files. It is a string and optional.

nodes:
- name: <node name>
  type: ibm_qradar_output
  host: <host>
  port: <port>
  tls:
    ca_path: /certs

crt_file

The crt_file parameter specifies the certificate file for client authentication. It is a string and optional.

nodes:
- name: <node name>
  type: ibm_qradar_output
  host: <host>
  port: <port>
  tls:
    crt_file: /certs/client-cert.pem

key_file

The key_file parameter specifies the private key file for client authentication. It is a string and optional.

nodes:
- name: <node name>
  type: ibm_qradar_output
  host: <host>
  port: <port>
  tls:
    key_file: /certs/client-key.pem

key_password

The key_password parameter specifies the password for the private key file. It is a string and optional.

nodes:
- name: <node name>
  type: ibm_qradar_output
  host: <host>
  port: <port>
  tls:
    key_password: <password>

client_auth_type

The client_auth_type parameter is a child of the tls parameter. It specifies the authentication type to use for the connection. It is specified as a string from a closed list and is optional.

The following authentication methods are available:

  • noclientcert indicates that no client certificate should be requested during the handshake, and if any certificates are sent they will not be verified.
  • requestclientcert indicates that a client certificate should be requested during the handshake, but does not require that the client send any certificates.
  • requireanyclientcert indicates that a client certificate should be requested during the handshake, and that at least one certificate is required from the client, but that certificate is not required to be valid.
  • verifyclientcertifgiven indicates that a client certificate should be requested during the handshake, but does not require that the client sends a certificate. If the client does send a certificate it is required to be valid.
  • requireandverifyclientcert indicates that a client certificate should be requested during the handshake, and that at least one valid certificate is required to be sent by the client.

nodes:
- name: <node name>
  type: ibm_qradar_output
  host: <host>
  port: <port>
  tls:
    client_auth_type: <auth type>

max_version

The max_version parameter is a child of the tls parameter. It specifies the maximum version of TLS to accept. It is specified as a string and is optional.

You can select one of the following options:

  • TLSv1_0
  • TLSv1_1
  • TLSv1_2
  • TLSv1_3

nodes:
- name: <node name>
  type: ibm_qradar_output
  host: <host>
  port: <port>
  tls:
    max_version: <TLS version>

min_version

The min_version parameter is a child of the tls parameter. It specifies the minimum version of TLS to accept. It is specified as a string and is optional. The default is TLSv1_2.

You can select one of the following options:

  • TLSv1_0
  • TLSv1_1
  • TLSv1_2
  • TLSv1_3

nodes:
- name: <node name>
  type: ibm_qradar_output
  host: <host>
  port: <port>
  tls:
    min_version: <TLS version>
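The example configuration at the top of this page sets ignore_certificate_check: true, which turns off server certificate validation, and the tls options above are what replace it in a production pipeline. The following added example (not Edge Delta code) audits ibm_qradar_output nodes in an already-loaded pipeline definition for those weak TLS settings; it assumes the YAML has been parsed into Python dicts (for example with yaml.safe_load), and the two configurations it checks are constructed inline, one mirroring the page's example and one hardened with ca_file, crt_file, key_file and min_version.

```python
# Added example (not Edge Delta's code): flag weak tls settings on ibm_qradar_output nodes.
# Assumes the pipeline YAML is already loaded into dicts/lists (e.g. via yaml.safe_load).

TLS_ORDER = {"TLSv1_0": 0, "TLSv1_1": 1, "TLSv1_2": 2, "TLSv1_3": 3}  # closed list from the page
WEAK_VERSIONS = {"TLSv1_0", "TLSv1_1"}

def audit_qradar_node(node):
    """Return a list of findings (empty when the node's tls block is acceptable)."""
    findings = []
    tls = node.get("tls") or {}
    if not tls.get("enabled", False):  # page: enabled defaults to false
        findings.append("tls.enabled is false: logs leave the agent in cleartext")
    if tls.get("ignore_certificate_check", False):
        findings.append("tls.ignore_certificate_check is true: the QRadar server certificate is not validated")
    min_v = tls.get("min_version", "TLSv1_2")  # page: min_version defaults to TLSv1_2
    max_v = tls.get("max_version")
    for key, ver in (("min_version", min_v), ("max_version", max_v)):
        if ver is not None and ver not in TLS_ORDER:
            findings.append(f"tls.{key} {ver!r} is not one of {sorted(TLS_ORDER)}")
        elif ver in WEAK_VERSIONS:
            findings.append(f"tls.{key} {ver} allows a deprecated protocol version")
    if min_v in TLS_ORDER and max_v in TLS_ORDER and TLS_ORDER[max_v] < TLS_ORDER[min_v]:
        findings.append("tls.max_version is lower than tls.min_version: no version can be negotiated")
    if bool(tls.get("crt_file")) != bool(tls.get("key_file")):
        findings.append("crt_file and key_file must be set together for client authentication")
    return findings

def audit_pipeline(config):
    """Map node name -> findings for every ibm_qradar_output node in the pipeline."""
    return {n["name"]: audit_qradar_node(n)
            for n in config.get("nodes", []) if n.get("type") == "ibm_qradar_output"}

# Constructed samples: the page's example (validation disabled) next to a hardened node.
WEAK_CONFIG = {"nodes": [{"name": "my_ibm_qradar", "type": "ibm_qradar_output",
                          "host": "127.0.0.1", "port": 6514,
                          "tls": {"enabled": True, "ignore_certificate_check": True}}]}
HARDENED_CONFIG = {"nodes": [{"name": "qradar_prod", "type": "ibm_qradar_output",
                              "host": "qradar.example.internal", "port": 6514,  # hypothetical host
                              "tls": {"enabled": True, "ca_file": "/certs/ca.pem",
                                      "crt_file": "/certs/client-cert.pem",
                                      "key_file": "/certs/client-key.pem",
                                      "min_version": "TLSv1_2"}}]}

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        for name, findings in audit_pipeline(cfg).items():
            print(f"[{label}] {name}: {findings or 'no findings'}")
```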