Adding Forwarding Destinations

Before you can configure bulk or selective data forwarding, you must add a forwarding destination. Normalized events that you forward can be interpreted only by other JSA systems.

Note:

You cannot forward data to systems that use dynamic IP addresses. The connection is established when the service starts, and changes to the IP address are not detected until the service restarts. The forwarding destination must have a static IP address.

  1. On the navigation menu, click Admin.
  2. In the System Configuration section, click Forwarding Destinations.
  3. On the toolbar, click Add.
  4. In the Forwarding Destinations window, enter values for the parameters.

    The following table describes some of the Forwarding Destinations parameters.

    Table 1: Forwarding Destinations Parameters

    Parameter: Event Format
    Description:
      • Payload is the data in the format that the log source or flow source sent. If you select this option, ensure that port 514 is open.
      • Normalized is raw data that is parsed and prepared as readable information for the user interface. If you select this option, ensure that ports 32000 and 32004 are open.
      • JSON (JavaScript Object Notation) is a data-interchange format. If you select this option, ensure that port 5141 is open.

    Parameter: Destination Address
    Description: The IP address or host name of the vendor system that you want to forward data to.

    Parameter: Protocol
    Description:
      Use the TCP protocol to send normalized data over TCP. You must create an off-site source at the destination address on port 32004 for events, or on port 32000 for flows.
      Use the TCP over SSL protocol to send normalized data securely over TCP with an SSL certificate.
      Note: You cannot transmit normalized and JSON data by using the UDP protocol. If you select the Normalized or JSON options, the UDP option in the Protocol list is disabled.

    Parameter: Prefix a syslog header if it is missing or invalid
    Description: Applicable only when the event format is Payload. When JSA forwards syslog messages, the outbound message is verified to ensure that it has a valid syslog header. If a valid syslog header is not detected on the original syslog message and this checkbox is selected, the prefixed syslog header includes the originating IP address from the packet that JSA received in the Hostname field of the syslog header. If this checkbox is not selected, the data is sent unmodified.

  5. Optional: If you are using the TCP over SSL protocol, do the following:
    1. From the command line of the event collector or processor that uses the routing rule to forward data, change the directory to /tmp.

    2. Run the following command, where tlssyslog_server_ip and tlssyslog_port are the IP address and port of the destination: /opt/qradar/bin/getcert.sh tlssyslog_server_ip tlssyslog_port

      A copy of the client certificate is downloaded from the target system and is named with the IP address and port that you downloaded it from.

    3. Move the certificate to /opt/qradar/conf/trusted_certificates/

    4. If the certificate was signed by a commercial or private certificate authority (CA), copy the root CA and intermediate certificates to /etc/pki/ca-trust/source/anchors

    5. Run the following command: update-ca-trust

  6. Click Save.

Setting up a forwarding destination does not automatically send data to that destination. You must configure either a routing rule or a custom rule to forward data to the destination.
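The following Python is an added illustration, not code from JSA or from this page: it checks a destination's settings against the constraints in Table 1 (UDP is not allowed for Normalized or JSON, header prefixing applies only to Payload, the required ports per format) and mimics the "prefix a syslog header" option in simplified form. The PRI value `<13>`, the timestamp format and the minimal "starts with a PRI field" header check are assumptions, as is the advisory for host names (the page requires a static IP but accepts host names).

```python
from __future__ import annotations
import ipaddress
import re
from dataclasses import dataclass

# Ports the page says must be open for each event format.
REQUIRED_PORTS = {"Payload": {514}, "Normalized": {32000, 32004}, "JSON": {5141}}
FORMATS_NOT_OVER_UDP = {"Normalized", "JSON"}

@dataclass
class Destination:
    address: str                 # IP address or host name of the target system
    event_format: str            # "Payload", "Normalized" or "JSON"
    protocol: str                # "UDP", "TCP" or "TCP over SSL"
    prefix_syslog_header: bool = False

def required_ports(d: Destination) -> set[int]:
    """Ports that must be open on the destination for this event format."""
    return set(REQUIRED_PORTS.get(d.event_format, set()))

def validate_destination(d: Destination) -> list[str]:
    """Return the problems found; an empty list means the settings are consistent."""
    problems = []
    if d.event_format not in REQUIRED_PORTS:
        problems.append(f"unknown event format {d.event_format!r}")
    if d.protocol == "UDP" and d.event_format in FORMATS_NOT_OVER_UDP:
        problems.append("Normalized and JSON data cannot be sent over UDP")
    if d.prefix_syslog_header and d.event_format != "Payload":
        problems.append("syslog header prefixing applies only to the Payload format")
    try:
        ipaddress.ip_address(d.address)
    except ValueError:  # a host name: allowed, but it must resolve to a static IP
        problems.append(f"{d.address!r} is a host name; confirm it maps to a static IP")
    return problems

# Assumed minimal header check: a syslog message starts with a PRI field such as <34>.
SYSLOG_PRI = re.compile(r"^<\d{1,3}>")

def prefix_syslog_header(message: str, origin_ip: str, timestamp: str) -> str:
    """Mimic the option: leave messages with a header alone, otherwise prepend
    a header whose HOSTNAME field is the originating IP address of the packet."""
    if SYSLOG_PRI.match(message):
        return message
    return f"<13>{timestamp} {origin_ip} {message}"  # PRI 13 (user.notice) is assumed

if __name__ == "__main__":
    dest = Destination("192.0.2.10", "Normalized", "UDP")     # constructed sample
    print(validate_destination(dest), sorted(required_ports(dest)))
    print(prefix_syslog_header("login failed", "192.0.2.5", "Oct 11 22:14:15"))
```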