Set Up IBM Security QRadar Collector
If you use IBM QRadar as a SIEM, you can set up the IBM Security QRadar collector to retrieve logs from your IBM Security QRadar server. The IBM Security QRadar collector is a set of Site Collector flows, pre-built processors, groups, custom processors, other components, and integrations that pull logs in plain text or JSON format from your IBM Security QRadar server and push them to the Exabeam Security Operations Platform.
Before setting up the collector, ensure that you have Site Collectors version 2.0 or later.
To set up an IBM Security QRadar collector:
Log in to the Exabeam Security Operations Platform with your registered credentials.
Navigate to Collectors > Site Collectors.
Ensure that Site Collector 1.6 or a later version is installed and in the running state.
On the Site Collector page, click the Collectors Library tab, then click IBM Security QRadar.
In the Definition section, enter the required information as follows.
Collector Name – Specify a name for the IBM Security QRadar collector.
Note
Ensure that you specify different names for the Site Collector instance and the collector.
Site Collector Instance – Select the site collector instance for which you want to set up the IBM Security QRadar collector. You can select site collector instances that belong to Site Collectors 1.16 or later.
QRadar IP – Enter the IP address of the QRadar server from which you want the QRadar collector to pull logs.
Click Next.
In the Authentication section, enter the required information as follows.
Authentication – Select the authentication method, Login Pass or Token, that the IBM Security QRadar collector uses to connect to the server.
If you select the authentication method Login Pass, enter the user name and password.
Username – Enter the login name that you already set for the IBM Security QRadar server.
Password – Enter the password that you already set for the IBM Security QRadar server.
If you select the authentication method Token, enter the token value that you generated from your QRadar server by adding an Authorized Service in QRadar with a user role All. For more information, see Creating an authentication token in the IBM documentation.
In the Data section, enter the required information as follows.
Custom Columns – Enter the column names separated by commas. For example: sourceip,destinationip. Exclude the default column names payload, deviceTime, and startTime; the collector pulls these columns automatically.
QRadar Fetch Timestamp – Select the date and time from which you want the collector to fetch logs. By default, the current date and time are selected. To ingest events from the past, select an earlier date as the threshold. The date can be backdated by up to 30 days.
Where Conditions – Enter the where clause conditions to filter logs to be collected. For more information, see WHERE clause in the IBM documentation.
Click Setup.
The IBM Security QRadar collector is set up and is ready to pull logs from your QRadar server.
After the QRadar collector is set up, Site Collector Core starts pulling logs in real time and uploads them to the Exabeam Security Operations Platform. If the QRadar server becomes unavailable, Site Collector Core later resumes pulling logs from where it stopped. Site Collector supports the following three types of logs out of the various types of logs supported by the QRadar server.
Plain text (Syslog one-line events)
JSON (one-line JSONs)
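The Data-section fields above (Custom Columns, QRadar Fetch Timestamp, Where Conditions) end up in a query against the QRadar server, and the resume-from-where-it-stopped behaviour needs a checkpoint. The following Python is an added example, not Exabeam's or IBM's code: it validates those fields the way the page describes (default columns excluded, backdating limited to 30 days), assembles the query, builds the authentication header for either method, and tracks the checkpoint. It assumes the collector queries the Ariel events table with AQL and that QRadar token authentication uses the SEC header; those assumptions are the author's, not stated on this page.

```python
"""Validate the QRadar collector's Data fields and build its query.

Added example (not part of the Exabeam documentation). Assumptions:
the collector issues an AQL SELECT against the Ariel 'events' table,
token authentication is sent in QRadar's SEC header, and rows carry
startTime as epoch milliseconds.
"""
import base64
import re
from datetime import datetime, timedelta, timezone

# Columns the page says the collector pulls automatically; the operator
# must not repeat them in Custom Columns.
DEFAULT_COLUMNS = ("payload", "deviceTime", "startTime")
MAX_BACKDATE_DAYS = 30          # fetch timestamp may be at most 30 days old
_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def parse_custom_columns(raw):
    """Turn 'sourceip,destinationip' into a validated column list.

    Rejects collisions with the default columns, duplicates, and anything
    that is not a bare identifier, so a column value typed into the UI
    can never carry extra AQL into the query that is sent to QRadar.
    """
    cols = []
    defaults = {c.lower() for c in DEFAULT_COLUMNS}
    for name in (part.strip() for part in raw.split(",")):
        if not name:
            continue
        if not _IDENT.match(name):
            raise ValueError("invalid column name: %r" % name)
        if name.lower() in defaults:
            raise ValueError("%s is pulled by default; remove it from Custom Columns" % name)
        if name in cols:
            raise ValueError("duplicate column: %s" % name)
        cols.append(name)
    return cols


def validate_fetch_timestamp(fetch_from, now):
    """Apply the page's rule: the fetch timestamp is backdated by at most 30 days."""
    if fetch_from > now:
        raise ValueError("fetch timestamp is in the future")
    if now - fetch_from > timedelta(days=MAX_BACKDATE_DAYS):
        raise ValueError("fetch timestamp may be at most %d days in the past" % MAX_BACKDATE_DAYS)
    return fetch_from


def build_aql(custom_columns, where, fetch_from, until):
    """Assemble the AQL SELECT for one fetch window (assumed query shape).

    Default columns come first, then the operator's custom columns; the
    Where Conditions field is pasted in verbatim as the WHERE clause.
    """
    cols = ", ".join(DEFAULT_COLUMNS + tuple(custom_columns))
    clause = " WHERE " + where.strip() if where and where.strip() else ""
    fmt = "%Y-%m-%d %H:%M:%S"
    return ("SELECT %s FROM events%s START '%s' STOP '%s'"
            % (cols, clause, fetch_from.strftime(fmt), until.strftime(fmt)))


def auth_header(method, username=None, password=None, token=None):
    """Login Pass -> HTTP Basic; Token -> QRadar's SEC header (assumed)."""
    if method == "Login Pass":
        if not (username and password):
            raise ValueError("Login Pass requires both username and password")
        raw = base64.b64encode(("%s:%s" % (username, password)).encode()).decode()
        return {"Authorization": "Basic " + raw}
    if method == "Token":
        if not token:
            raise ValueError("Token authentication requires a token value")
        return {"SEC": token}
    raise ValueError("unknown authentication method: %s" % method)


def next_checkpoint(rows, previous):
    """Return the newest startTime seen, so a restart resumes where it stopped."""
    latest = previous
    for row in rows:
        seen = datetime.fromtimestamp(row["startTime"] / 1000, tz=timezone.utc)
        if seen > latest:
            latest = seen
    return latest


if __name__ == "__main__":
    now = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)          # constructed clock
    start = validate_fetch_timestamp(datetime(2024, 4, 20, tzinfo=timezone.utc), now)
    cols = parse_custom_columns("sourceip, destinationip")
    print(build_aql(cols, "sourceip = '10.0.0.1'", start, now))
    print(auth_header("Token", token="<token placeholder>"))
    # Constructed rows as the collector might receive them (startTime in ms).
    rows = [{"startTime": 1714560000000}, {"startTime": 1714550000000}]
    print(next_checkpoint(rows, start).isoformat())
```

The checkpoint is deliberately the newest startTime rather than wall-clock time, so an outage of the QRadar server leaves a gap that the next window closes instead of skipping events.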
In case of installation failure, the collector is disabled, and the configuration is saved. The status of the collector can be checked on the UI or using the support package.