On this step, you must send two sets of events to QRadar so that QRadar will automatically add two new log sources—one for verification and the other for events from Feed Service.
To add new log sources:
Send the verification/kl_verification_test.txt
file to QRadar as described in the procedure in subsection "Sending a set of events" below.
After you send the verification test file, QRadar will contain the KL_Verification_Tool
log source.
For testing and final adjustments of integration with QRadar, send the integration/sample_initiallog.txt
sample log file to QRadar as described in the procedure in subsection "Sending a set of events" below.
After you send the sample log file, QRadar will contain the KL_Feed_Service_v2
log source.
Up to 25 events can be missed after a new log source is added, according to the QRadar documentation. So you may have to send sample_initiallog.txt several times. This ensures that some events will be displayed by QRadar and handled by Feed Service.
Sending a set of events
To send events to QRadar:
Connection
element of the Log Scanner configuration file, specify the IPv4 address and port of your QRadar server (usually it is 514
).In Linux:
./log_scanner -p <log_file> [-p <log_file2> ...]
In Windows:
log_scanner.exe -p <log_file> [-p <log_file2> ...]
<log_file>
, <log_file2>
are log files to send. Alternatively, you can specify a directory containing log files to send.
A new log source of the Kaspersky CyberTrace
type appears in the log sources list.
Editing a log source