Step 2. Sending a set of events to QRadar
In this step, you must send two sets of events to QRadar so that QRadar automatically adds two new log sources: one for verification and the other for events from Feed Service.
To add new log sources:
- Send the verification test log file.
  Send the verification/kl_verification_test.txt file to QRadar as described in the procedure in subsection "Sending a set of events" below. After you send the verification test file, QRadar will contain the KL_Verification_Tool log source.
- Send the sample log file.
  For testing and final adjustments of the integration with QRadar, send the integration/sample_initiallog.txt sample log file to QRadar as described in the procedure in subsection "Sending a set of events" below. After you send the sample log file, QRadar will contain the KL_Feed_Service_v2 log source.
  According to the QRadar documentation, up to 25 events can be missed after a new log source is added, so you may have to send sample_initiallog.txt several times. This ensures that some events are displayed by QRadar and handled by Feed Service.
Sending a set of events
To send events to QRadar:
- In the Connection element of the Log Scanner configuration file, specify the IPv4 address and port of your QRadar server (usually the port is 514).
- Invoke the following command from the Log Scanner directory.
  In Linux:
  ./log_scanner -p <log_file> [-p <log_file2> ...]
  In Windows:
  log_scanner.exe -p <log_file> [-p <log_file2> ...]
  Here <log_file>, <log_file2> are the log files to send. Alternatively, you can specify a directory containing the log files to send.
- In QRadar Console (the web interface for QRadar), select Admin > Log Sources.
  A new log source of the Kaspersky CyberTrace type appears in the log sources list.
- In the settings form of the new log source, clear the Coalescing Events check box and click Save.
  (Figure: Editing a log source)
- Deploy the changes by selecting the Admin > Deploy Changes menu item in QRadar Console.
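The resend advice above (replay the sample log until more than the 25 events QRadar may miss have been delivered) can be scripted; the following is an added example, not Kaspersky's Log Scanner and not its configuration format. It assumes each line of the log file is a complete syslog event sent as one UDP datagram to the host and port configured in the Connection element, and uses constructed sample lines in place of integration/sample_initiallog.txt.

```python
import socket
from pathlib import Path

# Constructed sample events standing in for integration/sample_initiallog.txt
# (format and values are illustrative only).
SAMPLE_EVENTS = [
    "<14>Jan 01 00:00:01 proxy01 squid: url=http://example.test/a",
    "<14>Jan 01 00:00:02 proxy01 squid: url=http://example.test/b",
    "<14>Jan 01 00:00:03 fw01 firewall: src=10.0.0.5 dst=203.0.113.9",
]

# QRadar may drop up to this many events while it auto-discovers a new log source.
MAX_MISSED_AFTER_DISCOVERY = 25


def read_events(path):
    """Return the non-empty lines of a log file; one line is one event."""
    text = Path(path).read_text(encoding="utf-8")
    return [line for line in text.splitlines() if line.strip()]


def min_repeats(n_events, max_missed=MAX_MISSED_AFTER_DISCOVERY):
    """Smallest number of replays of an n_events-line file that delivers
    strictly more than max_missed events, so at least one survives discovery."""
    if n_events <= 0:
        raise ValueError("log file contains no events")
    return max_missed // n_events + 1


def send_events(events, qradar_host, port=514, repeat=None, sock=None):
    """Send every event as a UDP syslog datagram, replaying the whole set
    `repeat` times (default: enough to exceed the discovery loss).
    Returns the number of datagrams sent. `sock` lets callers inject a
    socket (or a test double) instead of opening a real UDP socket."""
    if repeat is None:
        repeat = min_repeats(len(events))
    own_socket = sock is None
    if own_socket:
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sent = 0
    try:
        for _ in range(repeat):
            for event in events:
                sock.sendto(event.encode("utf-8"), (qradar_host, port))
                sent += 1
    finally:
        if own_socket:
            sock.close()
    return sent
```

Run with `send_events(read_events("integration/sample_initiallog.txt"), "<qradar-ip>")` after the log source exists; the default replay count is derived from the file length and the 25-event threshold.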