Adding Feed Service as a log source

QRadar must treat Feed Service as a log source to receive the events sent by the service. Feed Service sends events in the QRadar Log Event Extended Format (LEEF), and the new log source in QRadar will be a Universal LEEF log source.

To add Feed Service to QRadar as a log source:

  1. Select the Admin > Log Sources > Add menu item.
  2. In the Add a log source window, type a unique name for the log source.

    This name will be displayed in the GUI for any event from this source.

  3. Type the description of the log source.
  4. Select Universal LEEF in the Log Source Type control.
  5. Select Syslog in the Protocol Configuration drop-down list.
  6. In the Log Source Identifier text box, type the identifier that is set in the Feed Service configuration file—in our case, it is KL_Threat_Feed_Service_v2. This identifier is used in the EventFormat and AlertFormat parameters.

    Do not select the Coalescing Events check box. If you select it, all the events from Feed Service will coalesce into a single event that will contain no useful information.

    Adding a log source to QRadar

  7. Click Save.

Perform the same actions to add another log source with the KL_Verification_Tool identifier. It will be used for testing the interaction between Feed Service and QRadar.

After the two log sources are added, select the Admin > Deploy Changes menu item.
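
The following check is an added example, not part of the original procedure or of Feed Service. It inspects an outgoing syslog line to confirm that it carries one of the two identifiers configured above and a well-formed LEEF header. It assumes the identifier sits in the hostname position of the syslog header; the sample lines, vendor, product and attribute names are constructed placeholders, not actual Feed Service output.

```python
import re
# Identifiers from this page; each needs a QRadar log source with the same Log Source Identifier.
EXPECTED_IDS = {"KL_Threat_Feed_Service_v2", "KL_Verification_Tool"}

# Optional <PRI>, optional RFC 3164 timestamp, identifier in the hostname position, LEEF payload.
SYSLOG_RE = re.compile(
    r"^(?:<\d{1,3}>)?(?:[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2} )?"
    r"(?P<ident>\S+) (?P<leef>LEEF:.*)$")

def parse_leef(payload):
    """Return (header, attrs) for a LEEF 1.0 or 2.0 payload."""
    parts = payload.split("|")
    is_v2 = parts[0] == "LEEF:2.0"
    n_header = 6 if is_v2 else 5          # LEEF 2.0 adds a delimiter field
    if parts[0] not in ("LEEF:1.0", "LEEF:2.0") or len(parts) <= n_header:
        raise ValueError("malformed LEEF header")
    header = dict(zip(("leef", "vendor", "product", "version", "event_id"), parts))
    delim = "\t"                          # LEEF 1.0 attributes are tab-separated
    if is_v2 and parts[5]:                # literal character or hex form such as x5E
        m = re.fullmatch(r"(?:0x|x)([0-9A-Fa-f]{2,4})", parts[5])
        delim = chr(int(m.group(1), 16)) if m else parts[5]
    body = "|".join(parts[n_header:])     # attribute values may contain '|'
    attrs = dict(kv.split("=", 1) for kv in body.split(delim) if "=" in kv)
    return header, attrs

def check_event(line):
    """Return a list of problems that would keep QRadar from mapping the event."""
    m = SYSLOG_RE.match(line.rstrip("\r\n"))
    if not m:
        return ["no LEEF payload after the syslog header"]
    problems = []
    if m.group("ident") not in EXPECTED_IDS:
        problems.append(f"identifier {m.group('ident')!r} has no matching log source")
    try:
        parse_leef(m.group("leef"))
    except ValueError as exc:
        problems.append(str(exc))
    return problems

# Constructed sample lines (vendor, product and attributes are placeholders).
SAMPLES = [
    "<13>Jan  5 10:00:00 KL_Threat_Feed_Service_v2 LEEF:1.0|ExampleVendor|ExampleProduct|1.0|EXAMPLE_EVENT|url=example.test\tsrc=192.0.2.10",
    "<13>Jan  5 10:00:01 KL_Threat_Feed_Service LEEF:1.0|ExampleVendor|ExampleProduct|1.0|EXAMPLE_EVENT|url=example.test",
    "<13>Jan  5 10:00:02 KL_Verification_Tool LEEF:1.0|ExampleVendor|ExampleProduct",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(check_event(s) or "ok")
```

An identifier that differs from the Log Source Identifier by even a suffix, as in the second sample, leaves the event unmatched to the log source created in this procedure.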
