# Send data to QRadar

{% hint style="info" %}
See the changelog of the **QRadar** Data sink type [here](/data-sinks/qradar-data-sink.md).
{% endhint %}

## Overview

Onum supports integration with [QRadar](https://www.ibm.com/products/qradar).

IBM Security QRadar is a security intelligence platform, specifically a Security Information and Event Management (SIEM) and Security Orchestration, Automation, and Response (SOAR) solution.

## Prerequisites&#x20;

You must know the IP address or hostname of the target QRadar component that will receive the data, typically an Event Collector or the Console itself.

Save these, as you will need to enter them later.

## Onum Setup

{% stepper %}
{% step %}
Log in to your Onum tenant and click **Data Sinks> New Data sink**.
{% endstep %}

{% step %}
Double-click the **QRadar** Sink.
{% endstep %}

{% step %}
Enter a **Name** for the new Data Sink. Optionally, add a **Description** and some **Tags** to identify the Sink.
{% endstep %}

{% step %}
Decide whether or not to include this Data sink info in the metrics and graphs of the [**Home**](/the-workspace/home.md) area.
{% endstep %}

{% step %}
Add the configuration to establish the connection, which will be the **Host**<mark style="color:red;">**\***</mark> IP address or hostname (use *0.0.0.0* to indicate all) and the destination IP **Port**<mark style="color:red;">**\***</mark> number.
{% endstep %}

{% step %}
Now you can configure the specifics of the connection details

* **Network buffer size -** a max size for the network buffer. The minimum value is `-1`.
* **Write timeout -** the number of milliseconds to wait before considering the request a timeout. The minimum value is `1`.
* **Idle timeout -** the milliseconds the connection remains open and idle before it is automatically terminated or closed. The minimum value is `1`.
* **Dial timeout -** the maximum time (in ms) allowed for establishing a connection before the attempt is aborted. The minimum value is `1`.
* **Connection Time to Live -** the maximum duration (in ms) the connection remains active before it is forcibly closed, regardless of whether it is idle or in use. The minimum value is `1`.
  {% endstep %}

{% step %}
If you are using a proxy to establish the connection, toggle on the **Proxy configuration** button and enter the details here:

* **Certificate -** your TLS certificate from your [Secrets](https://docs.onum.com/administration/global-settings/organization-settings/secrets-management) or create one.
* **Private Key -** your private key from your [Secrets](https://docs.onum.com/administration/global-settings/organization-settings/secrets-management) or create one.
* **CA Chain -** your CA chain from your [Secrets](https://docs.onum.com/administration/global-settings/organization-settings/secrets-management) or create one.
* **Skip TLS validations -** decide whether or not to skip TLS validations.
* **Minimum TLS version -** the TLS version to use.
* **Subject alternate name to verify -** if you have assigned your TLS configuration another name, enter it here.
  {% endstep %}

{% step %}
In the [Secrets](/administration/global-settings/organization-settings/secrets-management.md) area, **New secret** to create a new one:

* Give the secret a **Name**.
* Turn off the **Expiration date** option.
* Click **Add new value** and paste the corresponding value.
* Click **Save**.

<figure><picture><source srcset="/files/NeeWsSQzoChVxRIY76Nt" media="(prefers-color-scheme: dark)"><img src="/files/1oTccyPmgZJ1laY7IhZH" alt=""></picture><figcaption></figcaption></figure>

{% hint style="info" %}
Learn more about secrets in Onum in [this article](/administration/global-settings/organization-settings/secrets-management.md).
{% endhint %}

You can now select the created secrets in the configuration.
{% endstep %}
{% endstepper %}

Click **Finish** when complete. Your new Data sink will appear in the **Data sinks** area list.

## Pipeline configuration

When you use this sink in a [Pipeline](/the-workspace/pipelines.md), you can configure the output parameters. This is where you give the message the required format to be processed in Qradar.

### Output configuration

If your message already has the required format, toggle **Passthrough** to send on the message exactly as the sink receives it. Uncheck **Passthrough** to manually format the message:

**Type**

<table><thead><tr><th width="170.3828125">Parameter</th><th>Description</th></tr></thead><tbody><tr><td><strong>Output type</strong></td><td><p>The Syslog format to send in:</p><p></p><ul><li>The original BSD format (<strong>Syslog RFC 3164</strong>)</li><li>The “new” format (<strong>Syslog RFC 5424</strong>)</li></ul><p>If you are unsure about the veracity of the fields you have chosen, you can click <strong>Validate</strong> to check if they are valid. For the <strong>Syslog RCF 3164</strong> type, you have the option to <strong>Auto-fix</strong> the values to correctly populate them.</p></td></tr></tbody></table>

You must select the incoming fields that correspond to each value to build the end message in QRadar. The fields to configure will differ depending on the Syslog type chosen.

{% tabs %}
{% tab title="Syslog RFC 3164" %}
**Header**

Enter the header parameters:

* **Priority**<mark style="color:red;">**\***</mark>/ **Severity** **& Facility**<mark style="color:red;">**\***</mark> - The field corresponding to the Priority OR the fields corresponding to the Severity and Facility that will be used to make the Priority field.
* **Timestamp** - The field containing the timestamp value.
* **Hostname** - The field containing the hostname.

**Message**

Enter the fields used to build the body of the message:

* **Tag -** The field containing the tag.
* **ProcId** - The incoming field with the process ID.
* **Content** - The field used as the content field.

**Test mode**

Decide if you want to send events while they are still processing. This is useful to test the Pipeline without the need for a valid destination.
{% endtab %}

{% tab title="Syslog RFC 5424" %}
**Header**

Enter the header parameters:

* **Priority**<mark style="color:red;">**\***</mark> / **Severity** **&** **Facility**<mark style="color:red;">**\***</mark> - The field corresponding to the Priority OR the fields corresponding to the Severity and Facility that will be used to make the Priority field.
* **Timestamp** - The field containing the timestamp value.
* **Hostname** - The field containing the hostname.
* **Appname** - The field containing the application name.
* **ProcID** - The field containing the Process ID.
* **Message ID** - The field containing the Message ID.

**Structured data**

* **Structured data** - Where to source the structured data from.

**Message**

Enter the fields used to build the body of the message:

* **Message** - The field containing the message body.

**Test mode**

Decide if you want to send events while they are still processing. This is useful to test the Pipeline without the need for a valid destination.
{% endtab %}
{% endtabs %}

Click **Save** to save your configuration.


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.onum.com/the-workspace/data-sinks/data-sink-integrations/send-data-to-qradar.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.