I am new to QRadar and stuck on the scenario below. Any help/information would be appreciated.
“We have deployed a syslog server to send the logs to QRadar. The log source (firewall ASA) is configured to send the logs to the syslog server, and the syslog server is configured (via rsyslog.conf) to send the logs to QRadar. It's working fine; QRadar is able to autodiscover the log sources.”
The question here is:
Once the log source is autodiscovered, if we tune the logs on the syslog server (in this case, tuning/filtering unwanted logs), we are not able to see the changes in QRadar, though we do see them on the syslog server. We also observed that once the log source is autodiscovered, even if we stop the rsyslog service or remove the forwarding on the syslog server, we still see the logs from the log source in QRadar.
**Is this how QRadar autodiscovery works?
Can we not filter/tune the logs on the syslog server itself, and pass only the filtered logs on to QRadar?**
What are the alternatives in this scenario?
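As an added example (not from the original post or the poster's own configuration), this is what the rsyslog side of the setup described above can look like when the filtering of unwanted ASA messages is done on the syslog server before anything is forwarded. The file path, the QRadar hostname and port, the UDP listener, and the two message IDs chosen as "unwanted" are assumptions.

```rsyslog
# /etc/rsyslog.d/10-asa-to-qradar.conf   (file name is an assumption)

# Receive syslog from the ASA over UDP/514 (assumption: the ASA sends UDP syslog)
# and hand every message from that listener to a dedicated ruleset.
module(load="imudp")
input(type="imudp" port="514" ruleset="asa_to_qradar")

ruleset(name="asa_to_qradar") {

    # Filter step: drop the message classes you consider noise *before* the
    # forwarding action runs. 302013/302014 (TCP connection built/teardown)
    # are used here only as an example of a high-volume class; which IDs to
    # discard is a local decision.
    if ($msg contains "%ASA-6-302013") or ($msg contains "%ASA-6-302014") then {
        stop
    }

    # Forward step: everything that survived the filter goes to QRadar.
    # The default forwarding template keeps the ASA's own hostname field, so
    # the message still identifies the ASA as the originating device.
    # The host and port are placeholders.
    action(type="omfwd"
           target="qradar.example.internal"
           port="514"
           protocol="tcp"
           queue.type="LinkedList"          # disk-assisted queue so a QRadar
           queue.filename="qradar_fwd"      # outage does not drop events
           action.resumeRetryCount="-1")    # retry forever instead of giving up
}
```

Because the `stop` sits above the `omfwd` action inside the same ruleset, a dropped message never reaches the forwarder; this file only affects traffic that actually passes through the syslog server, so any logging destination the ASA itself has pointing elsewhere is untouched by it.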