QRadar SIEM Integration Prerequisites

Data Collection Methods supported from Arista VeloCloud

VeloCloud consists of multiple services. In this guide, we will describe integration between the SD-WAN Edge appliances and QRadar SIEM, using Syslog and IPFIX Data. Other types of integrations might be delivered in the future. This guide will use the following network connectivity between Edges and QRadar Collector Nodes

Software Version Matrix

The following table shows the versions of both VeloCloud and QRadar used in this guide:

QRadar SIEM Device Support Module (DSM) for VeloCloud

The QRadar DSM (Device Support Module) software component lets QRadar collect data from various devices, such as firewalls, intrusion detection systems, and web proxies. The DSM provides a standardized interface for collecting data from these devices, which makes it easier for QRadar to ingest and analyze the data.

The QRadar DSM also has many features that help improve the performance of QRadar, such as data compression and filtering. This can help reduce the amount of data that QRadar needs to store and process, which can improve the system's performance.

For VeloCloud, you can download proprietary DSM modules from the Arista Developer portal or X-Force App Exchange. The DSM modules make sure that QRadar can format and display messages from VeloCloud services such as Edge devices. The DSM also contains event mappings to inject various VeloCloud events in a standard format message in your enterprise’s overall IT security ecosystem.

QRadar SIEM License Requirements

Make sure the event collectors that collect logs and flow data have enough license allocations in QRadar. After you onboard the service, monitor the license requirements and adjust allocations as needed under (QRadar) Admin > System > System and License Management > License Pool Management .

See this KB Article for more information on event and flow capacity management.