# QRadar

### Overview

Keeper supports event streaming into IBM QRadar deployments. External logging is real-time, and new events will appear almost immediately. Setup instructions are below.

<figure><img src="https://4290574019-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LO5CAzpxoaEquZJBpYz%2Fuploads%2FtY6DFoNgiAJvZSOz88l5%2Fimage.png?alt=media&#x26;token=67a7e1d2-3676-494e-bee0-6c13cc4bc813" alt=""><figcaption><p>QRadar Push Integration Settings</p></figcaption></figure>

Events are pushed to QRadar using the standard Syslog protocol over TCP.

**Ports**\
TCP Ports 514 and 6514 (TLS)

**Fields Exported**\
"audit\_event", "username", "client\_version", "remote\_address", "channel", "result\_code", "email", "to\_username", "client\_version\_new", "username\_new", "file\_format", "record\_uid", "folder\_uid", "folder\_type", "shared\_folder\_uid", "attachment\_id", "team\_uid", "role\_id"

**Example Payload**

{% code overflow="wrap" %}

```
<165>1 2022-10-13T21:05:51.996Z yourLogSourceID keeper - - - {"record_uid":"XXX","audit_event":"fast_fill","remote_address":"12.34.56.78","category":"usage","client_version":"Browser Extensions.16.4.7","username":"user@company.com","enterprise_id":123456}
```

{% endcode %}

{% hint style="info" %}
Important: Ensure that the endpoint uses a valid, signed SSL certificate whose subject name matches the endpoint's domain. The certificate must also include the full certificate chain from your CA. Keeper's systems will refuse to connect to a self-signed certificate.\
\
Also, ensure that your QRadar server allows traffic from Keeper servers. See the [Firewall Configuration](https://docs.keeper.io/en/enterprise-guide/event-reporting/firewall) page.
{% endhint %}
