Most QRadar customers are using Syslog LEEF via UDP as the output. Some others use the Syslog LEEF file output. UDP and TCP both have their own advantages and disadvantages. Just the other day on a call a customer was asking who would want to use TCP over UDP. So each to his own, I guess.
Regarding the CEF and LEEF formats, CEF was required when we integrated with Arcsight ESM in order for us to get CEF certified by Arcsight for use with their SIEM. IBM asked us to add LEEF as an output for Qradar when we integrated with them. Hence the various outputs.
I’m not a QRadar expert, but here is what a couple of customers have done to get the flat-file LEEF data into QRadar using WinCollect:
The best way we’ve figured out is to dump LogBinder output to a file (LEEF) and transfer the information via a WinCollect FileForwarder log source (WinCollect should be configured to use a TCP destination).
In the next step you should change the value called “Max TCP Syslog Payload Length” on QRadar. LogBinder audit events may be huge, so it’s wise to set it to 8192 (the default varies from 2048 to 4096).
That value is visible in the web interface (version 7.2.6 and higher) or in the /opt/qradar/conf/templates/configservice/pluggablesources/TCPSyslog.vm file, in the 4096 section. Changing the value requires a full deploy.
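Why the payload length matters, shown as an added example (this is not code from the original post, from LogBinder or from QRadar): a small Python script that builds a syslog-framed LEEF 1.0 record from a constructed, oversized LogBinder-style audit event and checks its byte length against the 4096 default and the recommended 8192. The LEEF 1.0 layout (a `LEEF:1.0|Vendor|Product|Version|EventID|` header followed by tab-separated `key=value` pairs) is the documented format; the vendor and product strings, the field names, the timestamp and the event text are all made up for the example, and the choice to replace tab and newline characters inside values with spaces is an assumption, not LogBinder’s behaviour.

```python
# Added example: build a syslog-framed LEEF 1.0 record and check it against
# QRadar's "Max TCP Syslog Payload Length". Not LogBinder or QRadar code.

DEFAULT_MAX_PAYLOAD = 4096   # one of the QRadar defaults the post mentions (2048 to 4096)
RAISED_MAX_PAYLOAD = 8192    # the value the post recommends for LogBinder events


def leef_line(vendor, product, version, event_id, attrs, hostname="logbinder01", pri=13):
    """Return one syslog line carrying a LEEF 1.0 record.

    Header: LEEF:1.0|Vendor|Product|Version|EventID|
    Body:   tab-separated key=value attributes.
    Tabs and newlines inside values are replaced with spaces so they cannot be
    mistaken for the attribute delimiter (assumption for this example, not a
    LogBinder rule). The timestamp is fixed so the output is reproducible.
    """
    def clean(value):
        return str(value).replace("\t", " ").replace("\r", " ").replace("\n", " ")

    header = "LEEF:1.0|%s|%s|%s|%s|" % (clean(vendor), clean(product),
                                         clean(version), clean(event_id))
    body = "\t".join("%s=%s" % (key, clean(value)) for key, value in attrs.items())
    timestamp = "Jan 01 12:00:00"  # constructed, fixed for reproducibility
    return "<%d>%s %s %s%s" % (pri, timestamp, hostname, header, body)


def payload_check(line, max_len):
    """Return (byte_length, fits) for one record against a payload limit.

    The limit applies to the bytes QRadar receives, so measure the UTF-8
    encoding rather than the character count.
    """
    size = len(line.encode("utf-8"))
    return size, size <= max_len


# Constructed sample event: the kind of verbose Windows audit record LogBinder
# forwards. The repeated text stands in for a long message field (~5 KB).
SAMPLE_EVENT = {
    "devTime": "Jan 01 2020 12:00:00",
    "usrName": "jdoe",
    "src": "10.0.0.5",
    "EventID": "4688",
    "msg": "A new process has been created. " * 160,
}


def sample_record():
    """Build the sample LEEF record (vendor/product/version strings are made up)."""
    return leef_line("LogBinder", "LogBinder", "1.0", "4688", SAMPLE_EVENT)


if __name__ == "__main__":
    record = sample_record()
    for limit in (DEFAULT_MAX_PAYLOAD, RAISED_MAX_PAYLOAD):
        size, fits = payload_check(record, limit)
        print("%d-byte record vs limit %d: %s" % (size, limit, "fits" if fits else "TOO LARGE"))
```

Run it directly to see the same ~5 KB record rejected at 4096 and accepted at 8192; a record that fails the check is what would arrive truncated at the default setting, which is the reason the post raises the limit before sending LogBinder events over TCP.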