We are attempting to forward logs from LEM to QRadar because of bandwidth concerns. Previously, we used IBM's WinCollect agent to send them directly to the QRadar collectors. However, the subsidiary that we support is asking if they can forward their logs going to LEM to QRadar directly to save on some bandwidth. We have set up log forwarding, but it appears as though LEM is normalizing and adding foreign fields to the syslog instead of forwarding the Windows Security and Events log directly without normalization.
Is there an easy way to do this without redeveloping one or both solutions?