IBM QRadar DSM Configuration Guide December 2019 IBM



Note

Before using this information and the product that it supports, read the information in “Notices” on page 1243.

Product information

This document applies to IBM® QRadar® Security Intelligence Platform V7.2.1 and subsequent releases unless superseded by an updated version of this document.

© Copyright International Business Machines Corporation 2005, 2019.

US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

Contents

About this DSM Configuration Guide ..... xxix

Part 1. QRadar DSM installation and log source management ..... 1

Chapter 1. Event collection from third-party devices ..... 3
    Adding a DSM ..... 4
    Adding a log source ..... 4
    Adding bulk log sources ..... 6
    Adding a log source parsing order ..... 7

Chapter 2. Threat use cases by log source type ..... 9

Chapter 3. Troubleshooting DSMs ..... 21

Part 2. Log sources ..... 23

Chapter 4. Introduction to log source management ..... 25

Chapter 5. Adding a log source ..... 27
    Adding a log source ..... 28
    Adding a log source in the QRadar Log Source Management app ..... 28

Chapter 6. Undocumented Protocols ..... 29
    Configuring an undocumented protocol ..... 29

Chapter 7. Protocol configuration options ..... 31
    Akamai Kona REST API protocol configuration options ..... 31
    Amazon AWS S3 REST API protocol configuration options ..... 32
    Amazon Web Services protocol configuration options ..... 37
    Apache Kafka protocol configuration options ..... 45
        Configuring Apache Kafka to enable Client Authentication ..... 48
        Configuring Apache Kafka to enable SASL Authentication ..... 51
        Troubleshooting Apache Kafka ..... 53
    Blue Coat Web Security Service REST API protocol configuration options ..... 53
    Centrify Redrock REST API protocol configuration options ..... 54
    Cisco Firepower eStreamer protocol configuration options ..... 55
    Cisco NSEL protocol configuration options ..... 56
    EMC VMware protocol configuration options ..... 57
    Forwarded protocol configuration options ..... 58
    Google G Suite Activity Reports REST API protocol options ..... 58
    HTTP Receiver protocol configuration options ..... 59
    IBM BigFix SOAP protocol configuration options ..... 59
    JDBC protocol configuration options ..... 60
    JDBC - SiteProtector protocol configuration options ..... 64
    Juniper Networks NSM protocol configuration options ..... 66
    Juniper Security Binary Log Collector protocol configuration options ..... 66
    Log File protocol configuration options ..... 67
    Microsoft Azure Event Hubs protocol configuration options ..... 68
    Microsoft DHCP protocol configuration options ..... 70
    Microsoft Exchange protocol configuration options ..... 72


    Microsoft IIS protocol configuration options ..... 74
    Microsoft Security Event Log protocol configuration options ..... 76
        Microsoft Security Event Log over MSRPC Protocol ..... 76
    MQ protocol configuration options ..... 80
    Okta REST API protocol configuration options ..... 81
    OPSEC/LEA protocol configuration options ..... 81
    Oracle Database Listener protocol configuration options ..... 83
    PCAP Syslog Combination protocol configuration options ..... 84
    SDEE protocol configuration options ..... 86
    SMB Tail protocol configuration options ..... 87
    SNMPv2 protocol configuration options ..... 88
    SNMPv3 protocol configuration options ..... 89
    Seculert Protection REST API protocol configuration options ..... 89
    Sophos Enterprise Console JDBC protocol configuration options ..... 91
    Sourcefire Defense Center eStreamer protocol options ..... 93
    Syslog Redirect protocol overview ..... 93
    TCP multiline syslog protocol configuration options ..... 93
    TLS syslog protocol configuration options ..... 98
        Configuring multiple log sources over TLS syslog ..... 100
    UDP multiline syslog protocol configuration options ..... 101
        Configuring UDP multiline syslog for Cisco ACS appliances ..... 104
    VMware vCloud Director protocol configuration options ..... 105

Chapter 8. Adding bulk log sources ..... 107

Chapter 9. Editing bulk log sources ..... 109

Chapter 10. Adding a log source parsing order ..... 111

Chapter 11. Log source extensions ..... 113
    Building a Universal DSM ..... 113
    Exporting the logs ..... 114
    Examples of log source extensions on QRadar forum ..... 115
    Patterns in log source extension documents ..... 116
    Match groups ..... 116
        Matcher (matcher) ..... 117
        JSON matcher (json-matcher) ..... 122
        LEEF matcher (leef-matcher) ..... 126
        CEF matcher (cef-matcher) ..... 127
        Multi-event modifier (event-match-multiple) ..... 127
        Single-event modifier (event-match-single) ..... 128
    Extension document template ..... 129
    Creating a log source extensions document to get data into QRadar ..... 131
        Common regular expressions ..... 132
        Building regular expression patterns ..... 133
        Uploading extension documents to QRadar ..... 135
    Parsing issues and examples ..... 135
        Parsing a CSV log format ..... 138

Chapter 12. Manage log source extensions ..... 139
    Adding a log source extension ..... 139

Part 3. DSMs ..... 141

Chapter 13. 3Com Switch 8800 ..... 143
    Configuring your 3COM Switch 8800 ..... 143


Chapter 14. AhnLab Policy Center ..... 145

Chapter 15. Akamai Kona ..... 147
    Configure an Akamai Kona log source by using the HTTP Receiver protocol ..... 147
    Configuring an Akamai Kona log source by using the Akamai Kona REST API protocol ..... 148
    Configuring Akamai Kona to communicate with QRadar ..... 150
    Creating an event map for Akamai Kona events ..... 150
    Modifying the event map for Akamai Kona ..... 151
    Sample event messages ..... 152

Chapter 16. Amazon AWS CloudTrail ..... 155
    Configuring an Amazon AWS CloudTrail log source by using the Amazon AWS S3 REST API protocol ..... 156
        Configuring an Amazon AWS CloudTrail log source that uses an S3 bucket with an SQS queue ..... 156
        Configuring an Amazon AWS CloudTrail log source that uses an S3 bucket with a directory prefix ..... 168
    Configuring an Amazon AWS CloudTrail log source by using the Amazon Web Services protocol ..... 176
        Configuring an Amazon AWS CloudTrail log source by using the Amazon Web Services protocol and Kinesis Data Streams ..... 177
        Configuring an Amazon AWS CloudTrail log source by using the Amazon Web Services protocol and CloudWatch Logs ..... 182

Chapter 17. Amazon AWS Security Hub ..... 189
    Creating an IAM role for the Lambda function ..... 193
    Creating a Lambda function ..... 194
    Creating a CloudWatch events rule ..... 195
    Configuring the Lambda function ..... 196
    Creating a log group and log stream to retrieve Amazon AWS Security Hub events for QRadar ..... 198
    Creating an Identity and Access (IAM) user in the AWS Management Console when using Amazon Web Services ..... 198
    Amazon AWS Security Hub DSM specifications ..... 199
    Amazon AWS Security Hub Sample event messages ..... 199

Chapter 18. Amazon GuardDuty ..... 201
    Configuring an Amazon GuardDuty log source by using the Amazon Web Services protocol ..... 201
        Creating an IAM role for the Lambda function ..... 205
        Creating a Lambda function ..... 207
        Creating a CloudWatch events rule ..... 207
        Configuring the Lambda function ..... 208
    Creating a log group and log stream to retrieve Amazon GuardDuty events for QRadar ..... 209
    Creating an Identity and Access (IAM) user in the AWS Management Console when using Amazon Web Services ..... 210
    Sample event message ..... 210

Chapter 19. Ambiron TrustWave ipAngel ..... 213

Chapter 20. Amazon VPC Flow Logs ..... 215
    Amazon VPC Flow Logs specifications ..... 218
    Publishing flow logs to an S3 bucket ..... 219
    Create the SQS queue that is used to receive ObjectCreated notifications ..... 219
    Configuring security credentials for your AWS user account ..... 220

Chapter 21. APC UPS ..... 221
    Configuring your APC UPS to forward syslog events ..... 222

Chapter 22. Apache HTTP Server ..... 223


    Configuring Apache HTTP Server with syslog ..... 223
    Configuring a Log Source in IBM QRadar ..... 224
    Configuring Apache HTTP Server with syslog-ng ..... 225
    Configuring a log source ..... 226

Chapter 23. Apple Mac OS X ..... 227
    Configuring a Mac OS X log source ..... 227
    Configuring syslog on your Apple Mac OS X ..... 227

Chapter 24. Application Security DbProtect ..... 231
    Installing the DbProtect LEEF Relay Module ..... 232
    Configuring the DbProtect LEEF Relay ..... 232
    Configuring DbProtect alerts ..... 233

Chapter 25. Arbor Networks ..... 235
    Arbor Networks Peakflow SP ..... 235
        Supported event types for Arbor Networks Peakflow SP ..... 236
        Configuring a remote syslog in Arbor Networks Peakflow SP ..... 236
        Configuring global notifications settings for alerts in Arbor Networks Peakflow SP ..... 236
        Configuring alert notification rules in Arbor Networks Peakflow SP ..... 237
        Configuring an Arbor Networks Peakflow SP log source ..... 237
    Arbor Networks Pravail ..... 238
        Configuring your Arbor Networks Pravail system to send events to IBM QRadar ..... 239

Chapter 26. Arpeggio SIFT-IT ..... 241
    Configuring a SIFT-IT agent ..... 241
    Configuring an Arpeggio SIFT-IT log source ..... 242
    Additional information ..... 243

Chapter 27. Array Networks SSL VPN ..... 245
    Configuring a log source ..... 245

Chapter 28. Aruba Networks ..... 247
    Aruba ClearPass Policy Manager ..... 247
        Configuring Aruba ClearPass Policy Manager to communicate with QRadar ..... 248
    Aruba Introspect ..... 248
        Configuring Aruba Introspect to communicate with QRadar ..... 250
    Aruba Mobility Controllers ..... 251
        Configuring your Aruba Mobility Controller ..... 251
        Configuring a log source ..... 251

Chapter 29. Avaya VPN Gateway ..... 253
    Avaya VPN Gateway DSM integration process ..... 253
    Configuring your Avaya VPN Gateway system for communication with IBM QRadar ..... 254
    Configuring an Avaya VPN Gateway log source in IBM QRadar ..... 254

Chapter 30. BalaBit IT Security ..... 255
    BalaBit IT Security for Microsoft Windows Events ..... 255
        Configuring the Syslog-ng Agent event source ..... 255
        Configuring a syslog destination ..... 256
        Restarting the Syslog-ng Agent service ..... 257
        Configuring a log source ..... 257
    BalaBit IT Security for Microsoft ISA or TMG Events ..... 258
        Configure the BalaBit Syslog-ng Agent ..... 258
        Configuring the BalaBit Syslog-ng Agent file source ..... 258
        Configuring a BalaBit Syslog-ng Agent syslog destination ..... 259
        Filtering the log file for comment lines ..... 259
        Configuring a BalaBit Syslog-ng PE Relay ..... 260


        Configuring a log source ..... 261

Chapter 31. Barracuda ..... 263
    Barracuda Spam & Virus Firewall ..... 263
        Configuring syslog event forwarding ..... 263
        Configuring a log source ..... 263
    Barracuda Web Application Firewall ..... 264
        Configuring Barracuda Web Application Firewall to send syslog events to QRadar ..... 265
        Configuring Barracuda Web Application Firewall to send syslog events to QRadar for devices that do not support LEEF ..... 265
    Barracuda Web Filter ..... 266
        Configuring syslog event forwarding ..... 267
        Configuring a log source ..... 267

Chapter 32. BeyondTrust PowerBroker ..... 269
    Configuring BeyondTrust PowerBroker to communicate with QRadar ..... 270
    BeyondTrust PowerBroker DSM specifications ..... 271
    Sample event messages ..... 272

Chapter 33. BlueCat Networks Adonis ..... 273
    Supported event types ..... 273
    Event type format ..... 273
    Configuring BlueCat Adonis ..... 274
    Configuring a log source in IBM QRadar ..... 274

Chapter 34. Blue Coat ..... 275
    Blue Coat SG ..... 275
        Creating a custom event format ..... 276
        Creating a log facility ..... 277
        Enabling access logging ..... 277
        Configuring Blue Coat SG for FTP uploads ..... 278
        Configuring a Blue Coat SG Log Source ..... 278
        Configuring Blue Coat SG for syslog ..... 281
        Creating extra custom format key-value pairs ..... 282
    Blue Coat Web Security Service ..... 282
        Configuring Blue Coat Web Security Service to communicate with QRadar ..... 283

Chapter 35. Box ..... 285
    Configuring Box to communicate with QRadar ..... 286

Chapter 36. Bridgewater ..... 289
    Configuring Syslog for your Bridgewater Systems Device ..... 289
    Configuring a log source ..... 289

Chapter 37. Brocade Fabric OS ..... 291
    Configuring syslog for Brocade Fabric OS appliances ..... 291

Chapter 38. CA Technologies ..... 293
    CA ACF2 ..... 293
        Create a log source for near real-time event feed ..... 294
        Creating a log source for Log File protocol ..... 294
        Integrate CA ACF2 with IBM QRadar by using audit scripts ..... 298
        Configuring CA ACF2 that uses audit scripts to integrate with IBM QRadar ..... 298
    CA SiteMinder ..... 301
        Configuring a log source ..... 301
        Configuring Syslog-ng for CA SiteMinder ..... 303
    CA Top Secret ..... 303
        Creating a log source for Log File protocol ..... 304

    vii

  • Create a log source for near real-time event feed.......................................................................308Integrate CA Top Secret with IBM QRadar by using audit scripts.............................................. 308Configuring CA Top Secret that uses audit scripts to integrate with IBM QRadar..................... 309

    Chapter 39. Carbon Black ... 313
        Carbon Black ... 313
            Configuring Carbon Black to communicate with QRadar ... 314
        Carbon Black Protection ... 315
            Configuring Carbon Black Protection to communicate with QRadar ... 316
        Carbon Black Bit9 Parity ... 317
            Configuring a log source for Carbon Black Bit 9 Parity ... 317
        Bit9 Security Platform ... 318
            Configuring Carbon Black Bit9 Security Platform to communicate with QRadar ... 318

    Chapter 40. Centrify ... 321
        Centrify Identity Platform ... 321
            Centrify Identity Platform DSM specifications ... 322
            Configuring Centrify Identity Platform to communicate with QRadar ... 323
            Sample event message ... 324
        Centrify Infrastructure Services ... 324
            Configuring WinCollect agent to collect event logs from Centrify Infrastructure Services ... 326
            Configuring Centrify Infrastructure Services on a UNIX or Linux device to communicate with QRadar ... 327
            Sample event messages ... 328

    Chapter 41. Check Point ... 331
        Check Point ... 331
            Integration of Check Point by using OPSEC ... 331
            Adding a Check Point Host ... 332
            Creating an OPSEC Application Object ... 332
            Locating the log source SIC ... 333
            Configuring an OPSEC/LEA log source in IBM QRadar ... 333
            Edit your OPSEC communications configuration ... 335
            Updating your Check Point OPSEC log source ... 336
            Changing the default port for OPSEC LEA communication ... 336
            Configuring OPSEC LEA for unencrypted communications ... 336
            Integration of Check Point Firewall events from external syslog forwarders ... 340
            Configuring Check Point to forward LEEF events to QRadar ... 342
            Sample event messages ... 344
        Check Point Multi-Domain Management (Provider-1) ... 345
            Integrating syslog for Check Point Multi-Domain Management (Provider-1) ... 345
            Configuring a log source ... 346
            Configuring OPSEC for Check Point Multi-Domain Management (Provider-1) ... 347
            Configuring an OPSEC log source ... 347
            Configuring Check Point to forward LEEF events to QRadar ... 348

    Chapter 42. Cilasoft QJRN/400 ... 351
        Configuring Cilasoft QJRN/400 ... 351
        Configuring a Cilasoft QJRN/400 log source ... 352

    Chapter 43. Cisco ... 355
        Cisco ACE Firewall ... 355
            Configuring Cisco ACE Firewall ... 355
            Configuring a log source ... 355
        Cisco ACS ... 356
            Configuring Syslog for Cisco ACS v5.x ... 356
            Creating a Remote Log Target ... 357
            Configuring global logging categories ... 357
            Configuring a log source ... 357
            Configuring Syslog for Cisco ACS v4.x ... 358
            Configuring syslog forwarding for Cisco ACS v4.x ... 358
            Configuring a log source for Cisco ACS v4.x ... 359
            Configuring UDP multiline syslog for Cisco ACS appliances ... 360
        Cisco Aironet ... 361
            Configuring a log source ... 362
        Cisco ASA ... 362
            Integrate Cisco ASA Using Syslog ... 362
            Configuring syslog forwarding ... 363
            Configuring a log source ... 364
            Integrate Cisco ASA for NetFlow by using NSEL ... 364
            Configuring NetFlow Using NSEL ... 364
            Configuring a log source ... 366
        Cisco AMP ... 367
            Cisco AMP DSM specifications ... 367
            Creating a Cisco AMP Client ID and API key for event queues ... 368
            Creating a Cisco AMP event stream ... 369
            Configure a log source for a user to manage the Cisco AMP event stream ... 370
            Sample event message ... 371
        Cisco CallManager ... 372
            Configuring syslog forwarding ... 372
            Configuring a log source ... 373
        Cisco CatOS for Catalyst Switches ... 373
            Configuring syslog ... 373
            Configuring a log source ... 374
        Cisco Cloud Web Security ... 375
            Configuring Cloud Web Security to communicate with QRadar ... 377
        Cisco CSA ... 378
            Configuring syslog for Cisco CSA ... 378
            Configuring a log source ... 379
        Cisco Firepower Management Center ... 379
            Creating Cisco Firepower Management Center 5.x and 6.x certificates ... 382
            Importing a Cisco Firepower Management Center certificate in QRadar ... 383
            Configure your Cisco Firepower appliance to send intrusion or connection events to QRadar by using Syslog ... 384
            Cisco Firepower Management Center log source parameters ... 385
        Cisco FWSM ... 385
            Configuring Cisco FWSM to forward syslog events ... 385
            Configuring a log source ... 386
        Cisco Identity Services Engine ... 386
            Configuring a remote logging target in Cisco ISE ... 390
            Configuring logging categories in Cisco ISE ... 390
        Cisco IDS/IPS ... 391
        Cisco IOS ... 393
            Configuring Cisco IOS to forward events ... 393
            Configuring a log source ... 394
        Cisco IronPort ... 395
            Cisco IronPort DSM specifications ... 395
            Configuring Cisco IronPort appliances to communicate with QRadar ... 396
            Configuring a Cisco IronPort and Cisco ESA log source by using the log file protocol ... 397
            Configuring a Cisco IronPort and Cisco WSA log source by using the Syslog protocol ... 400
            Sample event messages ... 400
        Cisco Meraki ... 401
            Cisco Meraki DSM specifications ... 401
            Configure Cisco Meraki to communicate with IBM QRadar ... 402
            Sample event messages ... 402
        Cisco NAC ... 404
            Configuring Cisco NAC to forward events ... 404
            Configuring a log source ... 405
        Cisco Nexus ... 405
            Configuring Cisco Nexus to forward events ... 405
            Configuring a log source ... 406
        Cisco Pix ... 407
            Configuring Cisco Pix to forward events ... 407
            Configuring a log source ... 407
        Cisco Stealthwatch ... 408
            Configuring Cisco Stealthwatch to communicate with QRadar ... 409
        Cisco Umbrella ... 410
            Configure Cisco Umbrella to communicate with QRadar ... 413
            Cisco Umbrella DSM specifications ... 413
            Sample event messages ... 413
        Cisco VPN 3000 Concentrator ... 414
            Configuring a log source ... 414
        Cisco Wireless LAN Controllers ... 415
            Configuring syslog for Cisco Wireless LAN Controller ... 415
            Configuring a syslog log source in IBM QRadar ... 416
            Configuring SNMPv2 for Cisco Wireless LAN Controller ... 417
            Configuring a trap receiver for Cisco Wireless LAN Controller ... 418
            Configuring a log source for the Cisco Wireless LAN Controller that uses SNMPv2 ... 418
        Cisco Wireless Services Module ... 420
            Configuring Cisco WiSM to forward events ... 420
            Configuring a log source ... 421

    Chapter 44. Citrix ... 423
        Citrix NetScaler ... 423
            Configuring a Citrix NetScaler log source ... 424
        Citrix Access Gateway ... 424
            Configuring a Citrix Access Gateway log source ... 425

    Chapter 45. Cloudera Navigator ... 427
        Configuring Cloudera Navigator to communicate with QRadar ... 428

    Chapter 46. CloudPassage Halo ... 429
        Configuring CloudPassage Halo for communication with QRadar ... 429
        Configuring a CloudPassage Halo log source in QRadar ... 431

    Chapter 47. CloudLock Cloud Security Fabric ... 433
        Configuring CloudLock Cloud Security Fabric to communicate with QRadar ... 434

    Chapter 48. Correlog Agent for IBM z/OS ... 435
        Configuring your CorreLog Agent system for communication with QRadar ... 436

    Chapter 49. CrowdStrike Falcon Host ... 437
        Configuring CrowdStrike Falcon Host to communicate with QRadar ... 438

    Chapter 50. CRYPTOCard CRYPTO-Shield ... 441
        Configuring a log source ... 441
        Configuring syslog for CRYPTOCard CRYPTO-Shield ... 441

    Chapter 51. CyberArk ... 443
        CyberArk Privileged Threat Analytics ... 443
            Configuring CyberArk Privileged Threat Analytics to communicate with QRadar ... 444
        CyberArk Vault ... 444
            Configuring syslog for CyberArk Vault ... 445
            Configuring a log source for CyberArk Vault ... 445

    Chapter 52. CyberGuard Firewall/VPN Appliance ... 447
        Configuring syslog events ... 447
        Configuring a log source ... 447

    Chapter 53. Damballa Failsafe ... 449
        Configuring syslog for Damballa Failsafe ... 449
        Configuring a log source ... 449

    Chapter 54. DG Technology MEAS ... 451
        Configuring your DG Technology MEAS system for communication with QRadar ... 451

    Chapter 55. Digital China Networks (DCN) ... 453
        Configuring a log source ... 453
        Configuring a DCN DCS/DCRS Series Switch ... 454

    Chapter 56. Enterprise-IT-Security.com SF-Sherlock ... 455
        Configuring Enterprise-IT-Security.com SF-Sherlock to communicate with QRadar ... 456

    Chapter 57. Epic SIEM ... 457
        Configuring Epic SIEM 2014 to communicate with QRadar ... 458
        Configuring Epic SIEM 2015 to communicate with QRadar ... 458
        Configuring Epic SIEM 2017 to communicate with QRadar ... 460

    Chapter 58. ESET Remote Administrator ... 463
        Configuring ESET Remote Administrator to communicate with QRadar ... 464

    Chapter 59. Exabeam ... 465
        Configuring Exabeam to communicate with QRadar ... 465

    Chapter 60. Extreme ... 467
        Extreme 800-Series Switch ... 467
            Configuring your Extreme 800-Series Switch ... 467
            Configuring a log source ... 467
        Extreme Dragon ... 468
            Creating a Policy for Syslog ... 468
            Configuring a log source ... 470
            Configure the EMS to forward syslog messages ... 470
            Configuring syslog-ng Using Extreme Dragon EMS V7.4.0 and later ... 470
            Configuring syslogd Using Extreme Dragon EMS V7.4.0 and earlier ... 471
        Extreme HiGuard Wireless IPS ... 471
            Configuring Enterasys HiGuard ... 472
            Configuring a log source ... 472
        Extreme HiPath Wireless Controller ... 473
            Configuring your HiPath Wireless Controller ... 473
            Configuring a log source ... 474
        Extreme Matrix Router ... 474
        Extreme Matrix K/N/S Series Switch ... 475
        Extreme NetSight Automatic Security Manager ... 476
        Extreme NAC ... 477
            Configuring a log source ... 477
        Extreme stackable and stand-alone switches ... 477
        Extreme Networks ExtremeWare ... 479
            Configuring a log source ... 479
        Extreme XSR Security Router ... 479

    Chapter 61. F5 Networks ... 481
        F5 Networks BIG-IP AFM ... 481
            Configuring a logging pool ... 481
            Creating a high-speed log destination ... 482
            Creating a formatted log destination ... 482
            Creating a log publisher ... 482
            Creating a logging profile ... 483
            Associating the profile to a virtual server ... 483
            Configuring a log source ... 484
        F5 Networks BIG-IP APM ... 484
            Configuring Remote Syslog for F5 BIG-IP APM V11.x to V14.x ... 484
            Configuring a Remote Syslog for F5 BIG-IP APM 10.x ... 485
            Configuring a log source ... 485
        Configuring F5 Networks BIG-IP ASM ... 486
            Configuring a log source ... 487
        F5 Networks BIG-IP LTM ... 487
            Configuring a log source ... 487
            Configuring syslog forwarding in BIG-IP LTM ... 488
            Configuring Remote Syslog for F5 BIG-IP LTM V11.x to V14.x ... 488
            Configuring Remote Syslog for F5 BIG-IP LTM V10.x ... 489
            Configuring Remote Syslog for F5 BIG-IP LTM V9.4.2 to V9.4.8 ... 489
        F5 Networks FirePass ... 490
            Configuring syslog forwarding for F5 FirePass ... 490
            Configuring a log source ... 490

    Chapter 62. Fair Warning ... 493
        Configuring a log source ... 493

    Chapter 63. Fasoo Enterprise DRM ... 495
        Configuring Fasoo Enterprise DRM to communicate with QRadar ... 499

    Chapter 64. Fidelis XPS ... 501
        Configuring Fidelis XPS ... 501
        Configuring a log source ... 502

    Chapter 65. FireEye ... 503
        Configuring your FireEye system for communication with QRadar ... 505
        Configuring your FireEye HX system for communication with QRadar ... 505

    Chapter 66. Forcepoint ..... 507
        FORCEPOINT Stonesoft Management Center ..... 507

            Configuring FORCEPOINT Stonesoft Management Center to communicate with QRadar ..... 508
            Configuring a syslog traffic rule for FORCEPOINT Stonesoft Management Center ..... 509

        Forcepoint Sidewinder ..... 510
            Forcepoint Sidewinder DSM specifications ..... 511
            Configure Forcepoint Sidewinder to communicate with QRadar ..... 511
            Sample event messages ..... 511

        Forcepoint TRITON ..... 512
            Configuring syslog for Forcepoint TRITON ..... 513
            Configuring a log source for Forcepoint TRITON ..... 513

        Forcepoint V-Series Data Security Suite ..... 514
            Configuring syslog for Forcepoint V-Series Data Security Suite ..... 514
            Configuring a log source for Forcepoint V-Series Data Security Suite ..... 515

        Forcepoint V-Series Content Gateway ..... 515
            Configure syslog for Forcepoint V-Series Content Gateway ..... 515
            Configuring the Management Console for Forcepoint V-Series Content Gateway ..... 516
            Enabling Event Logging for Forcepoint V-Series Content Gateway ..... 516
            Configuring a log source for Forcepoint V-Series Content Gateway ..... 517
            Log file protocol for Forcepoint V-Series Content Gateway ..... 517

    Chapter 67. ForeScout CounterACT ..... 519
        Configuring a log source ..... 519
        Configuring the ForeScout CounterACT Plug-in ..... 520
        Configuring ForeScout CounterACT Policies ..... 520

    Chapter 68. Fortinet FortiGate Security Gateway ..... 523
        Configuring a syslog destination on your Fortinet FortiGate Security Gateway device ..... 524
        Configuring a syslog destination on your Fortinet FortiAnalyzer device ..... 524

    Chapter 69. Foundry FastIron ..... 527
        Configuring syslog for Foundry FastIron ..... 527
        Configuring a log source ..... 527

    Chapter 70. FreeRADIUS ..... 529
        Configuring your FreeRADIUS device to communicate with QRadar ..... 529

    Chapter 71. Generic ..... 531
        Generic Authorization Server ..... 531

            Configuring event properties ..... 531
            Configuring a log source ..... 533

        Generic Firewall ..... 533
            Configuring event properties ..... 534
            Configuring a log source ..... 535

    Chapter 72. genua genugate ..... 537
        Configuring genua genugate to send events to QRadar ..... 538

    Chapter 73. Google G Suite Activity Reports ..... 539
        Google G Suite Activity Reports DSM specifications ..... 539
        Configuring Google G Suite Activity Reports to communicate with QRadar ..... 540
        Assign a role to a user ..... 540
        Create a service account with viewer access ..... 542
        Grant API client access to a service account ..... 542
        Google G Suite Activity Reports log source parameters ..... 543
        Sample event messages ..... 544
        Troubleshooting Google G Suite Activity Reports ..... 545

            Invalid private keys ..... 545
            Authorization errors ..... 546
            Invalid email or username errors ..... 546
            Invalid JSON formatting ..... 547
            Network errors ..... 547
            Google G Suite Activity Reports FAQ ..... 547

    Chapter 74. Great Bay Beacon ..... 549
        Configuring syslog for Great Bay Beacon ..... 549
        Configuring a log source ..... 549

    Chapter 75. HBGary Active Defense ..... 551
        Configuring HBGary Active Defense ..... 551
        Configuring a log source ..... 551

    Chapter 76. H3C Technologies ..... 553
        H3C Comware Platform ..... 553

            Configuring H3C Comware Platform to communicate with QRadar ..... 554

    Chapter 77. Honeycomb Lexicon File Integrity Monitor (FIM) ..... 555
        Supported Honeycomb FIM event types logged by QRadar ..... 555

        Configuring the Lexicon mesh service ..... 556
        Configuring a Honeycomb Lexicon FIM log source in QRadar ..... 556

    Chapter 78. Hewlett Packard (HP) ..... 559
        HP Network Automation ..... 559
            Configuring HP Network Automation Software to communicate with QRadar ..... 560
        HP ProCurve ..... 561

            Configuring a log source ..... 561
        HP Tandem ..... 562
        Hewlett Packard UniX (HP-UX) ..... 563

            Adding a log source ..... 563

    Chapter 79. Huawei ..... 565
        Huawei AR Series Router ..... 565

            Configuring a log source ..... 565
            Configuring Your Huawei AR Series Router ..... 566

        Huawei S Series Switch ..... 567
            Configuring a log source ..... 567
            Configuring Your Huawei S Series Switch ..... 568

    Chapter 80. HyTrust CloudControl ..... 569
        Configuring HyTrust CloudControl to communicate with QRadar ..... 570

    Chapter 81. IBM ..... 571
        IBM AIX ..... 571

            IBM AIX Server DSM overview ..... 571
            IBM AIX Audit DSM overview ..... 572

        IBM i ..... 577
            Configuring IBM i to integrate with IBM QRadar ..... 578
            Manually extracting journal entries for IBM i ..... 579
            Pulling Data Using Log File Protocol ..... 580
            Configuring Townsend Security Alliance LogAgent to integrate with QRadar ..... 581

        IBM BigFix ..... 581
        IBM BigFix Detect ..... 583
        IBM Bluemix Platform ..... 583

            Configuring IBM Bluemix Platform to communicate with QRadar ..... 584
        IBM CICS ..... 585

            Create a log source for near real-time event feed ..... 586
            Creating a log source for Log File protocol ..... 587

        IBM DataPower ..... 590
            Configuring IBM DataPower to communicate with QRadar ..... 591

        IBM DB2 ..... 592
            Create a log source for near real-time event feed ..... 593
            Creating a log source for Log File protocol ..... 593
            Integrating IBM DB2 Audit Events ..... 597
            Extracting audit data for DB2 v8.x to v9.4 ..... 598
            Extracting audit data for DB2 v9.5 ..... 598

        IBM Federated Directory Server ..... 599
            Configuring IBM Federated Directory Server to monitor security events ..... 600

        IBM Fiberlink MaaS360 ..... 600
            Configuring an IBM Fiberlink MaaS360 log source in QRadar ..... 601

        IBM Guardium ..... 603
            Creating a syslog destination for events ..... 603
            Configuring policies to generate syslog events ..... 604
            Installing an IBM Guardium Policy ..... 605
            Configuring a log source ..... 605
            Creating an event map for IBM Guardium events ..... 606
            Modifying the event map ..... 606

        IBM IMS ..... 607
            Configuring IBM IMS ..... 607
            Configuring a log source ..... 610

        IBM Informix Audit ..... 612
        IBM Lotus Domino ..... 613

            Setting Up SNMP Services ..... 613
            Setting up SNMP in AIX ..... 613
            Starting the Domino Server Add-in Tasks ..... 614
            Configuring SNMP Services ..... 614
            Configuring your IBM Lotus Domino device to communicate with QRadar ..... 615

        IBM Privileged Session Recorder ..... 615
            Configuring IBM Privileged Session Recorder to communicate with QRadar ..... 617
            Configuring a log source for IBM Privileged Session Recorder ..... 617

        IBM Proventia ..... 618
            IBM Proventia Management SiteProtector ..... 618
            IBM ISS Proventia ..... 621

        IBM QRadar Packet Capture ..... 622
            Configuring IBM QRadar Packet Capture to communicate with QRadar ..... 623
            Configuring IBM QRadar Network Packet Capture to communicate with QRadar ..... 624

        IBM RACF ..... 624
            Creating a log source for Log File protocol ..... 625
            Create a log source for near real-time event feed ..... 629
            Integrate IBM RACF with IBM QRadar by using audit scripts ..... 629
            Configuring IBM RACF that uses audit scripts to integrate with IBM QRadar ..... 630

        IBM SAN Volume Controller ..... 632
            Configuring IBM SAN Volume Controller to communicate with QRadar ..... 633

        IBM Security Access Manager for Enterprise Single Sign-On ..... 634
            Configuring a log server type ..... 634
            Configuring syslog forwarding ..... 634
            Configuring a log source in IBM QRadar ..... 635

        IBM Security Access Manager for Mobile ..... 636
            Configuring IBM Security Access Manager for Mobile to communicate with QRadar ..... 638
            Configuring IBM IDaaS Platform to communicate with QRadar ..... 639
            Configuring an IBM IDaaS console to communicate with QRadar ..... 639

        IBM Security Directory Server ..... 639
            IBM Security Directory Server integration process ..... 640

        IBM Security Identity Governance ..... 642
            Configuring QRadar to communicate with your IBM Security Identity Governance database ..... 645

        IBM Security Identity Manager ..... 646
        IBM Security Network IPS (GX) ..... 649

            Configuring your IBM Security Network IPS (GX) appliance for communication with QRadar ..... 650
            Configuring an IBM Security Network IPS (GX) log source in QRadar ..... 651

        IBM QRadar Network Security XGS ..... 651
            Configuring IBM QRadar Network Security XGS Alerts ..... 652
            Configuring a Log Source in IBM QRadar ..... 653

        IBM Security Privileged Identity Manager ..... 653
            Configuring IBM Security Privileged Identity Manager to communicate with QRadar ..... 657
            Sample event message ..... 658

        IBM Security Trusteer Apex Advanced Malware Protection ..... 658
            Configuring IBM Security Trusteer Apex Advanced Malware Protection to send syslog events to QRadar ..... 662
            Configuring IBM Security Trusteer Apex Advanced Malware Protection to send TLS Syslog events to QRadar ..... 663
            Configuring a Flat File Feed service ..... 665

        IBM Security Trusteer Apex Local Event Aggregator ..... 666
            Configuring syslog for Trusteer Apex Local Event Aggregator ..... 666

        IBM Sense ..... 666
            Configuring IBM Sense to communicate with QRadar ..... 668

        IBM SmartCloud Orchestrator ..... 668
            Installing IBM SmartCloud Orchestrator ..... 669
            Configuring an IBM SmartCloud Orchestrator log source in QRadar ..... 669

        IBM Tivoli Access Manager for e-business ..... 669
            Configure Tivoli Access Manager for e-business ..... 670
            Configuring a log source ..... 671

        IBM Tivoli Endpoint Manager ..... 671
        IBM WebSphere Application Server ..... 671

            Configuring IBM WebSphere ..... 671
            Customizing the Logging Option ..... 672
            Creating a log source ..... 673

        IBM WebSphere DataPower ..... 676
        IBM z/OS ..... 676

    Create a log source for near real-time event feed....................................................................