IBM QRadar DSM Configuration Guide May 2020 IBM

Upload: others

Post on 28-May-2020

6 views

Category:

Documents


0 download

TRANSCRIPT

IBM QRadar

DSM Configuration Guide
May 2020

IBM

Note

Before using this information and the product that it supports, read the information in “Notices” on page 1225.

Product information

This document applies to IBM® QRadar® Security Intelligence Platform V7.2.1 and subsequent releases unless superseded by an updated version of this document.

© Copyright International Business Machines Corporation 2005, 2020.
US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

Contents

About this DSM Configuration Guide ... xxix

Part 1. QRadar DSM installation and log source management ... 1

  Chapter 1. Event collection from third-party devices ... 3
    Adding a DSM ... 4

  Chapter 2. Introduction to log source management ... 5
    Adding a log source ... 5
    Adding a log source by using the Log Sources icon ... 7
    Adding bulk log sources ... 8
    Adding bulk log sources by using the Log Sources icon ... 9
    Editing bulk log sources ... 10
    Editing bulk log sources by using the Log Sources icon ... 10
    Adding a log source parsing order ... 11
    Testing log sources ... 11
      Protocols available for testing ... 12

  Chapter 3. Log source extensions ... 13
    Building a Universal DSM ... 13
    Building a Universal DSM by using the Log Sources icon ... 14
    Exporting the logs ... 14
    Examples of log source extensions on QRadar forum ... 16
    Patterns in log source extension documents ... 16
    Match groups ... 17
      Matcher (matcher) ... 18
      JSON matcher (json-matcher) ... 22
      LEEF matcher (leef-matcher) ... 26
      CEF matcher (cef-matcher) ... 27
      Multi-event modifier (event-match-multiple) ... 27
      Single-event modifier (event-match-single) ... 28
    Extension document template ... 29
    Creating a log source extensions document to get data into QRadar ... 31
      Common regular expressions ... 32
      Building regular expression patterns ... 33
      Uploading extension documents to QRadar ... 35
    Parsing issues and examples ... 35
      Parsing a CSV log format ... 38

  Chapter 4. Manage log source extensions ... 39
    Adding a log source extension ... 39

  Chapter 5. Threat use cases by log source type ... 41

  Chapter 6. Troubleshooting DSMs ... 53

Part 2. Protocols ... 55

  Chapter 7. Undocumented Protocols ... 57
    Configuring an undocumented protocol ... 57

  Chapter 8. Protocol configuration options ... 59
    Akamai Kona REST API protocol configuration options ... 59
    Amazon AWS S3 REST API protocol configuration options ... 60
    Amazon Web Services protocol configuration options ... 65
    Apache Kafka protocol configuration options ... 73
      Configuring Apache Kafka to enable Client Authentication ... 76
      Configuring Apache Kafka to enable SASL Authentication ... 79
      Troubleshooting Apache Kafka ... 81
    Blue Coat Web Security Service REST API protocol configuration options ... 81
    Centrify Redrock REST API protocol configuration options ... 82
    Cisco Firepower eStreamer protocol configuration options ... 83
    Cisco NSEL protocol configuration options ... 84
    EMC VMware protocol configuration options ... 85
    Forwarded protocol configuration options ... 86
    Google Cloud Pub/Sub protocol configuration options ... 86
      Configuring Google Cloud Pub/Sub to integrate with QRadar ... 88
      Creating a Pub/Sub Topic and Subscription in the Google Cloud Console ... 88
      Creating a service account and a service account key in Google Cloud Console to access the Pub/Sub Subscription ... 90
      Populating a Pub/Sub topic with data ... 93
      Adding a Google Cloud Pub/Sub log source in QRadar ... 94
    Google G Suite Activity Reports REST API protocol options ... 95
    HTTP Receiver protocol configuration options ... 96
    IBM BigFix SOAP protocol configuration options ... 96
    IBM Cloud Identity Event Service protocol configuration options ... 97
    JDBC protocol configuration options ... 99
    JDBC - SiteProtector protocol configuration options ... 103
    Juniper Networks NSM protocol configuration options ... 105
    Juniper Security Binary Log Collector protocol configuration options ... 105
    Log File protocol configuration options ... 106
    Microsoft Azure Event Hubs protocol configuration options ... 107
      Configuring Microsoft Azure Event Hubs to communicate with QRadar ... 110
      Microsoft Azure Event Hubs protocol FAQ ... 112
    Microsoft DHCP protocol configuration options ... 114
    Microsoft Exchange protocol configuration options ... 116
    Microsoft Graph Security API protocol configuration options ... 119
    Microsoft IIS protocol configuration options ... 120
    Microsoft Security Event Log protocol configuration options ... 123
      Microsoft Security Event Log over MSRPC Protocol ... 123
    MQ protocol configuration options ... 127
    Okta REST API protocol configuration options ... 128
    OPSEC/LEA protocol configuration options ... 128
    Oracle Database Listener protocol configuration options ... 130
    PCAP Syslog Combination protocol configuration options ... 132
    SDEE protocol configuration options ... 133
    SMB Tail protocol configuration options ... 134
    SNMPv2 protocol configuration options ... 136
    SNMPv3 protocol configuration options ... 136
    Seculert Protection REST API protocol configuration options ... 137
    Sophos Enterprise Console JDBC protocol configuration options ... 138
    Sourcefire Defense Center eStreamer protocol options ... 140
    Syslog Redirect protocol overview ... 140
    TCP multiline syslog protocol configuration options ... 142
    TLS syslog protocol configuration options ... 147
      Multiple log sources over TLS Syslog ... 151
    UDP multiline syslog protocol configuration options ... 151
    VMware vCloud Director protocol configuration options ... 154

Part 3. DSMs ... 155

  Chapter 9. 3Com Switch 8800 ... 157
    Configuring your 3COM Switch 8800 ... 157

  Chapter 10. AhnLab Policy Center ... 159

  Chapter 11. Akamai Kona ... 161
    Configure an Akamai Kona log source by using the HTTP Receiver protocol ... 161
    Configure an Akamai Kona log source by using the Akamai Kona REST API protocol ... 162
    Configuring Akamai Kona to communicate with QRadar ... 164
    Creating an event map for Akamai Kona events ... 164
    Modifying the event map for Akamai Kona ... 165
    Sample event messages ... 166

  Chapter 12. Amazon AWS CloudTrail ... 169
    Configuring an Amazon AWS CloudTrail log source by using the Amazon AWS S3 REST API protocol ... 170
      Configuring an Amazon AWS CloudTrail log source that uses an S3 bucket with an SQS queue ... 170
      Configuring an Amazon AWS CloudTrail log source that uses an S3 bucket with a directory prefix ... 182
    Configuring an Amazon AWS CloudTrail log source by using the Amazon Web Services protocol ... 190
      Configuring an Amazon AWS CloudTrail log source by using the Amazon Web Services protocol and Kinesis Data Streams ... 191
      Configuring an Amazon AWS CloudTrail log source by using the Amazon Web Services protocol and CloudWatch Logs ... 196

  Chapter 13. Amazon AWS Security Hub ... 203
    Creating an IAM role for the Lambda function ... 207
    Creating a Lambda function ... 208
    Creating a CloudWatch events rule ... 209
    Configuring the Lambda function ... 210
    Creating a log group and log stream to retrieve Amazon AWS Security Hub events for QRadar ... 212
    Creating an Identity and Access (IAM) user in the AWS Management Console when using Amazon Web Services ... 212
    Amazon AWS Security Hub DSM specifications ... 213
    Amazon AWS Security Hub Sample event messages ... 213

  Chapter 14. Amazon GuardDuty ... 215
    Configuring an Amazon GuardDuty log source by using the Amazon Web Services protocol ... 215
      Creating an IAM role for the Lambda function ... 219
      Creating a Lambda function ... 221
      Creating a CloudWatch events rule ... 221
      Configuring the Lambda function ... 222
    Creating a log group and log stream to retrieve Amazon GuardDuty events for QRadar ... 223
    Creating an Identity and Access (IAM) user in the AWS Management Console when using Amazon Web Services ... 224
    Sample event message ... 224

  Chapter 15. Ambiron TrustWave ipAngel ... 227

  Chapter 16. Amazon VPC Flow Logs ... 229
    Amazon VPC Flow Logs specifications ... 233
    Publishing flow logs to an S3 bucket ... 233
    Create the SQS queue that is used to receive ObjectCreated notifications ... 234

    Configuring security credentials for your AWS user account ... 234

  Chapter 17. APC UPS ... 235
    Configuring your APC UPS to forward syslog events ... 236

  Chapter 18. Apache HTTP Server ... 237
    Configuring Apache HTTP Server with syslog ... 237
    Syslog log source parameters for Apache HTTP Server ... 238
    Configuring Apache HTTP Server with syslog-ng ... 238
    Syslog log source parameters for Apache HTTP Server ... 239

  Chapter 19. Apple Mac OS X ... 241
    Apple Mac OS X DSM specifications ... 241
    Syslog log source parameters for Apple MAC OS X ... 241
    Configuring syslog on your Apple Mac OS X ... 242

  Chapter 20. Application Security DbProtect ... 245
    Installing the DbProtect LEEF Relay Module ... 246
    Configuring the DbProtect LEEF Relay ... 246
    Configuring DbProtect alerts ... 247

  Chapter 21. Arbor Networks ... 249
    Arbor Networks Peakflow SP ... 249
      Supported event types for Arbor Networks Peakflow SP ... 250
      Configuring a remote syslog in Arbor Networks Peakflow SP ... 250
      Configuring global notifications settings for alerts in Arbor Networks Peakflow SP ... 250
      Configuring alert notification rules in Arbor Networks Peakflow SP ... 251
      Syslog log source parameters for Arbor Networks Peakflow SP ... 251
    Arbor Networks Pravail ... 252
      Configuring your Arbor Networks Pravail system to send events to IBM QRadar ... 253

  Chapter 22. Arpeggio SIFT-IT ... 255
    Configuring a SIFT-IT agent ... 255
    Syslog log source parameters for Arpeggio SIFT-IT ... 256
    Additional information ... 256

  Chapter 23. Array Networks SSL VPN ... 259
    Syslog log source parameters for Array Networks SSL VPN ... 259

  Chapter 24. Aruba Networks ... 261
    Aruba ClearPass Policy Manager ... 261
      Configuring Aruba ClearPass Policy Manager to communicate with QRadar ... 262
    Aruba Introspect ... 262
      Configuring Aruba Introspect to communicate with QRadar ... 264
    Aruba Mobility Controllers ... 265
      Configuring your Aruba Mobility Controller ... 265
      Syslog log source parameters for Aruba Mobility Controllers ... 265

  Chapter 25. Avaya VPN Gateway ... 267
    Avaya VPN Gateway DSM integration process ... 267
    Configuring your Avaya VPN Gateway system for communication with IBM QRadar ... 268
    Syslog log source parameters for Avaya VPN Gateway ... 268

  Chapter 26. BalaBit IT Security ... 269
    BalaBit IT Security for Microsoft Windows Events ... 269
      Configuring the Syslog-ng Agent event source ... 269
      Configuring a syslog destination ... 270
      Restarting the Syslog-ng Agent service ... 271

  • Syslog log source parameters for BalaBit IT Security for Microsoft Windows Events............... 271BalaBit IT Security for Microsoft ISA or TMG Events........................................................................ 271

    Configure the BalaBit Syslog-ng Agent........................................................................................272Configuring the BalaBit Syslog-ng Agent file source................................................................... 272Configuring a BalaBit Syslog-ng Agent syslog destination..........................................................273Filtering the log file for comment lines........................................................................................ 273Configuring a BalaBit Syslog-ng PE Relay....................................................................................274Syslog log source parameters for BalaBit IT Security for Microsoft ISA or TMG Events............275

    Chapter 27. Barracuda............................................................................................................................ 277Barracuda Spam & Virus Firewall...................................................................................................... 277

    Configuring syslog event forwarding............................................................................................277Syslog log source parameters for Barracuda Spam Firewall...................................................... 277

    Barracuda Web Application Firewall................................................................................................. 278Configuring Barracuda Web Application Firewall to send syslog events to QRadar.................. 279Configuring Barracuda Web Application Firewall to send syslog events to QRadar for

    devices that do not support LEEF .......................................................................................... 279Barracuda Web Filter......................................................................................................................... 280

    Configuring syslog event forwarding............................................................................................281Syslog log source parameters for Barracuda Web Filter.............................................................281

    Chapter 28. BeyondTrust PowerBroker..................................................................................................283Syslog log source parameters for BeyondTrust PowerBroker..........................................................283TLS Syslog log source parameters for BeyondTrust PowerBroker...................................................284Configuring BeyondTrust PowerBroker to communicate with QRadar............................................ 284BeyondTrust PowerBroker DSM specifications................................................................................ 286Sample event messages.................................................................................................................... 286

    Chapter 29. BlueCat Networks Adonis................................................................................................... 289Supported event types.......................................................................................................................289Event type format...............................................................................................................................289Configuring BlueCat Adonis............................................................................................................... 290Syslog log source parameters for BlueCat Networks Adonis........................................................... 290

    Chapter 30. Blue Coat............................................................................................................................. 291Blue Coat SG.......................................................................................................................................291

    Creating a custom event format...................................................................................................292Creating a log facility.................................................................................................................... 293Enabling access logging............................................................................................................... 293Configuring Blue Coat SG for FTP uploads...................................................................................294Syslog log source parameters for Blue Coat SG.......................................................................... 294Log File log source parameters for Blue Coat SG........................................................................ 295Configuring Blue Coat SG for syslog.............................................................................................298Creating extra custom format key-value pairs............................................................................ 298

    Blue Coat Web Security Service.........................................................................................................298Configuring Blue Coat Web Security Service to communicate with QRadar.............................. 300Sample event message................................................................................................................ 300

    Chapter 31. Box....................................................................................................................................... 303Configuring Box to communicate with QRadar................................................................................. 304

    Chapter 32. Bridgewater......................................................................................................................... 307Configuring Syslog for your Bridgewater Systems Device................................................................ 307Syslog log source parameters for Bridgewater Systems.................................................................. 307

    Chapter 33. Brocade Fabric OS .... 309
        Configuring syslog for Brocade Fabric OS appliances .... 309


    Chapter 34. CA Technologies .... 311
        CA ACF2 .... 311
            Create a log source for near real-time event feed .... 312
            Log File log source parameter .... 312
            Integrate CA ACF2 with IBM QRadar by using audit scripts .... 316
            Configuring CA ACF2 that uses audit scripts to integrate with IBM QRadar .... 317
        CA SiteMinder .... 320
            Syslog log source parameters for CA SiteMinder .... 320
            Configuring Syslog-ng for CA SiteMinder .... 321
        CA Top Secret .... 322
            Log File log source parameter .... 323
            Create a log source for near real-time event feed .... 327
            Integrate CA Top Secret with IBM QRadar by using audit scripts .... 327
            Configuring CA Top Secret that uses audit scripts to integrate with IBM QRadar .... 327

    Chapter 35. Carbon Black .... 331
        Carbon Black .... 331
            Configuring Carbon Black to communicate with QRadar .... 332
        Carbon Black Protection .... 333
            Configuring Carbon Black Protection to communicate with QRadar .... 334
        Carbon Black Bit9 Parity .... 335
            Syslog log source parameters for Carbon Black Bit9 Parity .... 335
        Bit9 Security Platform .... 335
            Configuring Carbon Black Bit9 Security Platform to communicate with QRadar .... 336

    Chapter 36. Centrify .... 337
        Centrify Identity Platform .... 337
            Centrify Identity Platform DSM specifications .... 338
            Configuring Centrify Identity Platform to communicate with QRadar .... 339
            Sample event message .... 340
        Centrify Infrastructure Services .... 340
            Configuring WinCollect agent to collect event logs from Centrify Infrastructure Services .... 342
            Configuring Centrify Infrastructure Services on a UNIX or Linux device to communicate with QRadar .... 343
            Sample event messages .... 344

    Chapter 37. Check Point .... 347
        Check Point .... 347
            Integration of Check Point by using OPSEC .... 347
            Adding a Check Point Host .... 348
            Creating an OPSEC Application Object .... 348
            Locating the log source SIC .... 349
            OPSEC/LEA log source parameters for Check Point .... 349
            Edit your OPSEC communications configuration .... 350
            Changing the default port for OPSEC LEA communication .... 350
            Configuring OPSEC LEA for unencrypted communications .... 351
            Integration of Check Point Firewall events from external syslog forwarders .... 352
            Configuring Check Point to forward LEEF events to QRadar .... 353
            Sample event messages .... 355
        Check Point Multi-Domain Management (Provider-1) .... 356
            Integrating syslog for Check Point Multi-Domain Management (Provider-1) .... 356
            Syslog log source parameters for Check Point Multi-Domain Management (Provider-1) .... 357
            Configuring OPSEC for Check Point Multi-Domain Management (Provider-1) .... 357
            OPSEC/LEA log source parameters for Check Point Multi-Domain Management (Provider-1) .... 358
            Configuring Check Point to forward LEEF events to QRadar .... 358

    Chapter 38. Cilasoft QJRN/400 .... 361


        Configuring Cilasoft QJRN/400 .... 361
        Syslog log source parameters for Cilasoft QJRN/400 .... 362

    Chapter 39. Cisco .... 365
        Cisco ACE Firewall .... 365
            Configuring Cisco ACE Firewall .... 365
            Syslog log source parameters for Cisco ACE Firewall .... 365
        Cisco ACS .... 366
            Configuring Syslog for Cisco ACS v5.x .... 366
            Creating a Remote Log Target .... 366
            Configuring global logging categories .... 367
            Syslog log source parameters for Cisco ACS v5.x .... 367
            Configuring Syslog for Cisco ACS v4.x .... 368
            Configuring syslog forwarding for Cisco ACS v4.x .... 368
            Syslog log source parameters for Cisco ACS v4.x .... 369
            UDP Multiline Syslog log source parameters for Cisco ACS .... 369
        Cisco Aironet .... 370
            Syslog log source parameters for Cisco Aironet .... 371
        Cisco ASA .... 371
            Integrate Cisco ASA Using Syslog .... 371
            Configuring syslog forwarding .... 372
            Syslog log source parameters for Cisco ASA .... 372
            Integrate Cisco ASA for NetFlow by using NSEL .... 373
            Configuring NetFlow Using NSEL .... 373
            Cisco NSEL log source parameters for Cisco ASA .... 374
        Cisco AMP .... 375
            Cisco AMP DSM specifications .... 375
            Creating a Cisco AMP Client ID and API key for event queues .... 376
            Creating a Cisco AMP event stream .... 377
            Configure a log source for a user to manage the Cisco AMP event stream .... 378
            Sample event message .... 379
        Cisco CallManager .... 380
            Configuring syslog forwarding .... 380
            Syslog log source parameters for Cisco CallManager .... 381
        Cisco CatOS for Catalyst Switches .... 381
            Configuring syslog .... 381
            Syslog log source parameters for Cisco CatOS for Catalyst Switches .... 382
        Cisco Cloud Web Security .... 382
            Configuring Cloud Web Security to communicate with QRadar .... 384
        Cisco CSA .... 385
            Configuring syslog for Cisco CSA .... 385
            Syslog log source parameters for Cisco CSA .... 386
        Cisco Firepower Management Center .... 386
            Creating Cisco Firepower Management Center 5.x and 6.x certificates .... 388
            Importing a Cisco Firepower Management Center certificate in QRadar .... 390
            Configure your Cisco Firepower appliance to send intrusion or connection events to QRadar by using Syslog .... 391
            Cisco Firepower Management Center log source parameters .... 392
        Cisco FWSM .... 392
            Configuring Cisco FWSM to forward syslog events .... 392
            Syslog log source parameters for Cisco FWSM .... 393
        Cisco Identity Services Engine .... 393
            Configuring a remote logging target in Cisco ISE .... 396
            Configuring logging categories in Cisco ISE .... 396
        Cisco IDS/IPS .... 397
            SDEE log source parameters for Cisco IDS/IPS .... 397
        Cisco IOS .... 399
            Configuring Cisco IOS to forward events .... 399


            Syslog log source parameters for Cisco IOS .... 400
        Cisco IronPort .... 401
            Cisco IronPort DSM specifications .... 401
            Configuring Cisco IronPort appliances to communicate with QRadar .... 402
            Configuring a Cisco IronPort and Cisco ESA log source by using the log file protocol .... 402
            Configuring a Cisco IronPort and Cisco WSA log source by using the Syslog protocol .... 405
            Sample event messages .... 406
        Cisco Meraki .... 406
            Cisco Meraki DSM specifications .... 407
            Configure Cisco Meraki to communicate with IBM QRadar .... 408
            Sample event messages .... 408
        Cisco NAC .... 410
            Configuring Cisco NAC to forward events .... 410
            Syslog log source parameters for Cisco NAC .... 410
        Cisco Nexus .... 411
            Configuring Cisco Nexus to forward events .... 411
            Syslog log source parameters for Cisco Nexus .... 411
            Sample event messages .... 412
        Cisco Pix .... 412
            Configuring Cisco Pix to forward events .... 412
            Syslog log source parameters for Cisco Pix .... 413
        Cisco Stealthwatch .... 413
            Configuring Cisco Stealthwatch to communicate with QRadar .... 415
        Cisco Umbrella .... 416
            Configure Cisco Umbrella to communicate with QRadar .... 418
            Cisco Umbrella DSM specifications .... 419
            Sample event messages .... 419
        Cisco VPN 3000 Concentrator .... 420
            Syslog log source parameters for Cisco VPN 3000 Concentrator .... 420
        Cisco Wireless LAN Controllers .... 421
            Configuring syslog for Cisco Wireless LAN Controller .... 421
            Syslog log source parameters for Cisco Wireless LAN Controllers .... 422
            Configuring SNMPv2 for Cisco Wireless LAN Controller .... 423
            Configuring a trap receiver for Cisco Wireless LAN Controller .... 424
            SNMPv2 log source parameters for Cisco Wireless LAN Controllers .... 424
        Cisco Wireless Services Module .... 425
            Configuring Cisco WiSM to forward events .... 426
            Syslog log source parameters for Cisco WiSM .... 427

    Chapter 40. Citrix .... 429
        Citrix Access Gateway .... 429
            Syslog log source parameters for Citrix Access Gateway .... 429
        Citrix NetScaler .... 430
            Syslog log source parameters for Citrix NetScaler .... 431

    Chapter 41. Cloudera Navigator .... 433
        Configuring Cloudera Navigator to communicate with QRadar .... 434

    Chapter 42. CloudPassage Halo .... 435
        Configuring CloudPassage Halo for communication with QRadar .... 435
        Syslog log source parameters for CloudPassage Halo .... 437
        Log File log source parameters for CloudPassage Halo .... 437

    Chapter 43. CloudLock Cloud Security Fabric .... 439
        Configuring CloudLock Cloud Security Fabric to communicate with QRadar .... 440

    Chapter 44. Correlog Agent for IBM z/OS .... 441
        Configuring your CorreLog Agent system for communication with QRadar .... 442


    Chapter 45. CrowdStrike Falcon Host .... 443
        Configuring CrowdStrike Falcon Host to communicate with QRadar .... 444

    Chapter 46. CRYPTOCard CRYPTO-Shield .... 447
        Configuring syslog for CRYPTOCard CRYPTO-Shield .... 447
        Syslog log source parameters for CRYPTOCard CRYPTO-Shield .... 447

    Chapter 47. CyberArk .... 449
        CyberArk Privileged Threat Analytics .... 449
            Configuring CyberArk Privileged Threat Analytics to communicate with QRadar .... 450
        CyberArk Vault .... 450
            Configuring syslog for CyberArk Vault .... 451
            Syslog log source parameters for CyberArk Vault .... 451

    Chapter 48. CyberGuard Firewall/VPN Appliance .... 453
        Configuring syslog events .... 453
        Syslog log source parameters for CyberGuard .... 453

    Chapter 49. Damballa Failsafe .... 455
        Configuring syslog for Damballa Failsafe .... 455
        Syslog log source parameters for Damballa Failsafe .... 455

    Chapter 50. DG Technology MEAS .... 457
        Configuring your DG Technology MEAS system for communication with QRadar .... 457

    Chapter 51. Digital China Networks (DCN) .... 459
        Configuring a DCN DCS/DCRS Series Switch .... 459
        Syslog log source parameters for DCN DCS/DCRS Series switches .... 460

    Chapter 52. Enterprise-IT-Security.com SF-Sherlock .... 461
        Configuring Enterprise-IT-Security.com SF-Sherlock to communicate with QRadar .... 462

    Chapter 53. Epic SIEM .... 463
        Configuring Epic SIEM 2014 to communicate with QRadar .... 464
        Configuring Epic SIEM 2015 to communicate with QRadar .... 464
        Configuring Epic SIEM 2017 to communicate with QRadar .... 466

    Chapter 54. ESET Remote Administrator .... 469
        Configuring ESET Remote Administrator to communicate with QRadar .... 470

    Chapter 55. Exabeam .... 471
        Configuring Exabeam to communicate with QRadar .... 471

    Chapter 56. Extreme .... 473
        Extreme 800-Series Switch .... 473
            Configuring your Extreme 800-Series Switch .... 473
            Syslog log source parameters for Extreme 800-Series Switches .... 473
        Extreme Dragon .... 474
            Creating a Policy for Syslog .... 474
            Syslog log source parameters for Extreme Dragon .... 476
            Configure the EMS to forward syslog messages .... 476
            Configuring syslog-ng Using Extreme Dragon EMS V7.4.0 and later .... 476
            Configuring syslogd Using Extreme Dragon EMS V7.4.0 and earlier .... 477
        Extreme HiGuard Wireless IPS .... 477
            Configuring Enterasys HiGuard .... 477
            Syslog log source parameters for Extreme HiGuard .... 478
        Extreme HiPath Wireless Controller .... 479


            Configuring your HiPath Wireless Controller .... 479
            Syslog log source parameters for Extreme HiPath .... 479
        Extreme Matrix Router .... 480
        Extreme Matrix K/N/S Series Switch .... 480
        Extreme NetSight Automatic Security Manager .... 481
        Extreme NAC .... 482
            Syslog log source parameters for Extreme NAC .... 482
        Extreme stackable and stand-alone switches .... 483
        Extreme Networks ExtremeWare .... 484
            Syslog log source parameters for Extreme Networks ExtremeWare .... 484
        Extreme XSR Security Router .... 485
            Syslog log source parameters for Extreme XSR Security Router .... 485

    Chapter 57. F5 Networks .... 487
        F5 Networks BIG-IP AFM .... 487
            Configuring a logging pool .... 487
            Creating a high-speed log destination .... 488
            Creating a formatted log destination .... 488
            Creating a log publisher .... 488
            Creating a logging profile .... 489
            Associating the profile to a virtual server .... 489
            Syslog log source parameters for F5 Networks BIG-IP AFM .... 490
        F5 Networks BIG-IP APM .... 490
            Configuring Remote Syslog for F5 BIG-IP APM V11.x to V14.x .... 490
            Configuring a Remote Syslog for F5 BIG-IP APM 10.x .... 491
            Syslog log source parameters for F5 Networks BIG-IP APM .... 491
        Configuring F5 Networks BIG-IP ASM .... 492
            Syslog log source parameters for F5 Networks BIG-IP ASM .... 492
        F5 Networks BIG-IP LTM .... 493
            Syslog log source parameters for F5 Networks BIG-IP LTM .... 493
            Configuring syslog forwarding in BIG-IP LTM .... 493
            Configuring Remote Syslog for F5 BIG-IP LTM V11.x to V14.x .... 494
            Configuring Remote Syslog for F5 BIG-IP LTM V10.x .... 494
            Configuring Remote Syslog for F5 BIG-IP LTM V9.4.2 to V9.4.8 .... 495
        F5 Networks FirePass .... 495
            Configuring syslog forwarding for F5 FirePass .... 495
            Syslog log source parameters for F5 Networks FirePass .... 496

    Chapter 58. Fair Warning.........................................................................................................................497Log File log source parameters for Fair Warning...............................................................................497

    Chapter 59. Fasoo Enterprise DRM......................................................................................................... 499Configuring Fasoo Enterprise DRM to communicate with QRadar................................................... 503

    Chapter 60. Fidelis XPS........................................................................................................................... 505Configuring Fidelis XPS...................................................................................................................... 505Syslog log source parameters for Fidelis XPS...................................................................................506

    Chapter 61. FireEye................................................................................................................................. 507Configuring your FireEye system for communication with QRadar..................................................509Configuring your FireEye HX system for communication with QRadar............................................ 509

    Chapter 62. Forcepoint............................................................................................................................511FORCEPOINT Stonesoft Management Center...................................................................................511

    Configuring FORCEPOINT Stonesoft Management Center to communicate with QRadar.........512Configuring a syslog traffic rule for FORCEPOINT Stonesoft Management Center....................513

    Forcepoint Sidewinder....................................................................................................................... 514Forcepoint Sidewinder DSM specifications................................................................................. 515


        Configure Forcepoint Sidewinder to communicate with QRadar ..... 515
        Sample event messages ..... 515
    Forcepoint TRITON ..... 516
        Configuring syslog for Forcepoint TRITON ..... 517
        Syslog log source parameters for Forcepoint TRITON ..... 517
    Forcepoint V-Series Data Security Suite ..... 518
        Configuring syslog for Forcepoint V-Series Data Security Suite ..... 518
        Syslog log source parameters for Forcepoint V-Series Data Security Suite ..... 518
    Forcepoint V-Series Content Gateway ..... 519
        Configure syslog for Forcepoint V-Series Content Gateway ..... 519
        Configuring the Management Console for Forcepoint V-Series Content Gateway ..... 519
        Enabling Event Logging for Forcepoint V-Series Content Gateway ..... 520
        Syslog log source parameters for Forcepoint V-Series Content Gateway ..... 520
        Log file protocol for Forcepoint V-Series Content Gateway ..... 521

Chapter 63. ForeScout CounterACT ..... 523
    Syslog log source parameters for ForeScout CounterACT ..... 523
    Configuring the ForeScout CounterACT Plug-in ..... 523
    Configuring ForeScout CounterACT Policies ..... 524

Chapter 64. Fortinet FortiGate Security Gateway ..... 527
    Configuring a syslog destination on your Fortinet FortiGate Security Gateway device ..... 528
    Configuring a syslog destination on your Fortinet FortiAnalyzer device ..... 529
    Sample event message ..... 529

Chapter 65. Foundry FastIron ..... 531
    Configuring syslog for Foundry FastIron ..... 531
    Syslog log source parameters for Foundry FastIron ..... 531

Chapter 66. FreeRADIUS ..... 533
    Configuring your FreeRADIUS device to communicate with QRadar ..... 533

Chapter 67. Generic ..... 535
    Generic Authorization Server ..... 535
        Configuring event properties ..... 535
        Syslog log source parameters for Generic Authorization Server ..... 537
    Generic Firewall ..... 537
        Configuring event properties ..... 537
        Syslog log source parameters for Generic Firewall ..... 539

Chapter 68. genua genugate ..... 541
    Configuring genua genugate to send events to QRadar ..... 542

Chapter 69. Google Cloud Audit Logs ..... 543
    Google Cloud Audit Logs DSM specifications ..... 543
    Configuring Google Cloud Audit Logs to communicate with QRadar ..... 544
    Google Cloud Pub/Sub protocol log source parameters for Google Cloud Audit Logs ..... 544
    Sample event messages ..... 545

Chapter 70. Google G Suite Activity Reports ..... 547
    Google G Suite Activity Reports DSM specifications ..... 547
    Configuring Google G Suite Activity Reports to communicate with QRadar ..... 548
    Assign a role to a user ..... 548
    Create a service account with viewer access ..... 550
    Grant API client access to a service account ..... 550
    Google G Suite Activity Reports log source parameters ..... 551
    Sample event messages ..... 552
    Troubleshooting Google G Suite Activity Reports ..... 553


        Invalid private keys ..... 553
        Authorization errors ..... 554
        Invalid email or username errors ..... 554
        Invalid JSON formatting ..... 555
        Network errors ..... 555
    Google G Suite Activity Reports FAQ ..... 555

Chapter 71. Great Bay Beacon ..... 557
    Configuring syslog for Great Bay Beacon ..... 557
    Syslog log source parameters for Great Bay Beacon ..... 557

Chapter 72. HBGary Active Defense ..... 559
    Configuring HBGary Active Defense ..... 559
    Syslog log source parameters for HBGary Active Defense ..... 559

Chapter 73. H3C Technologies ..... 561
    H3C Comware Platform ..... 561
        Configuring H3C Comware Platform to communicate with QRadar ..... 562

Chapter 74. Honeycomb Lexicon File Integrity Monitor (FIM) ..... 563
    Supported Honeycomb FIM event types logged by QRadar ..... 563
    Configuring the Lexicon mesh service ..... 564
    Syslog log source parameters for Honeycomb Lexicon File Integrity Monitor ..... 564

Chapter 75. Hewlett Packard (HP) ..... 567
    HP Network Automation ..... 567
        Configuring HP Network Automation Software to communicate with QRadar ..... 568
    HP ProCurve ..... 569
        Syslog log source parameters for HP ProCurve ..... 569
    HP Tandem ..... 570
    Hewlett Packard UniX (HP-UX) ..... 570
        Syslog log source parameters for Hewlett Packard UniX (HP-UX) ..... 571

Chapter 76. Huawei ..... 573
    Huawei AR Series Router ..... 573
        Syslog log source parameters for Huawei AR Series Router ..... 573
        Configuring Your Huawei AR Series Router ..... 574
    Huawei S Series Switch ..... 574
        Syslog log source parameters for Huawei S Series Switch ..... 575
        Configuring Your Huawei S Series Switch ..... 575
        Sample event message ..... 576

Chapter 77. HyTrust CloudControl ..... 577
    Configuring HyTrust CloudControl to communicate with QRadar ..... 578

Chapter 78. IBM ..... 579
    IBM AIX ..... 579
        IBM AIX Server DSM overview ..... 579
        IBM AIX Audit DSM overview ..... 580
    IBM i ..... 585
        Configuring IBM i to integrate with IBM QRadar ..... 586
        Manually extracting journal entries for IBM i ..... 587
        Pulling Data Using Log File Protocol ..... 588
        Configuring Townsend Security Alliance LogAgent to integrate with QRadar ..... 589
    IBM BigFix ..... 589
    IBM BigFix Detect ..... 590
    IBM Bluemix Platform ..... 590
        Configuring IBM Bluemix Platform to communicate with QRadar ..... 591


    IBM CICS ..... 593
        Create a log source for near real-time event feed ..... 594
        Log File log source parameter ..... 594
    IBM Cloud Identity ..... 598
        IBM Cloud Identity DSM specifications ..... 599
        Configuring IBM Cloud Identity server to send events to QRadar ..... 599
        IBM Cloud Identity Event Service log source parameters for IBM Cloud Identity ..... 599
        Sample event messages ..... 600
    IBM DataPower ..... 603
        Configuring IBM DataPower to communicate with QRadar ..... 604
    IBM DB2 ..... 605
        Create a log source for near real-time event feed ..... 606
        Log File log source parameter ..... 606
        Integrating IBM DB2 Audit Events ..... 610
        Extracting audit data for DB2 v8.x to v9.4 ..... 611
        Extracting audit data for DB2 v9.5 ..... 611
    IBM Federated Directory Server ..... 612
        Configuring IBM Federated Directory Server to monitor security events ..... 613
    IBM Fiberlink MaaS360 ..... 613
        IBM Fiberlink REST API log source parameters for IBM Fiberlink MaaS360 ..... 614
    IBM Guardium ..... 615
        Creating a syslog destination for events ..... 615
        Configuring policies to generate syslog events ..... 616
        Installing an IBM Guardium Policy ..... 617
        Syslog log source parameters for IBM Guardium ..... 617
        Creating an event map for IBM Guardium events ..... 618
        Modifying the event map ..... 618
    IBM IMS ..... 619
        Configuring IBM IMS ..... 620
        Log File log source parameters for IBM IMS ..... 622
    IBM Informix Audit ..... 622
    IBM Lotus Domino ..... 623
        Setting Up SNMP Services ..... 623
        Setting up SNMP in AIX ..... 623
        Starting the Domino Server Add-in Tasks ..... 624
        Configuring SNMP Services ..... 624
        SNMPv2 log source parameters for IBM Lotus Domino ..... 625
    IBM Privileged Session Recorder ..... 625
        Configuring IBM Privileged Session Recorder to communicate with QRadar ..... 627
        JDBC log source parameters for IBM Privileged Session Recorder ..... 627
    IBM Proventia ..... 627
        IBM Proventia Management SiteProtector ..... 627
        JDBC log source parameters for IBM Proventia Management SiteProtector ..... 628
        IBM ISS Proventia ..... 629
    IBM QRadar Packet Capture ..... 630
        Configuring IBM QRadar Packet Capture to communicate with QRadar ..... 631
        Configuring IBM QRadar Network Packet Capture to communicate with QRadar ..... 632
    IBM RACF ..... 632
        Log File log source parameter ..... 633
        Create a log source for near real-time event feed ..... 637
        Integrate IBM RACF with IBM QRadar by using audit scripts ..... 638
        Configuring IBM RACF that uses audit scripts to integrate with IBM QRadar ..... 638
    IBM SAN Volume Controller ..... 640
        Configuring IBM SAN Volume Controller to communicate with QRadar ..... 642
    IBM Security Access Manager for Enterprise Single Sign-On ..... 642
        Configuring a log server type ..... 642
        Configuring syslog forwarding ..... 643


        Syslog log source parameters for IBM Security Access Manager for Enterprise Single Sign-On ..... 643
    IBM Security Access Manager for Mobile ..... 644
        Configuring IBM Security Access Manager for Mobile to communicate with QRadar ..... 646
        Configuring IBM IDaaS Platform to communicate with QRadar ..... 647
        Configuring an IBM IDaaS console to communicate with QRadar ..... 647
    IBM Security Directory Server ..... 647
        IBM Security Directory Server DSM specifications ..... 648
        Configuring IBM Security Directory Server to communicate with QRadar ..... 648
        Syslog log source parameters for IBM Security Directory Server ..... 649
    IBM Security Identity Governance ..... 650
        JDBC log source parameters for IBM Security Identity Governance ..... 652
    IBM Security Identity Manager ..... 653
        IBM Security Identity Manager JDBC log source parameters for IBM Security Identity Manager ..... 653
    IBM Security Network IPS (GX) ..... 657
        Configuring your IBM Security Network IPS (GX) appliance for communication with QRadar ..... 658
        Syslog log source parameters for IBM Security Network IPS (GX) ..... 658
    IBM QRadar Network Security XGS ..... 659
        Configuring IBM QRadar Network Security XGS Alerts ..... 659
        Syslog log source parameters for IBM QRadar Network Security XGS ..... 660
    IBM Security Privileged Identity Manager ..... 661
        Configuring IBM Security Privileged Identity Manager to communicate with QRadar ..... 664
        Sample event message .....