February 2020 DSM Guide · 2020-02-19
IBM QRadar DSM Configuration Guide March 2020 IBM



    Note

    Before using this information and the product that it supports, read the information in “Notices” on page 1193.

    Product information

    This document applies to IBM® QRadar® Security Intelligence Platform V7.2.1 and subsequent releases unless superseded by an updated version of this document.

    © Copyright International Business Machines Corporation 2005, 2020.

    US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

    Contents

    About this DSM Configuration Guide.................................................................. xxix

    Part 1. QRadar DSM installation and log source management..................................1

    Chapter 1. Event collection from third-party devices ..... 3
        Adding a DSM ..... 4

    Chapter 2. Introduction to log source management ..... 5
        Adding a log source ..... 5
        Adding a log source by using the Log Sources icon ..... 7
        Adding bulk log sources ..... 8
        Adding bulk log sources by using the Log Sources icon ..... 9
        Editing bulk log sources ..... 10
        Editing bulk log sources by using the Log Sources icon ..... 10
        Adding a log source parsing order ..... 11
        Testing log sources ..... 11
            Protocols available for testing ..... 12

    Chapter 3. Log source extensions ..... 13
        Building a Universal DSM ..... 13
        Building a Universal DSM by using the Log Sources icon ..... 14
        Exporting the logs ..... 14
        Examples of log source extensions on QRadar forum ..... 16
        Patterns in log source extension documents ..... 16
        Match groups ..... 17
            Matcher (matcher) ..... 18
            JSON matcher (json-matcher) ..... 22
            LEEF matcher (leef-matcher) ..... 26
            CEF matcher (cef-matcher) ..... 27
            Multi-event modifier (event-match-multiple) ..... 27
            Single-event modifier (event-match-single) ..... 28
        Extension document template ..... 29
        Creating a log source extensions document to get data into QRadar ..... 31
            Common regular expressions ..... 32
            Building regular expression patterns ..... 33
            Uploading extension documents to QRadar ..... 35
        Parsing issues and examples ..... 35
            Parsing a CSV log format ..... 38

    Chapter 4. Manage log source extensions ..... 39
        Adding a log source extension ..... 39

    Chapter 5. Threat use cases by log source type....................................................................................... 41

    Chapter 6. Troubleshooting DSMs.............................................................................................................53

    Part 2. Protocols..................................................................................................55

    Chapter 7. Undocumented Protocols ..... 57
        Configuring an undocumented protocol ..... 57


    Chapter 8. Protocol configuration options ..... 59
        Akamai Kona REST API protocol configuration options ..... 59
        Amazon AWS S3 REST API protocol configuration options ..... 60
        Amazon Web Services protocol configuration options ..... 65
        Apache Kafka protocol configuration options ..... 73
            Configuring Apache Kafka to enable Client Authentication ..... 76
            Configuring Apache Kafka to enable SASL Authentication ..... 79
            Troubleshooting Apache Kafka ..... 81
        Blue Coat Web Security Service REST API protocol configuration options ..... 81
        Centrify Redrock REST API protocol configuration options ..... 82
        Cisco Firepower eStreamer protocol configuration options ..... 83
        Cisco NSEL protocol configuration options ..... 84
        EMC VMware protocol configuration options ..... 85
        Forwarded protocol configuration options ..... 86
        Google Cloud Pub/Sub protocol configuration options ..... 86
            Configuring Google Cloud Pub/Sub to integrate with QRadar ..... 88
            Creating a Pub/Sub Topic and Subscription in the Google Cloud Console ..... 88
            Creating a service account and a service account key in Google Cloud Console to access the Pub/Sub Subscription ..... 90
            Populating a Pub/Sub topic with data ..... 93
            Adding a Google Cloud Pub/Sub log source in QRadar ..... 94
        Google G Suite Activity Reports REST API protocol options ..... 95
        HTTP Receiver protocol configuration options ..... 96
        IBM BigFix SOAP protocol configuration options ..... 96
        JDBC protocol configuration options ..... 97
        JDBC - SiteProtector protocol configuration options ..... 101
        Juniper Networks NSM protocol configuration options ..... 103
        Juniper Security Binary Log Collector protocol configuration options ..... 103
        Log File protocol configuration options ..... 104
        Microsoft Azure Event Hubs protocol configuration options ..... 105
        Microsoft DHCP protocol configuration options ..... 107
        Microsoft Exchange protocol configuration options ..... 109
        Microsoft IIS protocol configuration options ..... 111
        Microsoft Security Event Log protocol configuration options ..... 113
            Microsoft Security Event Log over MSRPC Protocol ..... 113
        MQ protocol configuration options ..... 117
        Okta REST API protocol configuration options ..... 118
        OPSEC/LEA protocol configuration options ..... 118
        Oracle Database Listener protocol configuration options ..... 120
        PCAP Syslog Combination protocol configuration options ..... 121
        SDEE protocol configuration options ..... 123
        SMB Tail protocol configuration options ..... 124
        SNMPv2 protocol configuration options ..... 125
        SNMPv3 protocol configuration options ..... 126
        Seculert Protection REST API protocol configuration options ..... 126
        Sophos Enterprise Console JDBC protocol configuration options ..... 128
        Sourcefire Defense Center eStreamer protocol options ..... 130
        Syslog Redirect protocol overview ..... 130
        TCP multiline syslog protocol configuration options ..... 131
        TLS syslog protocol configuration options ..... 136
            Multiple log sources over TLS Syslog ..... 138
        UDP multiline syslog protocol configuration options ..... 139
        VMware vCloud Director protocol configuration options ..... 142

    Part 3. DSMs......................................................................................................143


    Chapter 9. 3Com Switch 8800 ..... 145
        Configuring your 3COM Switch 8800 ..... 145

    Chapter 10. AhnLab Policy Center.......................................................................................................... 147

    Chapter 11. Akamai Kona ..... 149
        Configure an Akamai Kona log source by using the HTTP Receiver protocol ..... 149
        Configuring an Akamai Kona log source by using the Akamai Kona REST API protocol ..... 150
        Configuring Akamai Kona to communicate with QRadar ..... 152
        Creating an event map for Akamai Kona events ..... 152
        Modifying the event map for Akamai Kona ..... 153
        Sample event messages ..... 154

    Chapter 12. Amazon AWS CloudTrail ..... 157
        Configuring an Amazon AWS CloudTrail log source by using the Amazon AWS S3 REST API protocol ..... 158
            Configuring an Amazon AWS CloudTrail log source that uses an S3 bucket with an SQS queue ..... 158
            Configuring an Amazon AWS CloudTrail log source that uses an S3 bucket with a directory prefix ..... 170
        Configuring an Amazon AWS CloudTrail log source by using the Amazon Web Services protocol ..... 178
            Configuring an Amazon AWS CloudTrail log source by using the Amazon Web Services protocol and Kinesis Data Streams ..... 179
            Configuring an Amazon AWS CloudTrail log source by using the Amazon Web Services protocol and CloudWatch Logs ..... 184

    Chapter 13. Amazon AWS Security Hub ..... 191
        Creating an IAM role for the Lambda function ..... 195
        Creating a Lambda function ..... 196
        Creating a CloudWatch events rule ..... 197
        Configuring the Lambda function ..... 198
        Creating a log group and log stream to retrieve Amazon AWS Security Hub events for QRadar ..... 200
        Creating an Identity and Access (IAM) user in the AWS Management Console when using Amazon Web Services ..... 200
        Amazon AWS Security Hub DSM specifications ..... 201
        Amazon AWS Security Hub Sample event messages ..... 201

    Chapter 14. Amazon GuardDuty ..... 203
        Configuring an Amazon GuardDuty log source by using the Amazon Web Services protocol ..... 203
            Creating an IAM role for the Lambda function ..... 207
            Creating a Lambda function ..... 209
            Creating a CloudWatch events rule ..... 209
            Configuring the Lambda function ..... 210
        Creating a log group and log stream to retrieve Amazon GuardDuty events for QRadar ..... 211
        Creating an Identity and Access (IAM) user in the AWS Management Console when using Amazon Web Services ..... 212
        Sample event message ..... 212

    Chapter 15. Ambiron TrustWave ipAngel ...............................................................................................215

    Chapter 16. Amazon VPC Flow Logs ..... 217
        Amazon VPC Flow Logs specifications ..... 220
        Publishing flow logs to an S3 bucket ..... 221
        Create the SQS queue that is used to receive ObjectCreated notifications ..... 221
        Configuring security credentials for your AWS user account ..... 222

    Chapter 17. APC UPS ..... 223
        Configuring your APC UPS to forward syslog events ..... 224

    Chapter 18. Apache HTTP Server ..... 225
        Configuring Apache HTTP Server with syslog ..... 225
        Syslog log source parameters for Apache HTTP Server ..... 226
        Configuring Apache HTTP Server with syslog-ng ..... 226
        Syslog log source parameters for Apache HTTP Server ..... 227

    Chapter 19. Apple Mac OS X ..... 229
        Syslog log source parameters for Apple MAC OS X ..... 229
        Configuring syslog on your Apple Mac OS X ..... 229

    Chapter 20. Application Security DbProtect ..... 233
        Installing the DbProtect LEEF Relay Module ..... 234
        Configuring the DbProtect LEEF Relay ..... 234
        Configuring DbProtect alerts ..... 235

    Chapter 21. Arbor Networks ..... 237
        Arbor Networks Peakflow SP ..... 237
            Supported event types for Arbor Networks Peakflow SP ..... 238
            Configuring a remote syslog in Arbor Networks Peakflow SP ..... 238
            Configuring global notifications settings for alerts in Arbor Networks Peakflow SP ..... 238
            Configuring alert notification rules in Arbor Networks Peakflow SP ..... 239
            Syslog log source parameters for Arbor Networks Peakflow SP ..... 239
        Arbor Networks Pravail ..... 240
            Configuring your Arbor Networks Pravail system to send events to IBM QRadar ..... 241

    Chapter 22. Arpeggio SIFT-IT ..... 243
        Configuring a SIFT-IT agent ..... 243
        Syslog log source parameters for Arpeggio SIFT-IT ..... 244
        Additional information ..... 244

    Chapter 23. Array Networks SSL VPN ..... 247
        Syslog log source parameters for Array Networks SSL VPN ..... 247

    Chapter 24. Aruba Networks ..... 249
        Aruba ClearPass Policy Manager ..... 249
            Configuring Aruba ClearPass Policy Manager to communicate with QRadar ..... 250
        Aruba Introspect ..... 250
            Configuring Aruba Introspect to communicate with QRadar ..... 252
        Aruba Mobility Controllers ..... 253
            Configuring your Aruba Mobility Controller ..... 253
            Syslog log source parameters for Aruba Mobility Controllers ..... 253

    Chapter 25. Avaya VPN Gateway ..... 255
        Avaya VPN Gateway DSM integration process ..... 255
        Configuring your Avaya VPN Gateway system for communication with IBM QRadar ..... 256
        Syslog log source parameters for Avaya VPN Gateway ..... 256

    Chapter 26. BalaBit IT Security ..... 257
        BalaBit IT Security for Microsoft Windows Events ..... 257
            Configuring the Syslog-ng Agent event source ..... 257
            Configuring a syslog destination ..... 258
            Restarting the Syslog-ng Agent service ..... 259
            Syslog log source parameters for BalaBit IT Security for Microsoft Windows Events ..... 259
        BalaBit IT Security for Microsoft ISA or TMG Events ..... 259
            Configure the BalaBit Syslog-ng Agent ..... 260
            Configuring the BalaBit Syslog-ng Agent file source ..... 260
            Configuring a BalaBit Syslog-ng Agent syslog destination ..... 261
            Filtering the log file for comment lines ..... 261
            Configuring a BalaBit Syslog-ng PE Relay ..... 262
            Syslog log source parameters for BalaBit IT Security for Microsoft ISA or TMG Events ..... 263

    Chapter 27. Barracuda ..... 265
        Barracuda Spam & Virus Firewall ..... 265
            Configuring syslog event forwarding ..... 265
            Syslog log source parameters for Barracuda Spam Firewall ..... 265
        Barracuda Web Application Firewall ..... 266
            Configuring Barracuda Web Application Firewall to send syslog events to QRadar ..... 267
            Configuring Barracuda Web Application Firewall to send syslog events to QRadar for devices that do not support LEEF ..... 267
        Barracuda Web Filter ..... 268
            Configuring syslog event forwarding ..... 269
            Syslog log source parameters for Barracuda Web Filter ..... 269

    Chapter 28. BeyondTrust PowerBroker ..... 271
        Syslog log source parameters for BeyondTrust PowerBroker ..... 271
        TLS Syslog log source parameters for BeyondTrust PowerBroker ..... 272
        Configuring BeyondTrust PowerBroker to communicate with QRadar ..... 272
        BeyondTrust PowerBroker DSM specifications ..... 274
        Sample event messages ..... 274

    Chapter 29. BlueCat Networks Adonis ..... 277
        Supported event types ..... 277
        Event type format ..... 277
        Configuring BlueCat Adonis ..... 278
        Syslog log source parameters for BlueCat Networks Adonis ..... 278

    Chapter 30. Blue Coat ..... 279
        Blue Coat SG ..... 279
            Creating a custom event format ..... 280
            Creating a log facility ..... 281
            Enabling access logging ..... 281
            Configuring Blue Coat SG for FTP uploads ..... 282
            Syslog log source parameters for Blue Coat SG ..... 282
            Log File log source parameters for Blue Coat SG ..... 283
            Configuring Blue Coat SG for syslog ..... 286
            Creating extra custom format key-value pairs ..... 286
        Blue Coat Web Security Service ..... 286
            Configuring Blue Coat Web Security Service to communicate with QRadar ..... 288

    Chapter 31. Box ..... 289
        Configuring Box to communicate with QRadar ..... 290

    Chapter 32. Bridgewater ..... 293
        Configuring Syslog for your Bridgewater Systems Device ..... 293
        Syslog log source parameters for Bridgewater Systems ..... 293

    Chapter 33. Brocade Fabric OS ..... 295
        Configuring syslog for Brocade Fabric OS appliances ..... 295

    Chapter 34. CA Technologies................................................................................................................. 297CA ACF2..............................................................................................................................................297

    Create a log source for near real-time event feed.......................................................................298Log File log source parameter......................................................................................................298Integrate CA ACF2 with IBM QRadar by using audit scripts....................................................... 302

            Configuring CA ACF2 that uses audit scripts to integrate with IBM QRadar .... 303
        CA SiteMinder .... 306
            Syslog log source parameters for CA SiteMinder .... 306
            Configuring Syslog-ng for CA SiteMinder .... 307
        CA Top Secret .... 308
            Log File log source parameter .... 309
            Create a log source for near real-time event feed .... 313
            Integrate CA Top Secret with IBM QRadar by using audit scripts .... 313
            Configuring CA Top Secret that uses audit scripts to integrate with IBM QRadar .... 313

    Chapter 35. Carbon Black .... 317
        Carbon Black .... 317
            Configuring Carbon Black to communicate with QRadar .... 318
        Carbon Black Protection .... 319
            Configuring Carbon Black Protection to communicate with QRadar .... 320
        Carbon Black Bit9 Parity .... 321
            Syslog log source parameters for Carbon Black Bit9 Parity .... 321
        Bit9 Security Platform .... 321
            Configuring Carbon Black Bit9 Security Platform to communicate with QRadar .... 322

    Chapter 36. Centrify .... 323
        Centrify Identity Platform .... 323
            Centrify Identity Platform DSM specifications .... 324
            Configuring Centrify Identity Platform to communicate with QRadar .... 325
            Sample event message .... 326
        Centrify Infrastructure Services .... 326
            Configuring WinCollect agent to collect event logs from Centrify Infrastructure Services .... 328
            Configuring Centrify Infrastructure Services on a UNIX or Linux device to communicate with QRadar .... 329
            Sample event messages .... 330

    Chapter 37. Check Point .... 333
        Check Point .... 333
            Integration of Check Point by using OPSEC .... 333
            Adding a Check Point Host .... 334
            Creating an OPSEC Application Object .... 334
            Locating the log source SIC .... 335
            OPSEC/LEA log source parameters for Check Point .... 335
            Edit your OPSEC communications configuration .... 336
            Changing the default port for OPSEC LEA communication .... 336
            Configuring OPSEC LEA for unencrypted communications .... 337
            Integration of Check Point Firewall events from external syslog forwarders .... 338
            Configuring Check Point to forward LEEF events to QRadar .... 339
            Sample event messages .... 341
        Check Point Multi-Domain Management (Provider-1) .... 342
            Integrating syslog for Check Point Multi-Domain Management (Provider-1) .... 342
            Syslog log source parameters for Check Point Multi-Domain Management (Provider-1) .... 343
            Configuring OPSEC for Check Point Multi-Domain Management (Provider-1) .... 343
            OPSEC/LEA log source parameters for Check Point Multi-Domain Management (Provider-1) .... 344
            Configuring Check Point to forward LEEF events to QRadar .... 344

    Chapter 38. Cilasoft QJRN/400 .... 347
        Configuring Cilasoft QJRN/400 .... 347
        Syslog log source parameters for Cilasoft QJRN/400 .... 348

    Chapter 39. Cisco .... 351
        Cisco ACE Firewall .... 351
            Configuring Cisco ACE Firewall .... 351

            Syslog log source parameters for Cisco ACE Firewall .... 351
        Cisco ACS .... 352
            Configuring Syslog for Cisco ACS v5.x .... 352
            Creating a Remote Log Target .... 352
            Configuring global logging categories .... 353
            Syslog log source parameters for Cisco ACS v5.x .... 353
            Configuring Syslog for Cisco ACS v4.x .... 354
            Configuring syslog forwarding for Cisco ACS v4.x .... 354
            Syslog log source parameters for Cisco ACS v4.x .... 355
            UDP Multiline Syslog log source parameters for Cisco ACS .... 355
        Cisco Aironet .... 356
            Syslog log source parameters for Cisco Aironet .... 357
        Cisco ASA .... 357
            Integrate Cisco ASA Using Syslog .... 357
            Configuring syslog forwarding .... 358
            Syslog log source parameters for Cisco ASA .... 358
            Integrate Cisco ASA for NetFlow by using NSEL .... 359
            Configuring NetFlow Using NSEL .... 359
            Cisco NSEL log source parameters for Cisco ASA .... 360
        Cisco AMP .... 361
            Cisco AMP DSM specifications .... 361
            Creating a Cisco AMP Client ID and API key for event queues .... 362
            Creating a Cisco AMP event stream .... 363
            Configure a log source for a user to manage the Cisco AMP event stream .... 364
            Sample event message .... 365
        Cisco CallManager .... 366
            Configuring syslog forwarding .... 366
            Syslog log source parameters for Cisco CallManager .... 367
        Cisco CatOS for Catalyst Switches .... 367
            Configuring syslog .... 367
            Syslog log source parameters for Cisco CatOS for Catalyst Switches .... 368
        Cisco Cloud Web Security .... 368
            Configuring Cloud Web Security to communicate with QRadar .... 370
        Cisco CSA .... 371
            Configuring syslog for Cisco CSA .... 371
            Syslog log source parameters for Cisco CSA .... 372
        Cisco Firepower Management Center .... 372
            Creating Cisco Firepower Management Center 5.x and 6.x certificates .... 374
            Importing a Cisco Firepower Management Center certificate in QRadar .... 376
            Configure your Cisco Firepower appliance to send intrusion or connection events to QRadar by using Syslog .... 377
            Cisco Firepower Management Center log source parameters .... 378
        Cisco FWSM .... 378
            Configuring Cisco FWSM to forward syslog events .... 378
            Syslog log source parameters for Cisco FWSM .... 379
        Cisco Identity Services Engine .... 379
            Configuring a remote logging target in Cisco ISE .... 382
            Configuring logging categories in Cisco ISE .... 382
        Cisco IDS/IPS .... 383
            SDEE log source parameters for Cisco IDS/IPS .... 383
        Cisco IOS .... 385
            Configuring Cisco IOS to forward events .... 385
            Syslog log source parameters for Cisco IOS .... 386
        Cisco IronPort .... 387
            Cisco IronPort DSM specifications .... 387
            Configuring Cisco IronPort appliances to communicate with QRadar .... 388
            Configuring a Cisco IronPort and Cisco ESA log source by using the log file protocol .... 388
            Configuring a Cisco IronPort and Cisco WSA log source by using the Syslog protocol .... 391

            Sample event messages .... 392
        Cisco Meraki .... 392
            Cisco Meraki DSM specifications .... 393
            Configure Cisco Meraki to communicate with IBM QRadar .... 394
            Sample event messages .... 394
        Cisco NAC .... 396
            Configuring Cisco NAC to forward events .... 396
            Syslog log source parameters for Cisco NAC .... 396
        Cisco Nexus .... 397
            Configuring Cisco Nexus to forward events .... 397
            Syslog log source parameters for Cisco Nexus .... 397
        Cisco Pix .... 398
            Configuring Cisco Pix to forward events .... 398
            Syslog log source parameters for Cisco Pix .... 399
        Cisco Stealthwatch .... 399
            Configuring Cisco Stealthwatch to communicate with QRadar .... 400
        Cisco Umbrella .... 401
            Configure Cisco Umbrella to communicate with QRadar .... 404
            Cisco Umbrella DSM specifications .... 404
            Sample event messages .... 404
        Cisco VPN 3000 Concentrator .... 405
            Syslog log source parameters for Cisco VPN 3000 Concentrator .... 405
        Cisco Wireless LAN Controllers .... 406
            Configuring syslog for Cisco Wireless LAN Controller .... 406
            Syslog log source parameters for Cisco Wireless LAN Controllers .... 407
            Configuring SNMPv2 for Cisco Wireless LAN Controller .... 408
            Configuring a trap receiver for Cisco Wireless LAN Controller .... 409
            SNMPv2 log source parameters for Cisco Wireless LAN Controllers .... 409
        Cisco Wireless Services Module .... 410
            Configuring Cisco WiSM to forward events .... 411
            Syslog log source parameters for Cisco WiSM .... 412

    Chapter 40. Citrix .... 415
        Citrix Access Gateway .... 415
            Syslog log source parameters for Citrix Access Gateway .... 415
        Citrix NetScaler .... 416
            Syslog log source parameters for Citrix NetScaler .... 417

    Chapter 41. Cloudera Navigator .... 419
        Configuring Cloudera Navigator to communicate with QRadar .... 420

    Chapter 42. CloudPassage Halo .... 421
        Configuring CloudPassage Halo for communication with QRadar .... 421
        Syslog log source parameters for CloudPassage Halo .... 423
        Log File log source parameters for CloudPassage Halo .... 423

    Chapter 43. CloudLock Cloud Security Fabric .... 425
        Configuring CloudLock Cloud Security Fabric to communicate with QRadar .... 426

    Chapter 44. Correlog Agent for IBM z/OS .... 427
        Configuring your CorreLog Agent system for communication with QRadar .... 428

    Chapter 45. CrowdStrike Falcon Host .... 429
        Configuring CrowdStrike Falcon Host to communicate with QRadar .... 430

    Chapter 46. CRYPTOCard CRYPTO-Shield .... 433
        Configuring syslog for CRYPTOCard CRYPTO-Shield .... 433
        Syslog log source parameters for CRYPTOCard CRYPTO-Shield .... 433

    Chapter 47. CyberArk .... 435
        CyberArk Privileged Threat Analytics .... 435
            Configuring CyberArk Privileged Threat Analytics to communicate with QRadar .... 436
        CyberArk Vault .... 436
            Configuring syslog for CyberArk Vault .... 437
            Syslog log source parameters for CyberArk Vault .... 437

    Chapter 48. CyberGuard Firewall/VPN Appliance .... 439
        Configuring syslog events .... 439
        Syslog log source parameters for CyberGuard .... 439

    Chapter 49. Damballa Failsafe .... 441
        Configuring syslog for Damballa Failsafe .... 441
        Syslog log source parameters for Damballa Failsafe .... 441

    Chapter 50. DG Technology MEAS .... 443
        Configuring your DG Technology MEAS system for communication with QRadar .... 443

    Chapter 51. Digital China Networks (DCN) .... 445
        Configuring a DCN DCS/DCRS Series Switch .... 445
        Syslog log source parameters for DCN DCS/DCRS Series switches .... 446

    Chapter 52. Enterprise-IT-Security.com SF-Sherlock .... 447
        Configuring Enterprise-IT-Security.com SF-Sherlock to communicate with QRadar .... 448

    Chapter 53. Epic SIEM .... 449
        Configuring Epic SIEM 2014 to communicate with QRadar .... 450
        Configuring Epic SIEM 2015 to communicate with QRadar .... 450
        Configuring Epic SIEM 2017 to communicate with QRadar .... 452

    Chapter 54. ESET Remote Administrator .... 455
        Configuring ESET Remote Administrator to communicate with QRadar .... 456

    Chapter 55. Exabeam .... 457
        Configuring Exabeam to communicate with QRadar .... 457

    Chapter 56. Extreme .... 459
        Extreme 800-Series Switch .... 459
            Configuring your Extreme 800-Series Switch .... 459
            Syslog log source parameters for Extreme 800-Series Switches .... 459
        Extreme Dragon .... 460
            Creating a Policy for Syslog .... 460
            Syslog log source parameters for Extreme Dragon .... 462
            Configure the EMS to forward syslog messages .... 462
            Configuring syslog-ng Using Extreme Dragon EMS V7.4.0 and later .... 462
            Configuring syslogd Using Extreme Dragon EMS V7.4.0 and earlier .... 463
        Extreme HiGuard Wireless IPS .... 463
            Configuring Enterasys HiGuard .... 463
            Syslog log source parameters for Extreme HiGuard .... 464
        Extreme HiPath Wireless Controller .... 465
            Configuring your HiPath Wireless Controller .... 465
            Syslog log source parameters for Extreme HiPath .... 465
        Extreme Matrix Router .... 466
        Extreme Matrix K/N/S Series Switch .... 466
        Extreme NetSight Automatic Security Manager .... 467
        Extreme NAC .... 468
            Syslog log source parameters for Extreme NAC .... 468

  • Extreme stackable and stand-alone switches.................................................................................. 469Extreme Networks ExtremeWare...................................................................................................... 470

    Syslog log source parameters for Extreme Networks ExtremeWare..........................................470Extreme XSR Security Router............................................................................................................ 471Syslog log source parameters for Extreme XSR Security Router..................................................... 471

    Chapter 57. F5 Networks....................................................................................................................... 473F5 Networks BIG-IP AFM.................................................................................................................. 473

    Configuring a logging pool............................................................................................................ 473Creating a high-speed log destination......................................................................................... 474Creating a formatted log destination........................................................................................... 474Creating a log publisher................................................................................................................474Creating a logging profile..............................................................................................................475Associating the profile to a virtual server.................................................................................... 475Syslog log source parameters for F5 Networks BIG-IP AFM...................................................... 476

    F5 Networks BIG-IP APM.................................................................................................................. 476Configuring Remote Syslog for F5 BIG-IP APM V11.x to V14.x ................................................. 476Configuring a Remote Syslog for F5 BIG-IP APM 10.x ............................................................... 477Syslog log source parameters for F5 Networks BIG-IP APM......................................................477

    Configuring F5 Networks BIG-IP ASM...............................................................................................478Syslog log source parameters for F5 Networks BIG-IP ASM......................................................478

    F5 Networks BIG-IP LTM...................................................................................................................479Syslog log source parameters for F5 Networks BIG-IP LTM...................................................... 479Configuring syslog forwarding in BIG-IP LTM .............................................................................479Configuring Remote Syslog for F5 BIG-IP LTM V11.x to V14.x ..................................................480Configuring Remote Syslog for F5 BIG-IP LTM V10.x ................................................................ 480Configuring Remote Syslog for F5 BIG-IP LTM V9.4.2 to V9.4.8................................................481

    F5 Networks FirePass........................................................................................................................ 481Configuring syslog forwarding for F5 FirePass............................................................................ 481Syslog log source parameters for F5 Networks FirePass............................................................482

    Chapter 58. Fair Warning.........................................................................................................................483Log File log source parameters for Fair Warning...............................................................................483

    Chapter 59. Fasoo Enterprise DRM......................................................................................................... 485Configuring Fasoo Enterprise DRM to communicate with QRadar................................................... 489

    Chapter 60. Fidelis XPS........................................................................................................................... 491Configuring Fidelis XPS...................................................................................................................... 491Syslog log source parameters for Fidelis XPS...................................................................................492

    Chapter 61. FireEye................................................................................................................................. 493Configuring your FireEye system for communication with QRadar..................................................495Configuring your FireEye HX system for communication with QRadar............................................ 495

    Chapter 62. Forcepoint .... 497
        FORCEPOINT Stonesoft Management Center .... 497

            Configuring FORCEPOINT Stonesoft Management Center to communicate with QRadar .... 498
            Configuring a syslog traffic rule for FORCEPOINT Stonesoft Management Center .... 499

        Forcepoint Sidewinder .... 500
            Forcepoint Sidewinder DSM specifications .... 501
            Configure Forcepoint Sidewinder to communicate with QRadar .... 501
            Sample event messages .... 501

        Forcepoint TRITON .... 502
            Configuring syslog for Forcepoint TRITON .... 503
            Syslog log source parameters for Forcepoint TRITON .... 503

        Forcepoint V-Series Data Security Suite .... 504
            Configuring syslog for Forcepoint V-Series Data Security Suite .... 504


            Syslog log source parameters for Forcepoint V-Series Data Security Suite .... 504
        Forcepoint V-Series Content Gateway .... 505

            Configure syslog for Forcepoint V-Series Content Gateway .... 505
            Configuring the Management Console for Forcepoint V-Series Content Gateway .... 505
            Enabling Event Logging for Forcepoint V-Series Content Gateway .... 506
            Syslog log source parameters for Forcepoint V-Series Content Gateway .... 506
            Log file protocol for Forcepoint V-Series Content Gateway .... 507

    Chapter 63. ForeScout CounterACT .... 509
        Syslog log source parameters for ForeScout CounterACT .... 509
        Configuring the ForeScout CounterACT Plug-in .... 509
        Configuring ForeScout CounterACT Policies .... 510

    Chapter 64. Fortinet FortiGate Security Gateway .... 513
        Configuring a syslog destination on your Fortinet FortiGate Security Gateway device .... 514
        Configuring a syslog destination on your Fortinet FortiAnalyzer device .... 514

    Chapter 65. Foundry FastIron .... 517
        Configuring syslog for Foundry FastIron .... 517
        Syslog log source parameters for Foundry FastIron .... 517

    Chapter 66. FreeRADIUS .... 519
        Configuring your FreeRADIUS device to communicate with QRadar .... 519

    Chapter 67. Generic .... 521
        Generic Authorization Server .... 521

            Configuring event properties .... 521
            Syslog log source parameters for Generic Authorization Server .... 523

        Generic Firewall .... 523
            Configuring event properties .... 523
            Syslog log source parameters for Generic Firewall .... 525

    Chapter 68. genua genugate .... 527
        Configuring genua genugate to send events to QRadar .... 528

    Chapter 69. Google G Suite Activity Reports .... 529
        Google G Suite Activity Reports DSM specifications .... 529
        Configuring Google G Suite Activity Reports to communicate with QRadar .... 530
        Assign a role to a user .... 530
        Create a service account with viewer access .... 532
        Grant API client access to a service account .... 532
        Google G Suite Activity Reports log source parameters .... 533
        Sample event messages .... 534
        Troubleshooting Google G Suite Activity Reports .... 535

            Invalid private keys .... 535
            Authorization errors .... 536
            Invalid email or username errors .... 536
            Invalid JSON formatting .... 537
            Network errors .... 537
            Google G Suite Activity Reports FAQ .... 537

    Chapter 70. Great Bay Beacon .... 539
        Configuring syslog for Great Bay Beacon .... 539
        Syslog log source parameters for Great Bay Beacon .... 539

    Chapter 71. HBGary Active Defense .... 541
        Configuring HBGary Active Defense .... 541
        Syslog log source parameters for HBGary Active Defense .... 541


    Chapter 72. H3C Technologies .... 543
        H3C Comware Platform .... 543

            Configuring H3C Comware Platform to communicate with QRadar .... 544

    Chapter 73. Honeycomb Lexicon File Integrity Monitor (FIM) .... 545
        Supported Honeycomb FIM event types logged by QRadar .... 545
        Configuring the Lexicon mesh service .... 546
        Syslog log source parameters for Honeycomb Lexicon File Integrity Monitor .... 546

    Chapter 74. Hewlett Packard (HP) .... 549
        HP Network Automation .... 549
            Configuring HP Network Automation Software to communicate with QRadar .... 550
        HP ProCurve .... 551

            Syslog log source parameters for HP ProCurve .... 551
        HP Tandem .... 552
        Hewlett Packard UniX (HP-UX) .... 552

            Syslog log source parameters for Hewlett Packard UniX (HP-UX) .... 553

    Chapter 75. Huawei .... 555
        Huawei AR Series Router .... 555

            Syslog log source parameters for Huawei AR Series Router .... 555
            Configuring Your Huawei AR Series Router .... 556

        Huawei S Series Switch .... 556
            Syslog log source parameters for Huawei S Series Switch .... 557
            Configuring Your Huawei S Series Switch .... 557

    Chapter 76. HyTrust CloudControl .... 559
        Configuring HyTrust CloudControl to communicate with QRadar .... 560

    Chapter 77. IBM .... 561
        IBM AIX .... 561

            IBM AIX Server DSM overview .... 561
            IBM AIX Audit DSM overview .... 562

        IBM i .... 567
            Configuring IBM i to integrate with IBM QRadar .... 568
            Manually extracting journal entries for IBM i .... 569
            Pulling Data Using Log File Protocol .... 570
            Configuring Townsend Security Alliance LogAgent to integrate with QRadar .... 571

        IBM BigFix .... 571
        IBM BigFix Detect .... 572
        IBM Bluemix Platform .... 572

            Configuring IBM Bluemix Platform to communicate with QRadar .... 573
        IBM CICS .... 575

            Create a log source for near real-time event feed .... 576
            Log File log source parameter .... 576

        IBM DataPower .... 580
            Configuring IBM DataPower to communicate with QRadar .... 581

        IBM DB2 .... 582
            Create a log source for near real-time event feed .... 583
            Log File log source parameter .... 583
            Integrating IBM DB2 Audit Events .... 587
            Extracting audit data for DB2 v8.x to v9.4 .... 588
            Extracting audit data for DB2 v9.5 .... 588

        IBM Federated Directory Server .... 589
            Configuring IBM Federated Directory Server to monitor security events .... 590

        IBM Fiberlink MaaS360 .... 590
            IBM Fiberlink REST API log source parameters for IBM Fiberlink MaaS360 .... 591


        IBM Guardium .... 592
            Creating a syslog destination for events .... 592
            Configuring policies to generate syslog events .... 593
            Installing an IBM Guardium Policy .... 594
            Syslog log source parameters for IBM Guardium .... 594
            Creating an event map for IBM Guardium events .... 595
            Modifying the event map .... 595

        IBM IMS .... 596
            Configuring IBM IMS .... 597
            Log File log source parameters for IBM IMS .... 599

        IBM Informix Audit .... 599
        IBM Lotus Domino .... 600

            Setting Up SNMP Services .... 600
            Setting up SNMP in AIX .... 600
            Starting the Domino Server Add-in Tasks .... 601
            Configuring SNMP Services .... 601
            SNMPv2 log source parameters for IBM Lotus Domino .... 602

        IBM Privileged Session Recorder .... 602
            Configuring IBM Privileged Session Recorder to communicate with QRadar .... 604
            JDBC log source parameters for IBM Privileged Session Recorder .... 604

        IBM Proventia .... 604
            IBM Proventia Management SiteProtector .... 604
            JDBC log source parameters for IBM Proventia Management SiteProtector .... 605
            IBM ISS Proventia .... 606

        IBM QRadar Packet Capture .... 607
            Configuring IBM QRadar Packet Capture to communicate with QRadar .... 608
            Configuring IBM QRadar Network Packet Capture to communicate with QRadar .... 609

        IBM RACF .... 609
            Log File log source parameter .... 610
            Create a log source for near real-time event feed .... 614
            Integrate IBM RACF with IBM QRadar by using audit scripts .... 615
            Configuring IBM RACF that uses audit scripts to integrate with IBM QRadar .... 615

        IBM SAN Volume Controller .... 617
            Configuring IBM SAN Volume Controller to communicate with QRadar .... 619

        IBM Security Access Manager for Enterprise Single Sign-On .... 619
            Configuring a log server type .... 619
            Configuring syslog forwarding .... 620
            Syslog log source parameters for IBM Security Access Manager for Enterprise Single Sign-On .... 620
        IBM Security Access Manager for Mobile .... 621

            Configuring IBM Security Access Manager for Mobile to communicate with QRadar .... 623
            Configuring IBM IDaaS Platform to communicate with QRadar .... 624
            Configuring an IBM IDaaS console to communicate with QRadar .... 624

        IBM Security Directory Server .... 624
            IBM Security Directory Server DSM specifications .... 625
            Configuring IBM Security Directory Server to communicate with QRadar .... 625
            Syslog log source parameters for IBM Security Directory Server .... 626

        IBM Security Identity Governance .... 627
            JDBC log source parameters for IBM Security Identity Governance .... 629
        IBM Security Identity Manager .... 630

            IBM Security Identity Manager JDBC log source parameters for IBM Security Identity Manager .... 630

        IBM Security Network IPS (GX) .... 634
            Configuring your IBM Security Network IPS (GX) appliance for communication with QRadar .... 635
            Syslog log source parameters for IBM Security Network IPS (GX) .... 635

        IBM QRadar Network Security XGS .... 636
            Configuring IBM QRadar Network Security XGS Alerts .... 636
            Syslog log source parameters for IBM QRadar Network Security XGS .... 637


        IBM Security Privileged Identity Manager .... 638
            Configuring IBM Security Privileged Identity Manager to communicate with QRadar .... 641
            Sample event message .... 642

        IBM Security Trusteer Apex Advanced Malware Protection .... 642
            Configuring IBM Security Trusteer Apex Advanced Malware Protection to send syslog events to QRadar .... 646
            Configuring IBM Security Trusteer Apex Advanced Malware Protection to send TLS Syslog events to QRadar .... 647
            Configuring a Flat File Feed service .... 649

        IBM Security Trusteer Apex Local Event Aggregator .... 650
            Configuring syslog for Trusteer Apex Local Event Aggregator .... 650

        IBM Sense .... 651
            Configuring IBM Sense to communicate with QRadar .... 652

        IBM SmartCloud Orchestrator .... 652
            Installing IBM SmartCloud Orchestrator .... 653
            IBM SmartCloud Orchestrator log source parameters .... 653

        IBM Tivoli Access Manager for e-business .... 654
            Configure Tivoli Access Manager for e-business .... 654
            Syslog log source parameters for IBM Tivoli Access Manager for e-business .... 655

        IBM Tivoli Endpoint Manager .... 655
        IBM WebSphere Application Server .... 656

            Configuring IBM WebSphere ....