OPSEC/LEA protocol configuration options
To receive events on port 18184, configure a log source to use the OPSEC/LEA protocol.
The OPSEC/LEA protocol is an outbound/active protocol.
| Parameter | Description |
|---|---|
| Protocol Configuration | OPSEC/LEA |
| Log Source Identifier |
The IP address, host name, or any name to identify the device. Must be unique for the log source type. |
| Server IP | Type the IP address of the server. |
| Server Port | The port number that is used for OPSEC communication. The valid range is 0 - 65,536 and the default is 18184. |
| Use Server IP for Log Source | Select the Use Server IP for Log Source check box if you want to use the LEA server IP address instead of the managed device IP address for a log source. By default, the check box is selected. |
| Statistics Report Interval | The interval, in seconds, during which the number of syslog events are recorded in the qradar.log file. The valid range is 4 - 2,147,483,648 and the default interval is 600. |
| Authentication Type | From the list, select the Authentication Type that you want to use for this LEA configuration. The options are sslca (default), sslca_clear, or clear. This value must match the authentication method that is used by the server. |
| OPSEC Application Object SIC Attribute (SIC Name) | The Secure Internal Communications (SIC) name is the distinguished name (DN) of the application; for example: CN=LEA, o=fwconsole..7psasx. |
| Log Source SIC Attribute (Entity SIC Name) | The SIC name of the server, for example: cn=cp_mgmt,o=fwconsole..7psasx. |
| Specify Certificate | Select this check box if you want to define a certificate for this LEA configuration. QRadar® attempts to retrieve the certificate by using these parameters when the certificate is needed. |
| Certificate Filename | This option appears only if Specify Certificate is selected. Type the file name of the certificate that you want to use for this configuration. The certificate file must be located in the /opt/qradar/conf/ trusted_certificates/lea directory. |
| Certificate Authority IP | Type the Check Point Manager Server IP address. |
| Pull Certificate Password | Type the activation key password. |
| OPSEC Application | The name of the application that makes the certificate request. |
| Enabled | Select this check box to enable the log source. By default, the check box is selected. |
| Credibility |
From the list, select the Credibility of the log source. The range is 0 - 10. The credibility indicates the integrity of an event or offense as determined by the credibility rating from the source devices. Credibility increases if multiple sources report the same event. The default is 5. |
| Target Event Collector | From the list, select the Target Event Collector to use as the target for the log source. |
| Coalescing Events |
Select the Coalescing Events check box to enable the log source to coalesce (bundle) events. By default, automatically discovered log sources inherit the value of the Coalescing Events list from the System Settings in QRadar. When you create a log source or edit an existing configuration, you can override the default value by configuring this option for each log source. |
| Store Event Payload |
Select the Store Event Payload check box to enable the log source to store event payload information. By default, automatically discovered log sources inherit the value of the Store Event Payload list from the System Settings in QRadar. When you create a log source or edit an existing configuration, you can override the default value by configuring this option for each log source. |
- Clear the Specify Certificate check box.
- Reenter the password for Pull Certificate Password.