Configuring the event log alert object

Create log alert objects to add a record to the event log file when a rule is triggered or when a system event occurs.

About this task

The event log file is a single, read-only file. You can edit the existing event log alert object, but you cannot create a new one.

Navigating in the Local Management Interface: Use one of the following paths to navigate to the policy or page where you want to create a response object:
  • Secure > Network Access Policy
  • Secure > Advanced Threat Policy
  • Manage > Management Access Policy
  • Manage > System Alerts
Navigating in the SiteProtector™ System: Select the Policy view. In the My Sites pane, expand the Locally Configured Agents menu item, and then select your Network Security agent. In the Local Policies pane, select one of the following options:
  • Network Access Policy
  • Advanced Threat Policy
  • Management Access Policy
  • System Alerts

Procedure

  1. From one of the following locations, begin editing the Event Log alert object:
    • Network Access Policy or Management Access Policy: In the Network Objects pane, expand Response > Alert > Log, select the Event Log, and then click Edit.
    • Advanced Threat Policy: In the ATP Objects pane, expand Alert > Log, select the Event Log, and then click Edit.
    • System Alerts: In the Added Objects or Available Objects pane, select the Event Log, and then click Edit.
  2. In the Edit Event Log Object window, type a percentage of the total event storage limit to use for each of the following fields:
    Note: The sum of the values in these fields must equal 100%.
    • System Events Allocation
    • NAP Events Allocation
    • IPS Events Allocation
    • Advanced Threat Events Allocation
    • Management Access Event Allocation
    Note: When the allocated portion of the log is full, the appliance overwrites older event data with new event data.
  3. Type a comment, and then click Submit.
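The two rules in step 2 (the five allocation percentages must sum to 100%, and a full allocation overwrites its oldest entries) determine how much history each event category keeps, which is what matters when you later need the log for an investigation. The following Python is an added illustration and is not part of the IBM documentation or the appliance's own code. It assumes a total storage limit expressed as a number of records (the page gives neither the appliance's capacity nor its storage unit) and models each allocation as its own circular buffer.

```python
"""Model of the event log allocation split and overwrite-on-full behaviour.

Added illustration; not the appliance's implementation. The total capacity
is an assumed parameter given in records, and each allocation is modelled
as an independent ring buffer, as the step 2 note describes.
"""
from collections import deque

# The five fields from the Edit Event Log Object window, used as category keys.
CATEGORIES = (
    "System Events Allocation",
    "NAP Events Allocation",
    "IPS Events Allocation",
    "Advanced Threat Events Allocation",
    "Management Access Event Allocation",
)


def validate_allocation(alloc: dict) -> list:
    """Return the problems with an allocation; an empty list means it is acceptable."""
    problems = []
    missing = [c for c in CATEGORIES if c not in alloc]
    if missing:
        problems.append("missing fields: " + ", ".join(missing))
    unknown = [c for c in alloc if c not in CATEGORIES]
    if unknown:
        problems.append("unknown fields: " + ", ".join(unknown))
    negative = [c for c in CATEGORIES if alloc.get(c, 0) < 0]
    if negative:
        problems.append("negative values: " + ", ".join(negative))
    total = sum(alloc.get(c, 0) for c in CATEGORIES)
    if total != 100:
        problems.append(f"allocations sum to {total}%, must equal 100%")
    return problems


class EventLogModel:
    """One ring buffer per category, sized by its share of the total capacity."""

    def __init__(self, alloc: dict, total_capacity: int):
        problems = validate_allocation(alloc)
        if problems:
            raise ValueError("; ".join(problems))
        # Integer division mirrors a fixed-size store; any remainder is unused.
        self.capacity = {c: total_capacity * alloc[c] // 100 for c in CATEGORIES}
        self.partitions = {c: deque() for c in CATEGORIES}
        self.overwritten = {c: 0 for c in CATEGORIES}

    def record(self, category: str, event: str) -> None:
        """Append an event; when the category's share is full, the oldest entry is lost."""
        part = self.partitions[category]
        cap = self.capacity[category]
        if cap == 0:
            # A 0% share has no room at all, so the event is lost immediately.
            self.overwritten[category] += 1
            return
        if len(part) == cap:
            part.popleft()  # older event data overwritten by new event data
            self.overwritten[category] += 1
        part.append(event)

    def retained(self, category: str) -> list:
        """Events still readable for a category, oldest first."""
        return list(self.partitions[category])


def demo() -> dict:
    """Constructed scenario: a 10% management access share under 15 events."""
    alloc = {
        "System Events Allocation": 20,
        "NAP Events Allocation": 20,
        "IPS Events Allocation": 40,
        "Advanced Threat Events Allocation": 10,
        "Management Access Event Allocation": 10,
    }
    model = EventLogModel(alloc, total_capacity=100)  # assumed 100-record store
    cat = "Management Access Event Allocation"
    for i in range(15):
        model.record(cat, f"ma-{i}")
    return {"retained": model.retained(cat), "overwritten": model.overwritten[cat]}


if __name__ == "__main__":
    print(demo())
```

In the constructed scenario the management access share holds 10 records, so after 15 logins the five oldest are gone. A category given a small share but a high event rate loses its history first, so the split should reflect the event volume you expect in each category rather than being divided evenly by habit.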

What to do next

After you configure an event log alert object, complete one of the following actions so that the appliance initiates the response when specified events occur:
  • Add the object to one or more rules in a policy
  • Add the object to the Added Objects pane on the System Alerts page
Note: After you create or edit alert objects that are used by a rule in a policy, you must deploy the updated policy for the changes to take effect.