Event type format

A LEEF event consists of a syslog header (timestamp and host name), followed by a pipe ( | ) delimited LEEF header that carries the LEEF version, vendor, product, product version and event ID, followed by the event payload, a list of key=value attributes. In LEEF 1.0 the attributes are tab-delimited (the sample below shows them separated by whitespace); LEEF 2.0 can instead name its own payload delimiter in an additional header field.

For example:

Aug 10 14:55:30 <Server> LEEF:1.0|BCN|Adonis|6.7.1|DNS_Query|cat=A_record src=<Source_IP_address> url=test.example.com

If the syslog events forwarded from your BlueCat Adonis appliances do not look like the sample above, check the appliance's syslog configuration before troubleshooting QRadar. Correctly formatted LEEF events are automatically discovered by the BlueCat Networks Adonis DSM, which creates a log source for the appliance in IBM QRadar.
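The following parser is an added example, not code from the page or from IBM or BlueCat, that shows how the pieces of a LEEF event fit together and gives you a way to check a captured batch of forwarded lines before concluding that the appliance is misconfigured. It splits the syslog header from the LEEF header, handles the LEEF 1.0 tab delimiter (falling back to spaces for samples like the one above), honours the delimiter field that LEEF 2.0 adds, and rejects lines that are not LEEF at all. The host name "adonis01", the source address 192.0.2.10 and the non-LEEF query line are constructed sample data, and the LEEF 2.0 line is an assumed variant of the page's event.

```python
import re
from typing import Dict, List, Optional

# Constructed sample lines modelled on the page's example. The host
# "adonis01" and the source address 192.0.2.10 are placeholders
# (assumptions), not values from the page.
SAMPLE_EVENTS: List[str] = [
    # LEEF 1.0 with the tab-delimited payload the format calls for.
    "Aug 10 14:55:30 adonis01 LEEF:1.0|BCN|Adonis|6.7.1|DNS_Query|"
    "cat=A_record\tsrc=192.0.2.10\turl=test.example.com",
    # Same event with a space-delimited payload, as printed on the page.
    "Aug 10 14:55:30 adonis01 LEEF:1.0|BCN|Adonis|6.7.1|DNS_Query|"
    "cat=A_record src=192.0.2.10 url=test.example.com",
    # LEEF 2.0 carries the payload delimiter as a sixth header field ("^" here).
    "Aug 10 14:55:30 adonis01 LEEF:2.0|BCN|Adonis|6.7.1|DNS_Query|^|"
    "cat=A_record^src=192.0.2.10^url=test.example.com",
    # Not LEEF: a plain BIND-style query log line. The DSM would not
    # auto-discover a log source from lines like this.
    "Aug 10 14:55:31 adonis01 named[1234]: client 192.0.2.10#5353: "
    "query: test.example.com IN A",
]

# BSD syslog header: "Mon dd HH:MM:SS host message".
SYSLOG_RE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<msg>.*)$"
)


def _payload_delimiter(version: str, delim_field: Optional[str], payload: str) -> str:
    """Work out which character separates key=value pairs in the payload."""
    if version == "2.0" and delim_field:
        # LEEF 2.0 allows the delimiter as a literal character or as a hex
        # code such as "x09" / "0x09".
        hex_match = re.fullmatch(r"0?x([0-9A-Fa-f]{2})", delim_field)
        return chr(int(hex_match.group(1), 16)) if hex_match else delim_field
    # LEEF 1.0 payloads are tab-delimited. Fall back to a space only when no
    # tab is present, so space-separated samples like the page's still parse.
    return "\t" if "\t" in payload else " "


def parse_leef(line: str) -> Optional[Dict[str, object]]:
    """Parse one syslog line carrying a LEEF event.

    Returns a dict with the syslog header, the LEEF header fields and the
    attribute map, or None if the line is not a well-formed LEEF event.
    """
    m = SYSLOG_RE.match(line)
    if not m or not m.group("msg").startswith("LEEF:"):
        return None
    msg = m.group("msg")
    if "|" not in msg:
        return None

    # Header: LEEF:<ver>|Vendor|Product|Version|EventID|[Delimiter|]payload
    version = msg.partition("|")[0][len("LEEF:"):]
    header_fields = 6 if version == "2.0" else 5
    parts = msg.split("|", header_fields)
    if len(parts) != header_fields + 1:
        return None
    _, vendor, product, product_version, event_id = parts[:5]
    delim_field = parts[5] if version == "2.0" else None
    payload = parts[-1]
    if not (vendor and product and event_id):
        return None  # the DSM keys auto-discovery on these header fields

    delimiter = _payload_delimiter(version, delim_field, payload)
    attributes: Dict[str, str] = {}
    for pair in payload.split(delimiter):
        if "=" not in pair:
            continue  # stray token, not a key=value attribute
        key, value = pair.split("=", 1)
        attributes[key.strip()] = value

    return {
        "timestamp": m.group("timestamp"),
        "host": m.group("host"),
        "leef_version": version,
        "vendor": vendor,
        "product": product,
        "product_version": product_version,
        "event_id": event_id,
        "attributes": attributes,
    }


def check_events(lines: List[str]) -> Dict[str, List[str]]:
    """Sort a batch of forwarded lines into LEEF-parsable and rejected ones,
    the check to run before deciding the appliance's syslog config is wrong."""
    result: Dict[str, List[str]] = {"ok": [], "rejected": []}
    for line in lines:
        result["ok" if parse_leef(line) else "rejected"].append(line)
    return result


if __name__ == "__main__":
    for line in SAMPLE_EVENTS:
        print(parse_leef(line) or f"NOT LEEF: {line}")
```

Run it against a capture of what the appliance actually sends (for example a few lines from tcpdump on UDP/514 at the QRadar side): anything that lands in the "rejected" list is what the DSM will not auto-discover, and the first of those lines usually points straight at the misconfiguration. The parser does not handle the `\|` escape that LEEF allows inside header fields, which the BlueCat event IDs do not need.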

Before you begin

BlueCat Adonis must be configured to generate events in Log Event Extended Format (LEEF) and to redirect the event output to QRadar using syslog.

BlueCat Networks provides a script on its appliances to assist you with configuring syslog. To complete the syslog redirection, you must have administrative or root access to the command line interface of the BlueCat Adonis or BlueCat Proteus appliance. If the syslog configuration script is not present on your appliance, contact your BlueCat Networks representative.