To collect events, you must configure a syslog server on your Trusteer Apex Local Event Aggregator to forward syslog events.
Procedure
- Log in to the Trusteer Apex L.E.A. management console.
- From the navigation menu, select Configuration.
- To export the current Trusteer Apex Local Event Aggregator configuration, click Export and save the file.
- Open the configuration file with a text editor.
- In the syslog.event_targets section, add the following information:
  {
    "host": "<QRadar IP address>", "port": "514", "proto": "tcp"
  }
- Save the configuration file.
- From the navigation menu, select Configuration.
- Click Choose file and select the new configuration file that contains the event target IP address.
- Click Import.
As syslog events are generated by the Trusteer Apex Local Event Aggregator, they are forwarded to the target specified in the configuration file. The log source is automatically discovered after enough events are forwarded to QRadar. It typically takes a minimum of 25 events to automatically discover a log source.
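Editing the exported file by hand is error-prone (a missing quote, a non-numeric port, or a second copy of the same target). The following script is an added example, not part of this documentation and not an IBM or Trusteer tool: it inserts the QRadar target into the syslog.event_targets section of an exported configuration and validates the host, port and proto values before writing. It assumes the export is JSON with a top-level "syslog" object whose "event_targets" value is a list of target objects; the sample export below is constructed for the example and the address 192.0.2.10 is a placeholder for the QRadar IP address.

```python
import json

# Constructed sample of an exported configuration. The real export's layout
# is an assumption here: a top-level "syslog" object with an "event_targets" list.
SAMPLE_EXPORT = """
{
  "syslog": {
    "event_targets": [
      {"host": "10.0.0.5", "port": "514", "proto": "udp"}
    ]
  }
}
"""

ALLOWED_PROTOS = {"tcp", "udp"}


def add_event_target(config_text, host, port="514", proto="tcp"):
    """Return the configuration text with a syslog event target added.

    The target is added only once (re-running with the same values is a no-op),
    and the values are checked before the file is modified.
    """
    if not host or not host.strip():
        raise ValueError("host must not be empty")
    try:
        port_num = int(port)
    except (TypeError, ValueError):
        raise ValueError("port must be numeric, got %r" % (port,))
    if not 1 <= port_num <= 65535:
        raise ValueError("port out of range: %d" % port_num)
    if proto not in ALLOWED_PROTOS:
        raise ValueError("proto must be one of %s, got %r" % (sorted(ALLOWED_PROTOS), proto))

    config = json.loads(config_text)
    syslog = config.setdefault("syslog", {})
    targets = syslog.get("event_targets")
    if targets is None:
        # Section absent: create it.
        targets = syslog["event_targets"] = []
    elif isinstance(targets, dict):
        # Tolerate a single target object instead of a list.
        targets = syslog["event_targets"] = [targets]
    elif not isinstance(targets, list):
        raise ValueError("syslog.event_targets is neither a list nor an object")

    # The page shows the port as a string, so keep that representation.
    new_target = {"host": host.strip(), "port": str(port_num), "proto": proto}
    already_present = any(
        t.get("host") == new_target["host"]
        and str(t.get("port")) == new_target["port"]
        and t.get("proto") == new_target["proto"]
        for t in targets
        if isinstance(t, dict)
    )
    if not already_present:
        targets.append(new_target)
    return json.dumps(config, indent=2)


def list_event_targets(config_text):
    """Return the list of syslog event targets found in the configuration text."""
    config = json.loads(config_text)
    targets = config.get("syslog", {}).get("event_targets", [])
    return [targets] if isinstance(targets, dict) else list(targets)


if __name__ == "__main__":
    updated = add_event_target(SAMPLE_EXPORT, "192.0.2.10")  # placeholder QRadar address
    print(updated)
    for target in list_event_targets(updated):
        print("target:", target)
```

Run the script against the saved export (read the file into config_text, write the returned text back to a new file) and then import that file through the console as in the procedure; if the event_targets section in a real export has a different shape, adjust the two lookups that follow the "syslog" key.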
What to do next
Administrators can log in to the QRadar Console and verify that the log source is created. The Log Activity tab displays events from Trusteer Apex Local Event Aggregator.