Configuring syslog for Trusteer Apex Local Event Aggregator

To collect events, you must configure a syslog server on your Trusteer Apex Local Event Aggregator to forward syslog events.

Procedure

  1. Log in to the Trusteer Apex L.E.A. management console.
  2. From the navigation menu, select Configuration.
  3. To export the current Trusteer Apex Local Event Aggregator configuration, click Export and save the file.
  4. Open the configuration file with a text editor.
  5. From the syslog.event_targets section, add the following information:

    {
    "host": "<QRadar IP address>", "port": "514", "proto": "tcp"
    }

  6. Save the configuration file.
  7. From the navigation menu, select Configuration.
  8. Click Choose file and select the new configuration file that contains the event target IP address.
  9. Click Import.

    As syslog events are generated by the Trusteer Apex Local Event Aggregator, they are forwarded to the target specified in the configuration file. The log source is automatically discovered after enough events are forwarded to QRadar. It typically takes a minimum of 25 events to automatically discover a log source.
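    The hand edit in step 5 is easy to get wrong (an unreplaced placeholder, a stray quote, or the same target pasted twice). The following script, added here as an example and not part of the Trusteer Apex or QRadar product, applies the same change programmatically. It assumes the exported configuration is JSON with the event targets stored under a "syslog" object as "event_targets" (an assumption based on the section name in the procedure); the sample export, the filler key and the 192.0.2.10 address are constructed for the example.

```python
import ipaddress
import json

# Constructed sample of an exported Local Event Aggregator configuration.
# The real export contains other settings; only the "syslog" ->
# "event_targets" path is assumed here, based on the procedure above.
SAMPLE_EXPORT = json.dumps({
    "syslog": {"event_targets": []},
    "retention": {"days": 30},  # constructed filler key
}, indent=2)

VALID_PROTOS = ("tcp", "udp")


def validate_target(host, port, proto):
    """Return None if the target is usable, otherwise a message describing the problem.

    Catches the usual mistakes made when editing by hand: leaving the
    "<QRadar IP address>" placeholder in place, a port outside 1-65535,
    or a protocol other than tcp/udp.
    """
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return "host must be the QRadar IP address, got %r" % (host,)
    try:
        port_num = int(port)
    except (TypeError, ValueError):
        return "port must be numeric, got %r" % (port,)
    if not 1 <= port_num <= 65535:
        return "port out of range: %d" % port_num
    if str(proto).lower() not in VALID_PROTOS:
        return "proto must be one of %s, got %r" % (VALID_PROTOS, proto)
    return None


def add_event_target(config_text, host, port="514", proto="tcp"):
    """Append a syslog event target to syslog.event_targets and return the new JSON text.

    Raises ValueError for invalid input or if an identical target already
    exists, so re-running the script does not duplicate the forwarding entry.
    """
    problem = validate_target(host, port, proto)
    if problem:
        raise ValueError(problem)
    config = json.loads(config_text)
    syslog = config.setdefault("syslog", {})
    targets = syslog.setdefault("event_targets", [])
    if not isinstance(targets, list):
        raise ValueError("syslog.event_targets is not a list")
    # Values are kept as strings to match the form shown in the procedure.
    target = {"host": host, "port": str(int(port)), "proto": proto.lower()}
    if target in targets:
        raise ValueError("target already present: %s" % target)
    targets.append(target)
    return json.dumps(config, indent=2)


def list_event_targets(config_text):
    """Return the list of configured syslog event targets (empty if none)."""
    return json.loads(config_text).get("syslog", {}).get("event_targets", [])


if __name__ == "__main__":
    # Typical use: read the exported file, add the QRadar target, write a
    # new file for import. The constructed sample stands in for the file here.
    updated = add_event_target(SAMPLE_EXPORT, "192.0.2.10")
    print(updated)
```

    With a real export, replace SAMPLE_EXPORT with the contents of the saved file and write the returned text to a new file before importing it in step 8; the duplicate check means the script can be re-run safely.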

What to do next

Administrators can log in to the QRadar Console and verify that the log source is created. The Log Activity tab displays events from Trusteer Apex Local Event Aggregator.