Configuring agileSI to forward events

To configure agileSI, you must create a logical file name for your events and configure the connector settings with the path to your agileSI event log.

About this task

The LEEF formatted event file must be stored in a location that is viewable by Samba and accessible with the credentials that you configure for the log source in IBM QRadar.

Procedure

  1. In the agileSI core system installation, define a logical file name for the output file that contains your SAP security events.

    SAP provides a concept that gives you the option to use platform-independent logical file names in your application programs. Create a logical file name and path by using transaction "FILE" (Logical File Path Definition) according to your organization's requirements.

  2. Log in to agileSI.

    For example, http://<sap-system-url:port>/sap/bc/webdynpro/itcube/ccf?sap-client=<client>&sap-language=EN

    Where:

    • <sap-system-url> is the IP address and port number of your SAP system, such as <IP_address>:50041.
    • <client> is the agent in your agileSI deployment.
  3. From the menu, click Display/Change to enable change mode for agileSI.
  4. From the toolbar, select Tools > Core Consumer Connector Settings.

    The Core Consumer Connector Settings are displayed.

  5. Configure the following values:

    From the Consumer Connector list, select Q1 Labs.

  6. Select the Active check box.
  7. From the Connector Type list, select File.
  8. In the Logical File Name field, type the path to the logical file name that you configured in Configuring agileSI to forward events.

    For example, /ITCUBE/LOG_FILES.

    The file that is created for the agileSI events is labeled LEEFYYYYDDMM.TXT where YYYYDDMM is the year, day, and month. The event file for the current day is appended with new events every time the extractor runs. iT-CUBE agileSI creates a new LEEF file for SAP events daily.

  9. Click Save.

    The configuration for your connector is saved. Before you can complete the agileSI configuration, you must deploy the changes for agileSI by using extractors.

  10. From the toolbar, select Tools > Extractor Management.

    The Extractor Management settings are displayed.

  11. Click Deploy all.

    The configuration for agileSI events is complete. You are now ready to configure a log source in QRadar.
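Before you configure the log source, you can confirm that the extractor wrote the daily file under the name described in step 8 and that its lines carry a LEEF header. The following script is an added example, not part of the IBM or iT-CUBE documentation; the directory you pass is assumed to be the one your logical file name resolves to, and the sample events, vendor, product and event IDs are constructed placeholders.

```python
import datetime
import os
import tempfile

def leef_file_name(day):
    """Daily file name as described in step 8: LEEFYYYYDDMM.TXT (year, day, month)."""
    return "LEEF{:04d}{:02d}{:02d}.TXT".format(day.year, day.day, day.month)

def check_leef_file(directory, day):
    """Return (path, valid_count, bad_line_numbers) for the day's event file.

    Raises FileNotFoundError when the extractor has not written the file yet.
    """
    path = os.path.join(directory, leef_file_name(day))
    valid, bad = 0, []
    with open(path, "r", encoding="utf-8", errors="replace") as handle:
        for number, line in enumerate(handle, start=1):
            line = line.rstrip("\r\n")
            if not line:
                continue
            # LEEF header: LEEF:<version>|<vendor>|<product>|<version>|<eventID>|
            fields = line.split("|")
            if line.startswith("LEEF:") and len(fields) >= 6 and all(fields[1:5]):
                valid += 1
            else:
                bad.append(number)
    return path, valid, bad

def demo():
    # Constructed sample events; vendor, product and event IDs are placeholders.
    sample = (
        "LEEF:1.0|ExampleVendor|ExampleProduct|1.0|EXAMPLE_LOGON|usrName=DEMO\tsrc=192.0.2.10\n"
        "truncated line without a LEEF header\n"
        "LEEF:1.0|ExampleVendor|ExampleProduct|1.0|EXAMPLE_CHANGE|usrName=DEMO\n"
    )
    day = datetime.date(2024, 3, 7)
    with tempfile.TemporaryDirectory() as directory:
        with open(os.path.join(directory, leef_file_name(day)), "w", encoding="utf-8") as out:
            out.write(sample)
        path, valid, bad = check_leef_file(directory, day)
        return os.path.basename(path), valid, bad

if __name__ == "__main__":
    print(demo())
```

Run `check_leef_file` against the exported directory with today's date; a missing file or a non-empty list of bad line numbers points to an extractor or path problem rather than a QRadar log source problem.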