Configuring Tivoli Access Manager for e-business
You can configure syslog on your Tivoli® Access Manager for e-business to forward events.
Procedure
- Log in to Tivoli Access Manager's IBM® Security Web Gateway.
- From the navigation menu, select Secure Reverse Proxy Settings > Manage > Reverse Proxy.
The Reverse Proxy pane is displayed.
- From the Instance column, select an instance.
- Click the Manage list and select Configuration > Advanced.
The text of the WebSEAL configuration file is displayed.
- Locate the Authorization API Logging configuration.
The remote syslog configuration begins with logcfg.
For example, to send authorization events to a remote syslog server:
# logcfg = audit.azn:rsyslog server=<IP address>,port=514,log_id=<log name>
- Copy the remote syslog configuration (logcfg) to a new line without the comment (#) marker.
- Edit the remote syslog configuration.
For example,
logcfg = audit.azn:rsyslog server=<IP address>,port=514,log_id=<log name>
logcfg = audit.authn:rsyslog server=<IP address>,port=514,log_id=<log name>
logcfg = http:rsyslog server=<IP address>,port=514,log_id=<log name>
Where:
- <IP address> is the IP address of your QRadar Console or Event Collector.
- <log name> is the name assigned to the log that is forwarded to QRadar. For example, log_id=WebSEAL-log.
- Customize the request.log file.
For example,
request-log-format = isam-http-request-log|client-ip=%a|server-ip=%A|client-logname=%l|remote-user=%u|time=%t|port=%p|protocol=%H|request-method=%m|response-status=%s|url=%U|bytes=%b|remote-host=%h|request=%r
- Click Submit.
The Deploy button is displayed in the navigation menu.
- From the navigation menu, click Deploy.
- Click Deploy.
You must restart the reverse proxy instance to continue.
- From the Instance column, select your instance configuration.
- Click the Manage list and select Control > Restart.
A status message is displayed after the restart completes.
For more information on configuring a syslog destination, see your IBM Tivoli Access Manager for e-business vendor documentation. You are now ready to configure a log source in QRadar.
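To confirm on the receiving side that forwarded events follow the request-log-format configured in the procedure, the following added example (not part of the IBM documentation) parses that pipe-delimited layout and keeps a "|" inside the request line from splitting a field. The sample lines, including the syslog header on the second one, are constructed for illustration; a real header may look different.

```python
import re

# Format string copied from the request-log-format line in the procedure.
REQUEST_LOG_FORMAT = (
    "isam-http-request-log|client-ip=%a|server-ip=%A|client-logname=%l|"
    "remote-user=%u|time=%t|port=%p|protocol=%H|request-method=%m|"
    "response-status=%s|url=%U|bytes=%b|remote-host=%h|request=%r"
)

def compile_format(fmt):
    """Return (keys, regex) for a 'tag|key=%x|key=%y' format string."""
    tag, *fields = fmt.split("|")
    keys = [f.split("=", 1)[0] for f in fields]
    # Anchor on the literal "|key=" markers in their configured order, so a
    # "|" or "=" inside a value (for example the request line) stays in place.
    body = "".join(r"\|" + re.escape(k) + "=(.*?)" for k in keys)
    return keys, re.compile(re.escape(tag) + body + r"\s*$")

KEYS, LINE_RE = compile_format(REQUEST_LOG_FORMAT)

def parse_event(line):
    """Parse one forwarded event; return a dict, or None if it does not match."""
    m = LINE_RE.search(line)  # search() skips any syslog header before the tag
    if m is None:
        return None
    return dict(zip(KEYS, m.groups()))

# Constructed sample events (documentation IP ranges, made-up user and host).
SAMPLE_LINES = [
    "isam-http-request-log|client-ip=198.51.100.7|server-ip=192.0.2.10|"
    "client-logname=-|remote-user=alice|time=[10/Oct/2023:13:55:36 +0000]|"
    "port=443|protocol=HTTP/1.1|request-method=GET|response-status=200|"
    "url=/app/search|bytes=512|remote-host=198.51.100.7|"
    "request=GET /app/search?q=a|b&x=1 HTTP/1.1",
    "<134>Oct 10 13:55:40 webseal01 isam-http-request-log|"
    "client-ip=198.51.100.9|server-ip=192.0.2.10|client-logname=-|"
    "remote-user=unauthenticated|time=[10/Oct/2023:13:55:40 +0000]|port=443|"
    "protocol=HTTP/1.1|request-method=POST|response-status=403|url=/admin|"
    "bytes=0|remote-host=198.51.100.9|request=POST /admin HTTP/1.1\n",
]

if __name__ == "__main__":
    for raw in SAMPLE_LINES + ["unrelated syslog message"]:
        event = parse_event(raw)
        print("NO MATCH" if event is None else
              (event["client-ip"], event["response-status"], event["request"]))
```

A line that returns None did not match the configured field order, which usually means the request-log-format on the appliance differs from the one the parser was built from.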