Configuring Tivoli Access Manager for e-business

You can configure syslog on your Tivoli® Access Manager for e-business to forward events.

Procedure

  1. Log in to Tivoli Access Manager's IBM® Security Web Gateway.
  2. From the navigation menu, select Secure Reverse Proxy Settings > Manage > Reverse Proxy.

    The Reverse Proxy pane is displayed.

  3. From the Instance column, select an instance.
  4. Click the Manage list and select Configuration > Advanced.

    The text of the WebSEAL configuration file is displayed.

  5. Locate the Authorization API Logging configuration.

    The remote syslog configuration begins with logcfg.

    For example, to send authorization events to a remote syslog server:

    # logcfg = audit.azn:rsyslog server=<IP address>,port=514,log_id=<log name>

  6. Copy the remote syslog configuration (logcfg) to a new line without the comment (#) marker.
  7. Edit the remote syslog configuration.

    For example,

    logcfg = audit.azn:rsyslog server=<IP address>,port=514,log_id=<log name> logcfg = audit.authn:rsyslog server=<IP address>,port=514,log_id=<log name> logcfg = http:rsyslog server=<IP address>,port=514,log_id=<log name>

    Where:

    • <IP address> is the IP address of your QRadar Console or Event Collector.
    • <Log name> is the name assigned to the log that is forwarded to QRadar. For example, log_id=WebSEAL-log.
  8. Customize the request.log file.

    For example,

    request-log-format = isam-http-request-log|client-ip=%a|server-ip=%A|client-logname=%l|remote-user=%u|time=%t|port=%p|protocol=%H|request-method=%m|response-status=%s|url=%U|bytes=%b|remote-host=%h|request=%r
  9. Click Submit.

    The Deploy button is displayed in the navigation menu.

  10. From the navigation menu, click Deploy.
  11. Click Deploy.

    You must restart the reverse proxy instance to continue.

  12. From the Instance column, select your instance configuration.
  13. Click the Manage list and select Control > Restart.

    A status message is displayed after the restart completes. For more information on configuring a syslog destination, see your IBM Tivoli Access Manager for e-business vendor documentation. You are now ready to configure a log source in QRadar.