Configuring a Cisco IronPort and Cisco ESA log source by using the log file protocol

You can configure a log source on the QRadar Console so that Cisco IronPort and Cisco Email Security Appliance (ESA) can communicate with QRadar by using the log file protocol.

Procedure

Configure a Cisco IronPort log source on the QRadar Console by using the log file protocol. The following table describes the Log File log source parameters that require specific values for retrieving logs from Cisco IronPort and Cisco ESA.
Table 1. Cisco IronPort log source parameters for Log File

Log Source type

Cisco IronPort

Protocol Configuration

Log File Protocol

Log Source Identifier

The Log Source Identifier can be any valid value, including the same value as the Log Source Name parameter, and doesn't need to reference a specific server.

Service Type

From the list, select the protocol that you want to use when retrieving log files from a remote server. The default is SFTP.

The underlying protocol that is used to retrieve log files for the SCP and SFTP service types requires that the server that is specified in the Remote IP or Hostname field has the SFTP subsystem enabled.

Remote IP or Hostname

Type the IP address or host name of the device that contains the event log files.

Remote Port

Type the port that is used to communicate with the remote host. The valid range is 1 - 65535. The options include:

  • FTP - TCP Port 21
  • SFTP - TCP Port 22
  • SCP - TCP Port 22

If the host for your event files is using a non-standard port number for FTP, SFTP, or SCP, you must adjust the port value.

Remote User

Type the user name that is necessary to log in to the host that contains the event files.

Remote Password

Type the password that is necessary to log in to the host.

Confirm Password

Confirm the password that is necessary to log in to the host.

SSH Key File

If the system is configured to use key authentication, type the path to the SSH key.

When an SSH key file is used, the Remote Password field is ignored.

Remote Directory

Type the directory location on the remote host from which the files are retrieved. The directory path is relative to the user account that is used to log in.

Note:

For FTP only. If the log files are in the remote user's home directory, you can leave the remote directory blank. A blank remote directory field supports systems where the change working directory (CWD) command is restricted.

Recursive

Select this check box to enable the file pattern to search subfolders. By default, the check box is clear.

This option is ignored for SCP file transfers.

FTP File Pattern

Must use a regular expression that matches the log files that are generated.

The FTP file pattern that you specify must match the name that you assigned to your event files. For example, to collect files that end with .log, type the following pattern: .*\.log

For more information, see the Oracle Java documentation (http://docs.oracle.com/javase/tutorial/essential/regex/).

Start Time

Type the time of day for the log source to start the file import.

This parameter functions with the Recurrence value to establish when and how often the Remote Directory is scanned for files.

Recurrence

Type a time interval to determine how frequently the remote directory is scanned for new event log files. The minimum value is 15 minutes.

The time interval can include values in hours (H), minutes (M), or days (D). For example, a recurrence of 2H scans the remote directory every 2 hours.

Run On Save

Select this check box to start the log file import immediately after the administrator saves the log source.

After the first file import, the log file protocol follows the start time and recurrence schedule that is defined by the administrator.

When selected, this check box clears the list of previously downloaded and processed files.

EPS Throttle

The maximum number of events per second that QRadar ingests.

If your data source exceeds the EPS throttle, data collection is delayed. Data is still collected and then it is ingested when the data source stops exceeding the EPS throttle.

The valid range is 100 to 5000.

Processor

From the list, select gzip.

Ignore Previously Processed File(s)

Select this check box to track files that were processed by the log file protocol. QRadar examines the log files in the remote directory to determine if a file was previously processed by the log file protocol. If a previously processed file is detected, the log file protocol does not download the file for processing. All files that weren't previously processed are downloaded.

This option only applies to the FTP and SFTP Service Types.

Change Local Directory?

Select this check box to define the local directory on the QRadar Console for storing downloaded files during processing.

Administrators can leave this check box clear for most configurations. When this check box is selected, the Local Directory field is displayed so that you can configure the local directory to use for storing files.

Event Generator

W3C. The Event Generator uses W3C to process the web content filter log files.

File Encoding

From the list box, select the character encoding that is used by the events in your log file.

Folder Separator

Type the character that is used to separate folders for your operating system. The default value is /.

Most configurations can use the default value in the Folder Separator field.

This field is intended for operating systems that use a different character to define separate folders. For example, mainframe systems use periods to separate folders.
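To check a File Pattern, the Recursive and Ignore Previously Processed File(s) settings and a Recurrence value before saving the log source, the following added Python simulation (not QRadar code) replays one scan of the Remote Directory over a constructed listing. It assumes the Java regular expression is matched against the whole file name, as Java's String.matches() does, so .*\.log does not pick up gzip-compressed names such as mail.log.gz.

```python
import re

# Constructed remote-directory listing (paths relative to Remote Directory).
LISTING = [
    "mail.20240101.log",
    "antispam.log",
    "archive/mail.20231231.log",
    "mail.log.gz",
    "README.txt",
]

def select_files(listing, file_pattern, service_type="SFTP", recursive=False,
                 processed=frozenset(), separator="/"):
    """Return the files one scan of the Remote Directory would download.

    Assumption: the FTP File Pattern is applied to the whole file name, as
    Java's String.matches() does, so '.*\\.log' does not match 'mail.log.gz'.
    """
    rx = re.compile(file_pattern)
    if service_type.upper() == "SCP":
        recursive = False        # Recursive is ignored for SCP transfers
        processed = frozenset()  # Ignore Previously Processed File(s) is FTP/SFTP only
    chosen = []
    for path in listing:
        parts = path.split(separator)
        if len(parts) > 1 and not recursive:
            continue  # file sits in a subfolder and Recursive is clear
        if rx.fullmatch(parts[-1]) is None:
            continue  # name does not match the File Pattern
        if path in processed:
            continue  # already downloaded and processed by an earlier scan
        chosen.append(path)
    return chosen

def parse_recurrence(value):
    """Convert a Recurrence value such as '2H', '30M' or '1D' to minutes."""
    m = re.fullmatch(r"\s*(\d+)\s*([HMDhmd])\s*", value)
    if m is None:
        raise ValueError(f"invalid recurrence: {value!r}")
    minutes = int(m.group(1)) * {"M": 1, "H": 60, "D": 1440}[m.group(2).upper()]
    if minutes < 15:
        raise ValueError("the minimum recurrence is 15 minutes")
    return minutes

if __name__ == "__main__":
    print(select_files(LISTING, r".*\.log", recursive=True))
    print(parse_recurrence("2H"))
```

Because the Processor for this log source is gzip, a pattern such as .*\.log(\.gz)? is needed if the appliance writes compressed files, which the simulation makes visible on the constructed listing.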