The IBM® QRadar® DSM for SIFT-IT accepts syslog events from Arpeggio SIFT-IT running on IBM i that are formatted as Log Event Extended Format (LEEF).
QRadar supports events from Arpeggio SIFT-IT 3.1 and later installed on IBM i version 5 revision 3 (V5R3) and later.
Arpeggio SIFT-IT reads the IBM i security audit journal (QAUDJRN) and forwards its entries to QRadar as LEEF-formatted syslog events, for example:
Jan 29 01:33:34 <Server> LEEF:1.0|Arpeggio|SIFT-IT|3.1|PW_U|sev=3 usrName=<Username> src=<Source_IP_address> srcPort=543 jJobNam=QBASE jJobUsr=<Username> jJobNum=1664 jrmtIP=<SourceIP_address> jrmtPort=543 jSeqNo=4755 jPgm=QWTMCMNL jPgmLib=QSYS jMsgId=PWU0000 jType=U jUser=ROOT jDev=QPADEV000F jMsgTxt=Invalid user id <Username>. Device <Device_ID>.
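The sample event above is worth a closer look before writing any parsing or detection logic on top of it. The LEEF 1.0 header is pipe-delimited (Vendor|Product|Version|EventID), but the attribute section that follows is space-separated rather than using LEEF's default tab delimiter, and the last attribute (jMsgTxt) itself contains spaces. A naive split on whitespace therefore truncates the message text. The parser below, an added example that is not part of the IBM documentation or of SIFT-IT, splits only at whitespace that precedes a key= token, then runs a small per-source count of PW_U events over three constructed lines modelled on the sample (host name, user names, IP addresses and the threshold of 2 are invented for illustration).

```python
import re
from collections import Counter
from typing import Dict, List

# Constructed sample lines modelled on the SIFT-IT event shown above.
# Host, user names and IP addresses are invented; these are not real captures.
SAMPLE_LINES = [
    "Jan 29 01:33:34 ibmi01 LEEF:1.0|Arpeggio|SIFT-IT|3.1|PW_U|sev=3 "
    "usrName=ROOT src=192.0.2.10 srcPort=543 jJobNam=QBASE jJobUsr=ROOT "
    "jJobNum=1664 jrmtIP=192.0.2.10 jrmtPort=543 jSeqNo=4755 jPgm=QWTMCMNL "
    "jPgmLib=QSYS jMsgId=PWU0000 jType=U jUser=ROOT jDev=QPADEV000F "
    "jMsgTxt=Invalid user id ROOT. Device QPADEV000F.",
    "Jan 29 01:33:41 ibmi01 LEEF:1.0|Arpeggio|SIFT-IT|3.1|PW_U|sev=3 "
    "usrName=ADMIN src=192.0.2.10 srcPort=543 jJobNam=QBASE jJobUsr=ADMIN "
    "jJobNum=1664 jrmtIP=192.0.2.10 jrmtPort=543 jSeqNo=4756 jPgm=QWTMCMNL "
    "jPgmLib=QSYS jMsgId=PWU0000 jType=U jUser=ADMIN jDev=QPADEV000F "
    "jMsgTxt=Invalid user id ADMIN. Device QPADEV000F.",
    "Jan 29 01:35:02 ibmi01 LEEF:1.0|Arpeggio|SIFT-IT|3.1|PW_U|sev=3 "
    "usrName=GUEST src=198.51.100.7 srcPort=1022 jJobNam=QBASE jJobUsr=GUEST "
    "jJobNum=1671 jrmtIP=198.51.100.7 jrmtPort=1022 jSeqNo=4790 jPgm=QWTMCMNL "
    "jPgmLib=QSYS jMsgId=PWU0000 jType=U jUser=GUEST jDev=QPADEV0012 "
    "jMsgTxt=Invalid user id GUEST. Device QPADEV0012.",
]

# Syslog timestamp and host, followed by the LEEF version marker.
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+LEEF:(?P<ver>[\d.]+)\|"
)
# Split the attribute string only at whitespace that precedes a key= token,
# so a value with embedded spaces (jMsgTxt) is kept intact.
ATTR_SPLIT_RE = re.compile(r"[ \t]+(?=[A-Za-z_][A-Za-z0-9_]*=)")


def parse_leef(line: str) -> Dict[str, str]:
    """Parse one syslog line carrying a LEEF 1.0 event into a flat dict."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not a syslog+LEEF line: %r" % line[:40])
    # After the version: Vendor|Product|Version|EventID|<attributes>.
    # maxsplit=4 keeps any '|' inside the attributes with the attributes.
    parts = line[m.end():].split("|", 4)
    if len(parts) != 5:
        raise ValueError("malformed LEEF header: %r" % line[:60])
    vendor, product, version, event_id, attrs = parts
    event = {
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "leef_version": m.group("ver"),
        "vendor": vendor,
        "product": product,
        "product_version": version,
        "event_id": event_id,
    }
    for pair in ATTR_SPLIT_RE.split(attrs.strip()):
        key, sep, value = pair.partition("=")
        if sep:
            event[key] = value
    return event


def failed_signon_sources(lines: List[str], threshold: int = 2) -> Dict[str, int]:
    """Count PW_U events (the event ID shown in the sample above) per source
    IP and return the sources at or above `threshold`. The threshold is an
    arbitrary illustration, not a SIFT-IT or QRadar default."""
    counts: Counter = Counter()
    for line in lines:
        try:
            ev = parse_leef(line)
        except ValueError:
            continue  # skip lines that are not LEEF events
        if ev["event_id"] == "PW_U":
            counts[ev.get("src", "unknown")] += 1
    return {src: n for src, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    first = parse_leef(SAMPLE_LINES[0])
    print(first["event_id"], first["src"], repr(first["jMsgTxt"]))
    print(failed_signon_sources(SAMPLE_LINES))
```

If a deployment's rule set file switches SIFT-IT to a tab delimiter, ATTR_SPLIT_RE still works because it accepts either a space or a tab before the key; what it cannot recover is a value that legitimately contains a token shaped like `word=`, which would be read as a new key.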
The events that SIFT-IT sends to QRadar are determined by a configuration rule set file. SIFT-IT includes a default rule set file that you can edit to meet your security or auditing requirements. For more information about configuring rule set files, see the SIFT-IT User Guide.