Centrify Infrastructure Services

The IBM® QRadar® DSM for Centrify Infrastructure Services collects events from Centrify Infrastructure Services standard logs.

The following table describes the specifications for the Centrify Infrastructure Services DSM:

Table 1. Centrify Infrastructure Services DSM specifications

| Specification | Value |
| --- | --- |
| Manufacturer | Centrify |
| DSM name | Centrify Infrastructure Services |
| RPM file name | DSM-CentrifyInfrastructureServices-QRadar_version-build_number.noarch.rpm |
| Supported versions | Centrify Infrastructure Services 2017 |
| Protocol | Syslog, TLS Syslog and WinCollect |
| Event format | name-value pair (NVP) |
| Recorded event types | Audit Events |
| Automatically discovered? | Yes |
| Includes identity? | No |
| Includes custom properties? | No |
| More information | Centrify website (https://www.centrify.com/support/documentation/server-suite/) |

To integrate Centrify Infrastructure Services with QRadar, complete the following steps:
  1. If automatic updates are not enabled, download and install the most recent version of Centrify Infrastructure Services DSM RPM on your QRadar Console.
    Note: If you use the WinCollect protocol configuration option, install the latest WinCollect agent bundle (.sfs file) on your QRadar Console.
  2. To send syslog or Windows events to QRadar, configure your UNIX, Linux®, or Windows device where the Centrify Infrastructure Services standard logs are available.
  3. If QRadar does not automatically detect the log source, add a Centrify Infrastructure Services log source on the QRadar Console.

    The following table describes the parameters that require specific values to collect events from Centrify Infrastructure Services:

    Table 2. Centrify Infrastructure Services log source parameters

    | Parameter | Value |
    | --- | --- |
    | Log Source type | Centrify Infrastructure Services |
    | Protocol Configuration | Syslog |
    | Log Source Identifier | The IP address or host name of the UNIX, Linux, or Windows device that sends Centrify Infrastructure Services events to QRadar. |
  4. Optional: To add a Centrify Infrastructure Services log source to receive Syslog events from network devices that support TLS Syslog event forwarding, configure the log source on the QRadar Console to use the TLS Syslog protocol.

    Table 3. Centrify Infrastructure Services TLS Syslog log source parameters

    | Parameter | Value |
    | --- | --- |
    | Log Source type | Centrify Infrastructure Services |
    | Protocol Configuration | TLS Syslog |
    | Log Source Identifier | Type a unique identifier for the log source. |
    | TLS Protocols | Select the version of TLS that is installed on the client. |

    Note: To receive encrypted Syslog events from up to 50 network devices that support TLS Syslog event forwarding, configure a log source to use the TLS Syslog protocol.