Centrify Infrastructure Services
The IBM® QRadar® DSM for Centrify Infrastructure Services collects events from Centrify Infrastructure Services standard logs.
The following table describes the specifications for the Centrify Infrastructure Services DSM:
Specification | Value |
---|---|
Manufacturer | Centrify |
DSM name | Centrify Infrastructure Services |
RPM file name | DSM-CentrifyInfrastructureServices-QRadar_version-build_number.noarch.rpm |
Supported versions | Centrify Infrastructure Services 2017 |
Protocol | Syslog, TLS Syslog and WinCollect |
Event format | name-value pair (NVP) |
Recorded event types | Audit Events |
Automatically discovered? | Yes |
Includes identity? | No |
Includes custom properties? | No |
More information | Centrify website (https://www.centrify.com/support/documentation/server-suite/) |
To integrate Centrify Infrastructure Services with QRadar, complete the following steps:
- If automatic updates are not enabled, download and install the most recent version of Centrify Infrastructure Services DSM RPM on your QRadar Console.
  Note: If you use the WinCollect protocol configuration option, install the latest WinCollect agent bundle (.sfs file) on your QRadar Console.
- To send syslog or Windows events to QRadar, configure your UNIX, Linux®, or Windows device where the Centrify Infrastructure Services standard logs are available.
- If QRadar does not automatically detect the log source, add a Centrify Infrastructure Services log source on the QRadar Console.
The following table describes the parameters that require specific values to collect events from Centrify Infrastructure Services:
Table 2. Centrify Infrastructure Services log source parameters

Parameter | Value |
---|---|
Log Source type | Centrify Infrastructure Services |
Protocol Configuration | Syslog |
Log Source Identifier | The IP address or host name of the UNIX, Linux, or Windows device that sends Centrify Infrastructure Services events to QRadar. |

- Optional: To add a Centrify Infrastructure Services log source to receive Syslog events from network devices that support TLS Syslog event forwarding, configure the log source on the QRadar Console to use the TLS Syslog protocol.

Table 3. Centrify Infrastructure Services TLS Syslog log source parameters

Parameter | Value |
---|---|
Log Source type | Centrify Infrastructure Services |
Protocol Configuration | TLS Syslog |
Log Source Identifier | Type a unique identifier for the log source. |
TLS Protocols | Select the version of TLS that is installed on the client. |

Note: To receive encrypted Syslog events from up to 50 network devices that support TLS Syslog event forwarding, configure a log source to use the TLS Syslog protocol.