Netgate pfSense

The IBM® QRadar® DSM for Netgate pfSense collects syslog events from a pfSense device.

To integrate Netgate pfSense with QRadar, complete the following steps:
  1. If automatic updates are not enabled, RPMs are available for download from the IBM support website (http://www.ibm.com/support). Download and install the most recent version of the following RPMs on your QRadar Console:
    • DSM Common RPM
    • Netgate pfSense DSM RPM
    • Linux® DHCP DSM RPM (only if DHCP event logging is enabled)
    • Sourcefire Snort DSM RPM (only if the Snort package for Netgate pfSense is installed and event logging is enabled)

      Suricata events are not officially supported by the Sourcefire Snort DSM. However, they might be parsed by the Snort DSM.

  2. Configure your Netgate pfSense device to send events to QRadar. For more information, see Configuring Netgate pfSense to communicate with QRadar.

    If you send Snort or Suricata events to QRadar, and the log source is not automatically detected, add a Snort log source on the QRadar Console For more information, see Syslog log source parameters for Open Source SNORT.

  3. If QRadar does not automatically detect the log source, add a Netgate pfSense Syslog log source on the QRadar Console. For more information, see Syslog log source parameters for Netgate pfSense.

    If you send Snort or Suricata events to QRadar and QRadar does not automatically detect the log source, add a Snort log source on the QRadar Console For more information, see Syslog log source parameters for Open Source SNORT.