ObserveIT JDBC
The IBM QRadar DSM for ObserveIT JDBC collects JDBC events from ObserveIT.
Specification | Value |
---|---|
Manufacturer | ObserveIT |
Product | ObserveIT JDBC |
DSM RPM name | DSM-ObserveIT-QRadar_Version-Build_Number.noarch.rpm |
Supported versions | V5.7 |
Protocol | ObserveIT JDBC Log File Protocol |
QRadar recorded events | User activity events; the Log File Protocol supports user activity in LEEF logs. |
Automatically discovered? | No |
Includes identity? | Yes |
Includes custom properties? | No |
More information | ObserveIT website (http://www.observeit-sys.com) |
- If automatic updates are not enabled, download and install the most recent versions of the following RPMs from the IBM® Support Website onto your QRadar Console:
  - ObserveIT JDBC DSM RPM
  - DSMCommon DSM RPM
  - ObserveIT JDBC PROTOCOL RPM
  - JDBC PROTOCOL RPM
- Make sure that your ObserveIT system is installed and the SQL Server database is accessible over the network.
- For each ObserveIT server that you want to integrate, create a log source on the QRadar Console. Configure all the required parameters. Use these tables to configure ObserveIT specific parameters:
Table 2. ObserveIT JDBC log source parameters

Parameter | Description |
---|---|
Log Source type | ObserveIT |
Protocol Configuration | ObserveIT JDBC |
Log Source Identifier | Type a name for the log source. The name can't contain spaces and must be unique among all log sources of the log source type that is configured to use the JDBC protocol. If the log source collects events from a single appliance that has a static IP address or host name, use the IP address or host name of the appliance as all or part of the Log Source Identifier value; for example, 192.168.1.1 or JDBC192.168.1.1. If the log source doesn't collect events from a single appliance that has a static IP address or host name, you can use any unique name for the Log Source Identifier value; for example, JDBC1, JDBC2. |
Database name | ObserveIT |
IP or Hostname | The IP address or host name of the ObserveIT system. |
Port | The port on the ObserveIT host. The default is 1433. |
Username | The user name that is required to connect to the ObserveIT MS SQL database. |
Password | The password that is required to connect to the ObserveIT MS SQL database. |
Start Date and Time | Use the yyyy-MM-dd HH:mm format. |
Polling Interval | The frequency by which to poll the database. |
EPS Throttle | The maximum number of events per second that QRadar ingests. If your data source exceeds the EPS throttle, data collection is delayed. Data is still collected and then it is ingested when the data source stops exceeding the EPS throttle. |
Table 3. Log file protocol parameters

Parameter | Description |
---|---|
Protocol Configuration | Log file |
Log Source Identifier | The IP address for the log source. This value must match the value that is configured in the Remote IP or Hostname parameter. The Log Source Identifier value must be unique for the log source type. |
Service Type | From the list, select the protocol that you want to use when retrieving log files from a remote server. The default is SFTP. The options are SFTP (SSH File Transfer Protocol), FTP (File Transfer Protocol) and SCP (Secure Copy). The underlying protocol that retrieves log files for the SCP and SFTP service types requires that the server specified in the Remote IP or Hostname field has the SFTP subsystem enabled. |
Remote IP or Hostname | The IP address or host name of the device that stores your event log files. |
Remote Port | If the remote host uses a non-standard port number, you must adjust the port value to retrieve events. |
Remote User | The user name necessary to log in to the host that contains your event files. The user name can be up to 255 characters in length. |
Remote Password | The password that is necessary to log in to the host. |
Confirm Password | Confirmation of the password that is necessary to log in to the host. |
SSH Key File | The path to the SSH key, if the system is configured to use key authentication. When an SSH key file is used, the Remote Password field is ignored. |
Remote Directory | For FTP, if the log files are in the remote user's home directory, you can leave the remote directory blank. A blank remote directory field supports systems where a change in the working directory (CWD) command is restricted. |
SCP Remote File | If you selected SCP as the Service Type, you must type the file name of the remote file. |
Recursive | This option is ignored for SCP file transfers. |
FTP File Pattern | The regular expression (regex) required to identify the files to download from the remote host. |
FTP Transfer Mode | For ASCII transfers over FTP, you must select NONE in the Processor field and LINEBYLINE in the Event Generator field. |
Start Time | The time of day when you want the processing to begin. For example, type 12:00 AM to schedule the log file protocol to collect event files at midnight. This parameter functions with the Recurrence value to establish when and how often the Remote Directory is scanned for files. Type the start time, based on a 12-hour clock, in the following format: HH:MM AM/PM. |
Recurrence | The time interval to determine how frequently the remote directory is scanned for new event log files. The time interval can include values in hours (H), minutes (M), or days (D). For example, a recurrence of 2H scans the remote directory every 2 hours. |
Run On Save | Starts the log file import immediately after you save the log source configuration. When selected, this check box clears the list of previously downloaded and processed files. After the first file import, the log file protocol follows the start time and recurrence schedule that is defined by the administrator. |
EPS Throttle | The maximum number of events per second that QRadar ingests. If your data source exceeds the EPS throttle, data collection is delayed. Data is still collected and then it is ingested when the data source stops exceeding the EPS throttle. |
Processor | Processors allow QRadar to expand event file archives, and to process contents for events. QRadar processes files only after they are downloaded. QRadar can process files in zip, gzip, tar, or tar+gzip archive format. |
Ignore Previously Processed File(s) | Tracks and ignores files that were processed by the log file protocol. QRadar examines the log files in the remote directory to determine whether a file was processed previously by the log file protocol. If a previously processed file is detected, the log file protocol does not download the file for processing. All files that were not processed previously are downloaded. This option applies only to FTP and SFTP Service Types. |
Change Local Directory? | Changes the local directory on the Target Event Collector to store event logs before they are processed. |
Local Directory | The local directory on the Target Event Collector. The directory must exist before the log file protocol attempts to retrieve events. |
File Encoding | The character encoding that is used by the events in your log file. |
Folder Separator | The character that is used to separate folders for your operating system. Most configurations can use the default value in the Folder Separator field. This field is intended for operating systems that use a different character to define separate folders. For example, periods that separate folders on mainframe systems. |
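The parameter rules from Tables 2 and 3 (identifier format and uniqueness, start date format, port default, recurrence and 12-hour start time) checked before a log source is saved, as an added Python example that is not IBM or ObserveIT code; the function names and the sample configuration are assumptions.

```python
"""Validate the ObserveIT JDBC and log file protocol parameters from the tables above.
Added example, not IBM or ObserveIT code: it encodes only the rules the tables state
(identifier without spaces and unique, yyyy-MM-dd HH:mm start date, default port 1433,
HH:MM AM/PM start time, recurrence such as 2H); names and sample values are my own."""
import re
from datetime import datetime, timedelta

RECURRENCE_RE = re.compile(r"^(\d+)([HMD])$")
UNITS = {"H": "hours", "M": "minutes", "D": "days"}


def jdbc_config_errors(cfg: dict, existing_identifiers: set) -> list:
    """Problems in a Table 2 (ObserveIT JDBC) configuration; empty list if none."""
    errors = []
    ident = cfg.get("Log Source Identifier", "")
    if not ident or " " in ident:
        errors.append("Log Source Identifier must be non-empty and contain no spaces")
    elif ident in existing_identifiers:
        errors.append(f"Log Source Identifier {ident!r} is not unique")
    try:
        datetime.strptime(cfg.get("Start Date and Time", ""), "%Y-%m-%d %H:%M")
    except ValueError:
        errors.append("Start Date and Time must use the yyyy-MM-dd HH:mm format")
    port = cfg.get("Port", 1433)  # 1433 is the documented default
    if not (isinstance(port, int) and 1 <= port <= 65535):
        errors.append("Port must be an integer between 1 and 65535")
    if not cfg.get("Username") or not cfg.get("Password"):
        errors.append("Username and Password are required for the MS SQL database")
    return errors

def parse_recurrence(value: str) -> timedelta:
    """Table 3 Recurrence: hours (H), minutes (M) or days (D), for example '2H'."""
    m = RECURRENCE_RE.match(value.strip().upper())
    if not m:
        raise ValueError(f"bad recurrence {value!r}; expected e.g. 2H, 30M or 1D")
    return timedelta(**{UNITS[m.group(2)]: int(m.group(1))})

def scan_schedule(start_time: str, recurrence: str, day: str, count: int) -> list:
    """First `count` remote-directory scans from a 12-hour 'HH:MM AM/PM' start time."""
    first = datetime.strptime(f"{day} {start_time}", "%Y-%m-%d %I:%M %p")
    return [first + i * parse_recurrence(recurrence) for i in range(count)]

# Constructed sample configuration, not taken from a real deployment.
SAMPLE_JDBC = {
    "Log Source Identifier": "JDBC192.168.1.1",
    "Username": "qradar_reader",
    "Password": "placeholder-password",
    "Start Date and Time": "2024-01-01 00:00",
}
```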