ObserveIT JDBC

The IBM QRadar DSM for ObserveIT JDBC collects JDBC events from ObserveIT.

The following table identifies the specifications for the ObserveIT JDBC DSM:
Table 1. ObserveIT JDBC DSM specifications
Specification Value
Manufacturer ObserveIT
Product ObserveIT JDBC
DSM RPM name DSM-ObserveIT-QRadar_Version-Build_Number.noarch.rpm
Supported versions V5.7
Protocol ObserveIT JDBC, Log File Protocol

QRadar recorded events
The following event types are supported by ObserveIT JDBC:
  • Alerts
  • User Activity
  • System Events
  • Session Activity
  • DBA Activity

The Log File Protocol supports user activity in LEEF logs.

Automatically discovered? No
Includes identity? Yes
Includes custom properties? No
More information ObserveIT website (http://www.observeit-sys.com)
To collect ObserveIT JDBC events, complete the following steps:
  1. If automatic updates are not enabled, download and install the most recent versions of the following RPMs from the IBM® Support Website onto your QRadar Console:
    • ObserveIT JDBC DSM RPM
    • DSMCommon DSM RPM
    • ObserveIT JDBC PROTOCOL RPM
    • JDBC PROTOCOL RPM
  2. Make sure that your ObserveIT system is installed and the SQL Server database is accessible over the network.
  3. For each ObserveIT server that you want to integrate, create a log source on the QRadar Console. Configure all the required parameters. Use these tables to configure ObserveIT specific parameters:
    Table 2. ObserveIT JDBC log source parameters
    Parameter Description
    Log Source type ObserveIT
    Protocol Configuration ObserveIT JDBC
    Log Source Identifier Type a name for the log source. The name can't contain spaces and must be unique among all log sources of the log source type that is configured to use the JDBC protocol. If the log source collects events from a single appliance that has a static IP address or host name, use the IP address or host name of the appliance as all or part of the Log Source Identifier value; for example, 192.168.1.1 or JDBC192.168.1.1. If the log source doesn't collect events from a single appliance that has a static IP address or host name, you can use any unique name for the Log Source Identifier value; for example, JDBC1, JDBC2.

    Database name ObserveIT
    IP or Hostname The IP address or host name of the ObserveIT system.
    Port The port on the ObserveIT host. The default is 1433.
    Username The user name that is required to connect to the ObserveIT MS SQL database
    Password The password that is required to connect to the ObserveIT MS SQL database.
    Start Date and Time Use the yyyy-MM-dd HH:mm format.
    Polling Interval The frequency by which to poll the database.
    EPS Throttle The maximum number of events per second that QRadar ingests. If your data source exceeds the EPS throttle, data collection is delayed. Data is still collected and then it is ingested when the data source stops exceeding the EPS throttle.

    Table 3. Log file protocol parameters
    Parameter Description
    Protocol Configuration Log file
    Log Source Identifier The IP address for the log source. This value must match the value that is configured in the Remote IP or Hostname parameter. The Log Source Identifier value must be unique for the log source type.
    Service Type From the list, select the protocol that you want to use when retrieving log files from a remote server. The default is SFTP. The options are SFTP (SSH File Transfer Protocol), FTP (File Transfer Protocol), and SCP (Secure Copy). The underlying protocol that retrieves log files for the SCP and SFTP service types requires that the server specified in the Remote IP or Hostname field has the SFTP subsystem enabled.

    Remote IP or Hostname The IP address or host name of the device that stores your event log files.
    Remote Port If the remote host uses a non-standard port number, you must adjust the port value to retrieve events.
    Remote User The user name necessary to log in to the host that contains your event files. The user name can be up to 255 characters in length.
    Remote Password The password that is necessary to log in to the host.
    Confirm Password Confirmation of the password that is necessary to log in to the host.
    SSH Key File The path to the SSH key, if the system is configured to use key authentication. When an SSH key file is used, the Remote Password field is ignored.
    Remote Directory For FTP, if the log files are in the remote user’s home directory, you can leave the remote directory blank. A blank remote directory field supports systems where a change in the working directory (CWD) command is restricted.
    SCP Remote File If you selected SCP as the Service Type, you must type the file name of the remote file.
    Recursive This option is ignored for SCP file transfers.
    FTP File Pattern The regular expression (regex) required to identify the files to download from the remote host.
    FTP Transfer Mode For ASCII transfers over FTP, you must select NONE in the Processor field and LINEBYLINE in the Event Generator field.
    Start Time The time of day when you want the processing to begin. For example, type 12:00 AM to schedule the log file protocol to collect event files at midnight. This parameter functions with the Recurrence value to establish when and how often the Remote Directory is scanned for files. Type the start time, based on a 12-hour clock, in the following format: HH:MM <AM/PM>.
    Recurrence The time interval to determine how frequently the remote directory is scanned for new event log files. The time interval can include values in hours (H), minutes (M), or days (D). For example, a recurrence of 2H scans the remote directory every 2 hours.
    Run On Save Starts the log file import immediately after you save the log source configuration. When selected, this check box clears the list of previously downloaded and processed files. After the first file import, the log file protocol follows the start time and recurrence schedule that is defined by the administrator.
    EPS Throttle The maximum number of events per second that QRadar ingests. If your data source exceeds the EPS throttle, data collection is delayed. Data is still collected and then it is ingested when the data source stops exceeding the EPS throttle.

    Processor Processors allow QRadar to expand event file archives, and to process contents for events. QRadar processes files only after they are downloaded. QRadar can process files in zip, gzip, tar, or tar+gzip archive format.
    Ignore Previously Processed File(s) Tracks and ignores files that were processed by the log file protocol. QRadar examines the log files in the remote directory to determine whether a file was processed previously by the log file protocol. If a previously processed file is detected, the log file protocol does not download the file for processing. All files that were not processed previously are downloaded. This option applies only to FTP and SFTP Service Types.
    Change Local Directory? Changes the local directory on the Target Event Collector to store event logs before they are processed.
    Local Directory The local directory on the Target Event Collector. The directory must exist before the log file protocol attempts to retrieve events.
    File Encoding The character encoding that is used by the events in your log file.
    Folder Separator The character that is used to separate folders for your operating system. Most configurations can use the default value in Folder Separator field. This field is intended for operating systems that use a different character to define separate folders. For example, periods that separate folders on mainframe systems.
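As an added example that is not part of the IBM documentation or the QRadar product, the following Python checker applies the constraints the two parameter tables state before a log source is saved: an identifier without spaces that is unique for the log source type, the yyyy-MM-dd HH:mm start date, the three Service Type values, the SCP Remote File requirement, the Processor/Event Generator pairing for ASCII FTP transfers, the 12-hour Start Time and the H/M/D Recurrence. The dictionary keys and sample values are assumptions of the example; QRadar does not expose its log source configuration as such a dictionary.

```python
import re
from datetime import datetime

# Formats taken from the parameter tables: Recurrence is <n>H, <n>M or <n>D,
# Start Time is a 12-hour clock value written as HH:MM AM|PM.
RECURRENCE_RE = re.compile(r"^\d+[HMD]$")
START_TIME_RE = re.compile(r"^(0?[1-9]|1[0-2]):[0-5]\d (AM|PM)$")


def check_jdbc_source(src, existing_ids):
    """Return problems found in an ObserveIT JDBC log source definition (dict)."""
    problems = []
    ident = src.get("log_source_identifier", "")
    if not ident or " " in ident:
        problems.append("Log Source Identifier must be set and contain no spaces")
    elif ident in existing_ids:  # uniqueness is per log source type using JDBC
        problems.append(f"Log Source Identifier {ident!r} is already used by a JDBC log source")
    try:
        datetime.strptime(src.get("start_date_time", ""), "%Y-%m-%d %H:%M")
    except ValueError:
        problems.append("Start Date and Time must use the yyyy-MM-dd HH:mm format")
    port = src.get("port", 1433)  # 1433 is the documented default
    if not isinstance(port, int) or not 1 <= port <= 65535:
        problems.append("Port must be a valid TCP port (default 1433)")
    if src.get("database_name") != "ObserveIT":
        problems.append("Database name must be ObserveIT")
    return problems


def check_log_file_source(src):
    """Return problems found in a Log File protocol log source definition (dict)."""
    problems = []
    service = src.get("service_type", "SFTP")  # SFTP is the documented default
    if service not in ("SFTP", "FTP", "SCP"):
        problems.append("Service Type must be SFTP, FTP, or SCP")
    if service == "SCP" and not src.get("scp_remote_file"):
        problems.append("SCP Remote File is required when Service Type is SCP")
    if service == "FTP" and src.get("ftp_transfer_mode") == "ASCII":
        if src.get("processor") != "NONE" or src.get("event_generator") != "LINEBYLINE":
            problems.append("ASCII FTP transfers need Processor NONE and Event Generator LINEBYLINE")
    if not START_TIME_RE.match(src.get("start_time", "")):
        problems.append("Start Time must be a 12-hour clock value such as 12:00 AM")
    if not RECURRENCE_RE.match(src.get("recurrence", "")):
        problems.append("Recurrence must be a number followed by H, M, or D, such as 2H")
    if src.get("ssh_key_file") and src.get("remote_password"):
        problems.append("Remote Password is ignored when an SSH Key File is set")
    return problems
```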