Universal LEEF

The Universal LEEF DSM for IBM® QRadar® collects events from devices that produce events in the Log Event Extended Format (LEEF).

LEEF is a proprietary event format that allows hardware manufacturers and software product manufacturers to read and map device events specifically designed for QRadar integration.

LEEF formatted events sent to QRadar outside of the partnership program require you to install the Universal LEEF DSM and to manually identify each event forwarded to QRadar by mapping unknown events. The Universal LEEF DSM can parse events forwarded over syslog, and events in LEEF format files that are polled from a device or directory by using the Log File protocol.

To configure events in QRadar using Universal LEEF, you must:

  1. Configure a Universal LEEF log source in QRadar.
  2. Send LEEF formatted events from your device to QRadar. For more information on forwarding events, see your vendor documentation.
  3. Map unknown events to QRadar Identifiers (QIDs).
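
Before the mapping step it helps to know which event IDs a device actually sends. The following is an added example, not part of the original IBM documentation: it parses LEEF lines and counts the distinct vendor, product and event ID combinations. The header layout (`LEEF:version|Vendor|Product|Version|EventID|`, with a delimiter field added in LEEF 2.0) comes from the LEEF specification rather than from this page, and the vendor, product and event values are constructed sample data.

```python
import re
from collections import Counter

# LEEF header: LEEF:<ver>|Vendor|Product|Version|EventID| ; LEEF 2.0 adds a
# sixth field naming the attribute delimiter. LEEF 1.0 attributes are tab-separated.
HEADER = re.compile(r"LEEF:(1\.0|2\.0)\|([^|]*)\|([^|]*)\|([^|]*)\|([^|]*)\|(.*)$")

def parse_leef(line):
    """Parse one syslog or file line; return None when it holds no LEEF event."""
    m = HEADER.search(line)  # search: a syslog header may precede "LEEF:"
    if m is None:
        return None
    leef_ver, vendor, product, version, event_id, rest = m.groups()
    delim = "\t"
    if leef_ver == "2.0":
        spec, sep, rest = rest.partition("|")
        if not sep:
            return None  # 2.0 header is missing its delimiter field
        hexspec = re.fullmatch(r"(?:0x|x)([0-9A-Fa-f]{1,4})", spec)
        if hexspec:
            delim = chr(int(hexspec.group(1), 16))  # delimiter given as hex
        elif spec:
            delim = spec  # delimiter given as a literal character
    attrs = {}
    for pair in rest.split(delim):
        key, eq, value = pair.partition("=")
        if eq and key:
            attrs[key.strip()] = value
    return {"vendor": vendor, "product": product, "version": version,
            "event_id": event_id, "attrs": attrs}

def event_ids_to_map(lines):
    """Count distinct (vendor, product, event ID) triples seen in the input."""
    seen = Counter()
    for line in lines:
        ev = parse_leef(line)
        if ev:
            seen[(ev["vendor"], ev["product"], ev["event_id"])] += 1
    return seen

# Constructed sample input (vendor, product, addresses and values are made up).
SAMPLE = [
    "<13>Jan 18 11:07:53 192.0.2.10 LEEF:1.0|ExampleCorp|Gateway|1.0|LOGIN_FAIL|src=198.51.100.7\tdst=192.0.2.10\tusrName=alice",
    "<13>Jan 18 11:07:59 192.0.2.10 LEEF:1.0|ExampleCorp|Gateway|1.0|LOGIN_FAIL|src=198.51.100.7\tdst=192.0.2.10\tusrName=bob",
    "LEEF:2.0|ExampleCorp|Gateway|1.0|CONFIG_CHANGE|x5E|usrName=admin^msg=rule added",
    "<13>Jan 18 11:08:01 192.0.2.10 sshd[411]: not a LEEF event",
]

if __name__ == "__main__":
    for key, count in event_ids_to_map(SAMPLE).items():
        print(count, *key)
```

Lines that return `None` carry no LEEF header, so checking for them before forwarding catches a device that is emitting plain syslog instead of LEEF.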