Creating a Policy for Syslog

This procedure describes how to configure an Extreme Dragon Alarm Tool policy with a syslog notification rule that sends notifications to QRadar in the Log Event Extended Format (LEEF).

About this task

LEEF is the preferred message format for sending notifications to Dragon Network Defense when the notification rate is high or when IPv6 addresses are displayed. If you do not want to use syslog notifications in LEEF format, refer to your Extreme Dragon documentation for more information.

To configure Extreme Dragon with an Alarm Tool policy by using a syslog notification rule, complete the following steps:

Procedure

  1. Log in to the Extreme Dragon EMS.
  2. Click the Alarm Tool icon.
  3. Configure the Alarm Tool Policy:

    In the Alarm Tool Policy View > Custom Policies menu tree, right-click and select Add Alarm Tool Policy.

  4. In the Add Alarm Tool Policy field, type a policy name.

    For example:

    QRadar

  5. Click OK.
  6. In the menu tree, select QRadar.
  7. To configure the event group:

    Click the Events Group tab.

  8. Click New.

    The Event Group Editor is displayed.

  9. Select the event group or individual events to monitor.
  10. Click Add.

    A prompt is displayed.

  11. Click Yes.
  12. In the right column of the Event Group Editor, type Dragon-Events.
  13. Click OK.
  14. Configure the Syslog notification rule:

    Click the Notification Rules tab.

  15. Click New.
  16. In the name field, type QRadar-RuleSys.
  17. Click OK.
  18. In the Notification Rules pane, select the newly created QRadar-RuleSys item.
  19. Click the Syslog tab.
  20. Click New.

    The Syslog Editor is displayed.

  21. Update the following values:
    • Facility - Using the Facility list, select a facility.
    • Level - Using the Level list, select notice.
    • Message - Using the Type list, select LEEF. The message template is:

      LEEF:Version=1.0|Vendor|Product|ProductVersion|eventID|devTime|proto|src|sensor|dst|srcPort|dstPort|direction|eventData|

    The LEEF message format separates fields with a pipe (|) delimiter between each keyword.
  22. Click OK.
  23. Verify that the notification events are logged as separate events:

    Click the Global Options tab.

  24. Click the Main tab.
  25. Make sure that Concatenate Events is not selected.
  26. Configure the alarm information:

    Click the Alarms tab.

  27. Click New.
  28. Type values for the parameters:
    • Name - Type QRadar-Alarm.
    • Type - Select Real Time.
    • Event Group - Select Dragon-Events.
    • Notification Rule - Select the QRadar-RuleSys check box.
  29. Click OK.
  30. Click Commit.
  31. Navigate to the Enterprise View.
  32. Right-click on the Alarm Tool and select Associate Alarm Tool Policy.
  33. Select the newly created QRadar policy. Click OK.
  34. In the Enterprise menu, right-click the policy and select Deploy.

    You are now ready to configure a syslog log source in QRadar.
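The following Python script is an added example for this procedure; it is not code from the Extreme Dragon or QRadar documentation. It parses syslog lines carrying the LEEF template from step 21 into named fields and flags the failure mode that step 25 guards against: with Concatenate Events left on, several notifications can arrive on one syslog line, and QRadar would treat them as a single event. The syslog lines in SAMPLE_LINES are constructed for this example (hostnames, addresses, event IDs and version strings are made up), and the parser assumes, as the template implies, that eventData is the last field and may itself contain pipe characters.

```python
"""Parse Dragon syslog notifications laid out per the step-21 LEEF template.

Added example; not code from the Extreme Dragon or QRadar documentation.
SAMPLE_LINES are constructed for this example, not captured from a sensor.
"""
import re

LEEF_HEADER = "LEEF:"

# Field names after the leading "Version=1.0" token, in template order.
LEEF_FIELDS = [
    "Vendor", "Product", "ProductVersion", "eventID", "devTime",
    "proto", "src", "sensor", "dst", "srcPort", "dstPort",
    "direction", "eventData",
]

SAMPLE_LINES = [
    # Concatenate Events off (step 25): exactly one record per line.
    "<13>Jan 10 12:00:01 dragon-ems "
    "LEEF:Version=1.0|Extreme|Dragon|7.4|TEST-EVENT|2012-01-10 12:00:01|"
    "6|10.0.0.5|sensor1|192.0.2.10|51515|80|IN|GET /index.html|",
    # IPv6 addresses pass through unchanged; colons do not collide with
    # the pipe delimiter.
    "<13>Jan 10 12:00:02 dragon-ems "
    "LEEF:Version=1.0|Extreme|Dragon|7.4|TEST-EVENT|2012-01-10 12:00:02|"
    "6|2001:db8::5|sensor1|2001:db8::10|51516|443|IN|TLS handshake|",
    # Concatenate Events on: two records run together on one line. The
    # second record's eventData also carries a literal pipe.
    "<13>Jan 10 12:00:03 dragon-ems "
    "LEEF:Version=1.0|Extreme|Dragon|7.4|TEST-EVENT|2012-01-10 12:00:03|"
    "17|10.0.0.6|sensor1|192.0.2.53|40000|53|OUT|dns query|"
    "LEEF:Version=1.0|Extreme|Dragon|7.4|TEST-EVENT|2012-01-10 12:00:03|"
    "6|10.0.0.7|sensor1|192.0.2.10|51517|80|IN|GET /a|b|",
]


def split_leef_records(line):
    """Return each LEEF record in a syslog line, in order.

    Every Dragon notification starts with its own "LEEF:" header, so a
    line that yields more than one record is the symptom of Concatenate
    Events being left enabled.
    """
    starts = [m.start() for m in re.finditer(re.escape(LEEF_HEADER), line)]
    ends = starts[1:] + [len(line)]
    return [line[s:e].strip() for s, e in zip(starts, ends)]


def parse_leef(record):
    """Split one pipe-delimited record into a dict keyed by LEEF_FIELDS.

    Only the first len(LEEF_FIELDS) pipes are treated as delimiters, so a
    pipe inside the final eventData payload does not shift the columns.
    """
    if not record.startswith(LEEF_HEADER):
        raise ValueError("record does not start with the LEEF: header")
    body = record[len(LEEF_HEADER):]
    if body.endswith("|"):  # the template ends with a trailing pipe
        body = body[:-1]
    parts = body.split("|", len(LEEF_FIELDS))
    if len(parts) != len(LEEF_FIELDS) + 1:
        raise ValueError(
            f"expected {len(LEEF_FIELDS) + 1} columns, got {len(parts)}")
    version_token, values = parts[0], parts[1:]
    event = dict(zip(LEEF_FIELDS, values))
    # The Dragon template writes the first column as "Version=1.0".
    event["Version"] = version_token.split("=", 1)[-1]
    return event


def check_line(line):
    """Parse one syslog line; return (events, concatenated).

    concatenated is True when more than one LEEF record shares the line.
    """
    records = split_leef_records(line)
    return [parse_leef(r) for r in records], len(records) > 1


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        events, concatenated = check_line(line)
        print(f"{'CONCATENATED' if concatenated else 'ok'}: {len(events)} event(s)")
        for e in events:
            print(f"  {e['eventID']} {e['src']}:{e['srcPort']} -> "
                  f"{e['dst']}:{e['dstPort']} {e['direction']} {e['eventData']!r}")
```

Run it against the syslog output of a freshly deployed policy: every line should report a single event, and any CONCATENATED line means the Concatenate Events option in step 25 is still selected.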