This procedure describes how to configure an Alarm Tool policy that uses a syslog
notification rule in the Log Event Extended Format (LEEF) message format.
About this task
LEEF is the preferred message format for Dragon Network Defense syslog notifications when the
notification rate is high or when events contain IPv6 addresses. If you do not want to send syslog
notifications in LEEF format, refer to your Extreme Dragon documentation for more
information.
To configure Extreme Dragon with an Alarm Tool policy that uses a syslog notification rule,
complete the following steps:
Procedure
- Log in to the Extreme Dragon EMS.
- Click the Alarm Tool icon.
- Configure the Alarm Tool policy:
  - In the menu tree, right-click and select Add Alarm Tool Policy.
  - In the Add Alarm Tool Policy field, type a policy name. The remaining steps assume the name QRadar.
  - Click OK.
  - In the menu tree, select the QRadar policy.
- Configure the event group:
  - Click the Events Group tab.
  - Click New. The Event Group Editor is displayed.
  - Select the event group or individual events to monitor.
  - Click Add.
  - Click Yes.
  - In the right column of the Event Group Editor, type Dragon-Events.
  - Click OK.
- Configure the syslog notification rule:
  - Click the Notification Rules tab.
  - Click New.
  - In the name field, type QRadar-RuleSys.
  - Click OK.
  - In the Notification Rules pane, select the newly created QRadar-RuleSys item.
  - Click the Syslog tab.
  - Click New. The Syslog Editor is displayed.
  - Update the following values:
    - Facility - Using the Facility list, select a facility.
    - Level - Using the Level list, select notice.
    - Message - Using the Type list, select LEEF. The message template is:
      LEEF:Version=1.0|Vendor|Product|ProductVersion|eventID|devTime|proto|src|sensor|dst|srcPort|dstPort|direction|eventData|
      Fields in the LEEF message are separated by the pipe (|) delimiter; eventData is the last field.
  - Click OK.
- Verify that notification events are logged as separate events:
  - Click the Global Options tab.
  - Click the Main tab.
  - Make sure that Concatenate Events is not selected. If it is selected, Dragon packs several events into one syslog message instead of sending each alarm as its own message.
- Configure the alarm information:
  - Click New.
  - Type values for the parameters:
    - Name - Type QRadar-Alarm.
    - Type - Select Real Time.
    - Event Group - Select Dragon-Events.
    - Notification Rule - Select the QRadar-RuleSys check box.
  - Click OK.
- Click Commit.
- Navigate to the Enterprise View.
- Right-click the Alarm Tool and select Associate Alarm Tool Policy.
- Select the newly created QRadar policy and click OK.
- In the Enterprise menu, right-click the policy and select Deploy.
You are now ready to configure a syslog log source in QRadar.
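The procedure above configures Dragon to emit one pipe-delimited LEEF record per syslog message at level notice. Before creating the QRadar log source it is worth checking what the sensor actually sends. The following Python script is an added example; it is not part of the original IBM or Extreme documentation and is not a Dragon tool. It parses the template from the Syslog Editor step by field name, accepts IPv4 and IPv6 src/dst values, compares the syslog PRI severity with notice, and flags messages that carry more than one LEEF record, which is the symptom of leaving Concatenate Events selected. The sample messages, hostname, vendor and version strings, and the BSD-style syslog header layout are constructed assumptions, not captured Dragon output.

```python
"""Check LEEF syslog notifications from a Dragon Alarm Tool policy before QRadar ingests them.

Added example, not part of the original procedure or of any Extreme/IBM tool.
Field names come from the Message template configured in the Syslog Editor:

    LEEF:Version=1.0|Vendor|Product|ProductVersion|eventID|devTime|
    proto|src|sensor|dst|srcPort|dstPort|direction|eventData|
"""
import ipaddress
import re

LEEF_HEADER = "LEEF:Version=1.0|"
LEEF_FIELDS = ("Vendor", "Product", "ProductVersion", "eventID", "devTime",
               "proto", "src", "sensor", "dst", "srcPort", "dstPort",
               "direction", "eventData")

# Assumed BSD-style syslog prefix: "<PRI>" then an optional "Mon dd hh:mm:ss host ".
SYSLOG_PREFIX = re.compile(
    r"^<(?P<pri>\d{1,3})>(?:[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d\s+\S+\s+)?")

SEVERITY_NOTICE = 5  # syslog severity code for "notice", the Level selected in the procedure


class LeefFormatError(ValueError):
    """A record does not match the configured template."""


def parse_leef_record(record):
    """Split one pipe-delimited Dragon LEEF record into a dict keyed by LEEF_FIELDS.

    eventData is the last field and may contain '|' itself, so the split is
    capped at the number of template fields instead of splitting on every pipe.
    """
    if not record.startswith(LEEF_HEADER):
        raise LeefFormatError("missing LEEF header")
    body = record[len(LEEF_HEADER):]
    if not body.endswith("|"):
        raise LeefFormatError("record is not terminated by a trailing pipe")
    values = body[:-1].split("|", len(LEEF_FIELDS) - 1)
    if len(values) != len(LEEF_FIELDS):
        raise LeefFormatError("expected %d fields, got %d" % (len(LEEF_FIELDS), len(values)))
    fields = dict(zip(LEEF_FIELDS, values))
    # src/dst must be IP literals; ip_address() takes IPv4 or IPv6 and raises ValueError otherwise.
    for key in ("src", "dst"):
        ipaddress.ip_address(fields[key])
    for key in ("srcPort", "dstPort"):
        if not 0 <= int(fields[key]) <= 65535:
            raise LeefFormatError("%s out of range: %s" % (key, fields[key]))
    return fields


def check_syslog_message(line):
    """Classify one syslog line as it would arrive from Dragon.

    Returns ("ok", fields) for exactly one well-formed record at level notice,
    ("wrong-level", severity) when the PRI severity is not notice,
    ("concatenated", count) when several records share one message, which is
    what Concatenate Events produces, or ("invalid", reason) otherwise.
    """
    m = SYSLOG_PREFIX.match(line)
    payload = line[m.end():] if m else line
    if m and int(m.group("pri")) % 8 != SEVERITY_NOTICE:
        return "wrong-level", int(m.group("pri")) % 8
    count = payload.count(LEEF_HEADER)
    if count == 0:
        return "invalid", "no LEEF header"
    if count > 1:
        return "concatenated", count
    try:
        return "ok", parse_leef_record(payload[payload.index(LEEF_HEADER):])
    except ValueError as exc:  # LeefFormatError and bad IP literals
        return "invalid", str(exc)


def summarize(lines):
    """Tally the status of every line so a capture can be judged at a glance."""
    tally = {}
    for line in lines:
        status, _ = check_syslog_message(line)
        tally[status] = tally.get(status, 0) + 1
    return tally


# Constructed sample messages, not captured from a real sensor. PRI 13 = facility user(1)*8 + notice(5).
SAMPLES = [
    # well-formed IPv4 event whose eventData contains a pipe, which must survive the split
    "<13>Jan 12 10:15:01 dragon-ems LEEF:Version=1.0|Extreme|Dragon|7.4|HTTP:SQL-INJECTION|"
    "Jan 12 2010 10:15:00|6|10.1.1.5|sensor1|10.1.1.20|51234|80|in|id=3001|GET /login.php?u=admin%27%20OR%201%3D1|",
    # well-formed IPv6 event, the case the page singles out for LEEF
    "<13>Jan 12 10:15:02 dragon-ems LEEF:Version=1.0|Extreme|Dragon|7.4|SSH:BRUTE-FORCE|"
    "Jan 12 2010 10:15:01|6|2001:db8::5|sensor1|2001:db8::22|40001|22|in|12 failed logins|",
    # two records packed into one message: the symptom of Concatenate Events left selected
    "<13>Jan 12 10:15:03 dragon-ems LEEF:Version=1.0|Extreme|Dragon|7.4|ICMP:SWEEP|"
    "Jan 12 2010 10:15:02|1|10.1.1.9|sensor1|10.1.1.1|0|0|in|echo|"
    "LEEF:Version=1.0|Extreme|Dragon|7.4|ICMP:SWEEP|Jan 12 2010 10:15:02|1|10.1.1.9|sensor1|10.1.1.2|0|0|in|echo|",
    # PRI 14 is severity informational, not the notice level configured above
    "<14>Jan 12 10:15:04 dragon-ems LEEF:Version=1.0|Extreme|Dragon|7.4|DNS:ZONE-XFER|"
    "Jan 12 2010 10:15:03|17|10.1.1.7|sensor1|10.1.1.53|5353|53|out|AXFR|",
    # a non-LEEF notification from the same host
    "<13>Jan 12 10:15:05 dragon-ems Dragon alarm QRadar-Alarm fired for Dragon-Events",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(check_syslog_message(line))
    print(summarize(SAMPLES))
```

Feed it lines captured on the collector (for example with tcpdump or from the syslog daemon's spool) in place of SAMPLES. Any status other than "ok" means the Syslog Editor values or the Concatenate Events setting need another look before a QRadar log source can be expected to parse the feed one event at a time.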