Configuring the Lexicon mesh service

To collect events in a format that is compatible with IBM QRadar, you must configure your Lexicon mesh service to generate syslog events in Log Event Extended Format (LEEF).

Procedure

  1. Log in to the Honeycomb LexCollect system that is configured as the dbContact system in your network deployment.
  2. In the Honeycomb installation directory, locate the installImage directory.

    For example, c:\Program Files\Honeycomb\installImage\data.

  3. Open the mesh.properties file.

    If your deployment does not contain Honeycomb LexCollect, you can edit mesh.properties manually.

    For example, c:\Program Files\mesh

  4. To export syslog events in LEEF, edit the formatter field.

    For example, formatter=leef.

  5. Save your changes.

    The mesh service is configured to output LEEF events. For information about the Lexicon mesh service, see your Honeycomb documentation.
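
The edit in steps 3 to 5 can be scripted so that it is repeatable across hosts and leaves a backup of the original file. The Python below is an added example, not part of the Honeycomb or IBM documentation. It assumes that mesh.properties holds one key=value pair per line with # comments; the sample content and the key other.key are constructed.

```python
import re
import shutil
import sys
from pathlib import Path

# Assumption: mesh.properties holds one key=value pair per line and lines
# starting with '#' are comments. The page itself shows only formatter=leef.
_ACTIVE = re.compile(r"(\s*)formatter\s*=")

# Constructed sample, not a real mesh.properties; other.key is hypothetical.
SAMPLE = "# constructed sample\r\nother.key=1\r\n#formatter=leef\r\nformatter = default\r\n"

def set_leef_formatter(text):
    """Return (new_text, changed) so every active formatter line reads formatter=leef."""
    newline = "\r\n" if "\r\n" in text else "\n"
    lines = text.split(newline)
    if lines[-1] == "":
        lines.pop()  # the text ended with a newline
    seen = changed = False
    for i, line in enumerate(lines):
        m = _ACTIVE.match(line)
        if m is None:
            continue  # comments, blank lines and other keys stay untouched
        seen = True
        wanted = m.group(1) + "formatter=leef"
        if line != wanted:
            lines[i] = wanted
            changed = True
    if not seen:  # key absent, or present only as a comment: append it
        lines.append("formatter=leef")
        changed = True
    return newline.join(lines) + newline, changed

def update_file(path):
    """Rewrite the file only when needed, keeping a .bak copy of the original."""
    path = Path(path)
    # latin-1 round-trips every byte; newline="" preserves CRLF or LF as found
    with path.open(encoding="latin-1", newline="") as fh:
        original = fh.read()
    updated, changed = set_leef_formatter(original)
    if changed:
        shutil.copy2(path, path.with_name(path.name + ".bak"))
        with path.open("w", encoding="latin-1", newline="") as fh:
            fh.write(updated)
    return changed

if __name__ == "__main__":
    for arg in sys.argv[1:]:  # the path to mesh.properties from step 3
        print(arg, "updated" if update_file(arg) else "already formatter=leef")
```

Running the script a second time reports that the file is already set, which makes it usable as a configuration check as well as a one-time change.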