To collect events in a format that is compatible with IBM QRadar, you must configure your Lexicon mesh service to generate syslog events in LEEF.
Procedure
- Log in to the Honeycomb LexCollect system that is configured as the dbContact system in your network deployment.
- Locate the Honeycomb installation directory for the installImage directory.
  For example, c:\Program Files\Honeycomb\installImage\data.
- Open the mesh.properties file.
  If your deployment does not contain Honeycomb LexCollect, you can edit mesh.properties manually.
  For example, c:\Program Files\mesh
- To export syslog events in LEEF, edit the formatter field.
  For example, formatter=leef.
- Save your changes.
The mesh service is configured to output LEEF events. For information about the Lexicon mesh
service, see your Honeycomb documentation.
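
One way to confirm that the formatter change took effect is to check that the syslog lines arriving at the collector carry a LEEF header. The following is an added example, not code from IBM or Honeycomb; it parses the general LEEF 1.0 and 2.0 header layout, and the vendor, product, event ID and attribute values in the sample lines are constructed placeholders, not real Lexicon output.

```python
import re

# Pipe-delimited LEEF header, searched for after any syslog prefix.
LEEF_HEADER = re.compile(
    r"LEEF:(?P<version>1\.0|2\.0)\|(?P<vendor>[^|]*)\|(?P<product>[^|]*)"
    r"\|(?P<product_version>[^|]*)\|(?P<event_id>[^|]*)\|"
)
# Optional LEEF 2.0 delimiter field: one character, or hex such as x5E or 0x09.
DELIMITER_FIELD = re.compile(r"(0?[xX][0-9A-Fa-f]{1,4}|[^|]?)\|")

def parse_leef(line):
    """Return header fields plus attributes, or None if the line is not LEEF."""
    match = LEEF_HEADER.search(line.rstrip("\r\n"))
    if match is None:
        return None
    event = match.groupdict()
    rest = match.string[match.end():]
    delimiter = "\t"  # LEEF 1.0 attributes are always tab-separated
    if event["version"] == "2.0":
        field = DELIMITER_FIELD.match(rest)
        if field:
            spec, rest = field.group(1), rest[field.end():]
            if len(spec) > 1:  # hex form of the delimiter
                delimiter = chr(int(spec.lower().split("x", 1)[1], 16))
            elif spec:
                delimiter = spec
    event["attrs"] = {}
    for pair in rest.split(delimiter):
        key, sep, value = pair.partition("=")
        if sep and key.strip():
            event["attrs"][key.strip()] = value
    return event

def non_leef_lines(lines):
    """Return the lines that carry no LEEF header (formatter change not in effect)."""
    return [line for line in lines if parse_leef(line) is None]

# Constructed sample syslog lines; every field value here is a placeholder.
SAMPLE_LINES = [
    "<13>Jan 18 11:07:53 host01 LEEF:1.0|ExampleVendor|ExampleProduct|1.0|FILE_MODIFIED|usrName=alice\tfile=C:\\data\\a.txt",
    "<13>Jan 18 11:07:54 host01 LEEF:2.0|ExampleVendor|ExampleProduct|1.0|FILE_MODIFIED|^|usrName=bob^file=C:\\data\\b.txt",
    "<13>Jan 18 11:07:55 host01 file C:\\data\\c.txt modified by carol",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_leef(line))
    print("not LEEF:", non_leef_lines(SAMPLE_LINES))
```

Any line returned by non_leef_lines after the service has picked up the saved mesh.properties file indicates a source that is still sending events in another format.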