Configuring syslog forwarding for F5 FirePass

To forward syslog events from an F5 Networks BIG-IP FirePass SSL VPN appliance to IBM QRadar, you must enable and configure a remote log server.

About this task

The remote log server can forward events directly to your QRadar Console or any Event Collector in your deployment.

Procedure

  1. Log in to the F5 Networks FirePass Admin Console.
  2. On the navigation pane, select Device Management > Maintenance > Logs.
  3. From the System Logs menu, select the Enable Remote Log Server check box.
  4. From the System Logs menu, clear the Enable Extended System Logs check box.
  5. In the Remote host parameter, type the IP address or host name of your QRadar Console or Event Collector.
  6. From the Log Level list, select Information.

    The Log Level parameter monitors application-level system messages.

  7. From the Kernel Log Level list, select Information.

    The Kernel Log Level parameter monitors Linux® kernel system messages.

  8. Click Apply System Log Changes.

    The changes are applied and the configuration is complete. F5 Networks FirePass events are automatically discovered, and the log source is added to QRadar. Events that are forwarded to QRadar by F5 Networks BIG-IP ASM are displayed on the Log Activity tab in QRadar.