Forcepoint Stonesoft Management Center
The IBM QRadar DSM for Forcepoint Stonesoft Management Center collects events from a StoneGate device by using syslog.
The following table describes the specifications for the Stonesoft Management Center DSM:
Specification | Value |
---|---|
Manufacturer | FORCEPOINT |
DSM name | Stonesoft Management Center |
RPM file name | DSM-StonesoftManagementCenter-QRadar_version-build_number.noarch.rpm |
Supported versions | 5.4 to 6.1 |
Protocol | Syslog |
Event format | LEEF |
Recorded event types | Management Center, IPS, Firewall, and VPN events |
Automatically discovered? | Yes |
Includes identity? | No |
Includes custom properties? | No |
More information | FORCEPOINT website (https://www.forcepoint.com) |
To integrate FORCEPOINT Stonesoft Management Center with QRadar, complete the following steps:
- If automatic updates are not enabled, download and install the most recent version of the following RPMs from the IBM® Support Website onto your QRadar Console:
  - DSMCommon RPM
  - Stonesoft Management Center DSM RPM
- Configure your StoneGate device to send syslog events to QRadar.
- If QRadar does not automatically detect the log source, add a Stonesoft Management Center log source on the QRadar Console. The following table describes the parameters that require specific values to collect events from Stonesoft Management Center:
Table 2. Stonesoft Management Center log source parameters

Parameter | Value |
---|---|
Log Source type | Stonesoft Management Center |
Protocol Configuration | Syslog |
Log Source Identifier | Type a unique name for the log source. |

- Verify that QRadar is configured correctly.

The following table shows a sample normalized event message from Stonesoft Management Center:
Table 3. Stonesoft Management Center sample message

Event name | Low level category |
---|---|
Generic_UDP-Rugged-Director-Denial-Of-Service | Misc DoS |

Sample log message (LEEF 1.0; in the raw event the key=value attributes that follow the pipe-delimited header are separated by tab characters, which is why a value such as devTime can itself contain spaces):

LEEF:1.0|FORCEPOINT|IPS|5.8.5|Generic_UDP-Rugged-Director-Denial-Of-Service|devTimeFormat=MMM dd yyyy HH:mm:ss srcMAC=00:00:00:00:00:00 sev=2 dstMAC=00:00:00:00:00:00 devTime=Feb 23 2017 10:13:58 proto=17 dstPort=00000 srcPort=00000 dst=127.0.0.1 src=127.0.0.1 action=Permit logicalInterface=NY2-1302-DMZ_IPS_ASA_Primary sender="username" Sensor
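The following Python script is an added example and is not part of the IBM documentation or of the QRadar DSM itself. It parses the Table 3 sample message as a LEEF 1.0 event (header fields split on `|`, attributes split on the tab that LEEF 1.0 uses as its delimiter), interprets `devTime` using the event's own `devTimeFormat`, and wraps the event in an RFC 3164 syslog frame so it can be replayed to a QRadar event collector while checking the "Verify that QRadar is configured correctly" step. The sample event is reconstructed from the page with the tabs restored, the hostname `smc` is an assumed placeholder, and the mapping of the Java date-format tokens covers only the tokens that appear in the sample.

```python
import socket
from datetime import datetime

# Sample event from Table 3, rebuilt as constructed test data. LEEF 1.0 separates
# the key=value attributes with a tab character; the page rendering flattened
# those tabs to spaces, so they are restored here.
SAMPLE_EVENT = (
    "LEEF:1.0|FORCEPOINT|IPS|5.8.5|Generic_UDP-Rugged-Director-Denial-Of-Service|"
    + "\t".join([
        "devTimeFormat=MMM dd yyyy HH:mm:ss",
        "srcMAC=00:00:00:00:00:00",
        "sev=2",
        "dstMAC=00:00:00:00:00:00",
        "devTime=Feb 23 2017 10:13:58",
        "proto=17",
        "dstPort=00000",
        "srcPort=00000",
        "dst=127.0.0.1",
        "src=127.0.0.1",
        "action=Permit",
        "logicalInterface=NY2-1302-DMZ_IPS_ASA_Primary",
        'sender="username"',
    ])
)


def parse_leef(line):
    """Split a LEEF 1.0 event (optionally wrapped in a syslog frame) into
    a header dict and an attribute dict. Raises ValueError on malformed input."""
    start = line.find("LEEF:")
    if start < 0:
        raise ValueError("no LEEF header found")
    parts = line[start:].split("|", 5)
    if len(parts) != 6:
        raise ValueError("LEEF header must have five pipe-delimited fields")
    header = {
        "leef_version": parts[0][len("LEEF:"):],
        "vendor": parts[1],
        "product": parts[2],
        "product_version": parts[3],
        "event_id": parts[4],
    }
    attrs = {}
    # Tab, not space, is the separator: the devTime value itself contains spaces.
    for pair in parts[5].split("\t"):
        if not pair:
            continue
        key, sep, value = pair.partition("=")
        if not sep:
            raise ValueError(f"attribute without '=': {pair!r}")
        attrs[key] = value
    return header, attrs


# devTimeFormat is a Java SimpleDateFormat pattern; only the tokens that appear
# in the page's sample are mapped here (an assumption of this example).
_JAVA_TO_STRPTIME = [("yyyy", "%Y"), ("MMM", "%b"), ("dd", "%d"),
                     ("HH", "%H"), ("mm", "%M"), ("ss", "%S")]


def device_time(attrs):
    """Parse devTime using the event's own devTimeFormat."""
    fmt = attrs["devTimeFormat"]
    for java_token, py_token in _JAVA_TO_STRPTIME:
        fmt = fmt.replace(java_token, py_token)
    return datetime.strptime(attrs["devTime"], fmt)


def syslog_frame(event, hostname="smc", facility=1, severity=6, when=None):
    """Wrap an event in an RFC 3164 syslog line (<PRI>TIMESTAMP HOST MSG).
    The day of month is space-padded, as RFC 3164 requires. 'smc' is an
    assumed placeholder hostname."""
    when = when or datetime.now()
    timestamp = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"
    return f"<{facility * 8 + severity}>{timestamp} {hostname} {event}"


def send_to_qradar(frame, host, port=514):
    """Replay a frame over UDP to a QRadar event collector (514 is the
    QRadar syslog default). Only called when a target host is supplied."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(frame.encode("utf-8"), (host, port))


if __name__ == "__main__":
    import sys
    header, attrs = parse_leef(SAMPLE_EVENT)
    print(header["vendor"], header["product"], header["event_id"])
    print("device time:", device_time(attrs).isoformat())
    frame = syslog_frame(SAMPLE_EVENT)
    if len(sys.argv) > 1:  # python leef_check.py <qradar-collector-ip>
        send_to_qradar(frame, sys.argv[1])
        print("sent to", sys.argv[1])
    else:
        print(frame)
```

Run it with no arguments to print the parsed fields and the framed event; pass the event collector's IP to send one copy over UDP 514 and then look for a newly auto-discovered Stonesoft Management Center log source, or for the event under the Misc DoS category, in the QRadar Console. Splitting attributes on whitespace instead of the tab would break `devTime` into three fragments, which is the most common mistake when hand-parsing LEEF.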