Configuring policies to generate syslog events
Policies in IBM® Guardium® are responsible for reacting to events and forwarding the event information to IBM QRadar.
Procedure
- Click the Tools tab.
- From the left navigation, select Policy Builder.
- From the Policy Finder pane, select an existing policy and click Edit Rules.
- Click Edit this Rule individually. The Access Rule Definition is displayed.
- Click Add Action.
- From the Action list, select one of the following alert types:
  - Alert Per Match - A notification is provided for every policy violation.
  - Alert Daily - A notification is provided the first time a policy violation occurs that day.
  - Alert Once Per Session - A notification is provided per policy violation for each unique session.
  - Alert Per Time Granularity - A notification is provided per your selected time frame.
- From the Message Template list, select QRadar.
- From Notification Type, select SYSLOG.
- Click Add, then click Apply.
- Click Save.
- Repeat this procedure for all rules within the policy that you want to forward to QRadar.
For more information on configuring a policy, see your IBM InfoSphere® Guardium vendor documentation. After you have configured all of your policies, you are now ready to install the policy on your IBM Guardium system.
Note: Because policies are configurable, QRadar can automatically discover only the default policy events. If you have customized policies that forward events to QRadar, you must manually create a log source to capture those events.