Configuring policies to generate syslog events

Policies in IBM® Guardium® are responsible for reacting to events and forwarding the event information to IBM QRadar.

Procedure

  1. Click the Tools tab.
  2. From the left navigation, select Policy Builder.
  3. From the Policy Finder pane, select an existing policy and click Edit Rules.
  4. Click Edit this Rule individually.

    The Access Rule Definition is displayed.

  5. Click Add Action.
  6. From the Action list, select one of the following alert types:
    • Alert Per Match - A notification is provided for every policy violation.
    • Alert Daily - A notification is provided the first time a policy violation occurs that day.
    • Alert Once Per Session - A notification is provided per policy violation for each unique session.
    • Alert Per Time Granularity - A notification is provided per your selected time frame.
  7. From the Message Template list, select QRadar.
  8. From Notification Type, select SYSLOG.
  9. Click Add, then click Apply.
  10. Click Save.
  11. Repeat this procedure for all rules within the policy that you want to forward to QRadar.

    For more information on configuring a policy, see your IBM InfoSphere® Guardium vendor documentation. After you configure all of your policies, you are ready to install the policy on your IBM Guardium system.

    Note: Because policies are configurable, QRadar can automatically discover only the default policy events. If you have customized policies that forward events to QRadar, you must manually create a log source to capture those events.