Configuring Townsend Security Alliance LogAgent to integrate with QRadar

You can collect all audit logs and system events from Townsend Security Alliance LogAgent. You must configure Alliance LogAgent to use the IBM QRadar LEEF format and configure a destination that specifies QRadar as the syslog server.

Procedure

  1. Log in to your Townsend Security Alliance LogAgent appliance.
  2. Add the ALLSYL100 library to your library list by typing the following command: addlible allsyl100.
  3. To display the main menu, select go symain.
  4. Select the option for Configuration.
  5. Select Configure Alliance LogAgent and configure the following parameters.
    Parameter             Description
    Interface version     4=IBM QRadar® LEEF
    Transmit              1=Yes
    Data queue control    1=Yes
    Format                4=IBM QRadar LEEF
  6. From the configuration menu, select Work With TCP Clients.
  7. Select option 2 to change the SYSLOGD client and configure the following parameters.
    Parameter             Description
    Status                1=Active
    Autostart client      1=Yes
    Remote IP address     IP address of QRadar
    Remote port number    514
  8. From the Configuration menu, select Start LogAgent Subsystem. Events flow to QRadar.
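
The following added example (not part of the IBM or Townsend Security documentation) checks that captured syslog lines carry a well-formed LEEF header and attributes, which is what the Format 4=IBM QRadar LEEF setting is meant to produce. The function names and the sample lines, including their vendor, product, and event ID values, are constructed for illustration.

```python
import re

_HEADER = re.compile(r"LEEF:(1\.0|2\.0)\|")
_HEX_DELIM = re.compile(r"(?:0x|x)([0-9A-Fa-f]{2,4})")

# Constructed sample lines; real events carry the appliance's own field values.
SAMPLE = [
    "<13>Jan 12 09:30:01 ibmi01 LEEF:1.0|ExampleVendor|ExampleProduct|1.0|EVT001|usrName=QSECOFR\tsrc=192.0.2.10",
    "<13>Jan 12 09:30:02 ibmi01 LEEF:2.0|ExampleVendor|ExampleProduct|1.0|EVT002|^|usrName=APPUSER^sev=5",
    "<13>Jan 12 09:30:03 ibmi01 plain syslog text, format not set to LEEF",
]

def parse_leef(line):
    """Parse one syslog line carrying a LEEF 1.0 or 2.0 event; raise ValueError if malformed."""
    m = _HEADER.search(line)  # skip any syslog priority/timestamp/host prefix
    if m is None:
        raise ValueError("no LEEF header in line")
    version = m.group(1)
    fields = line[m.start():].rstrip("\r\n").split("|", 5)
    if len(fields) < 6:
        raise ValueError("LEEF header is missing fields")
    _, vendor, product, product_version, event_id, rest = fields
    delim = "\t"  # LEEF 1.0 attributes are always tab separated
    if version == "2.0" and "|" in rest:
        # LEEF 2.0 may add a delimiter field: one character or a hex code such as 0x09.
        spec, tail = rest.split("|", 1)
        hexm = _HEX_DELIM.fullmatch(spec)
        if hexm:
            delim, rest = chr(int(hexm.group(1), 16)), tail
        elif len(spec) == 1:
            delim, rest = spec, tail
    attrs = {}
    for pair in filter(None, rest.split(delim)):
        key, sep, value = pair.partition("=")
        if not sep:
            raise ValueError(f"attribute without '=': {pair!r}")
        attrs[key] = value
    return {"leef_version": version, "vendor": vendor, "product": product,
            "product_version": product_version, "event_id": event_id, "attrs": attrs}

def check(lines):
    """Return (line_number, error) for every line that is not valid LEEF."""
    failures = []
    for number, line in enumerate(lines, start=1):
        try:
            parse_leef(line)
        except ValueError as exc:
            failures.append((number, str(exc)))
    return failures

if __name__ == "__main__":
    print(check(SAMPLE))
```

A non-empty result from check() on lines captured from the appliance means the format setting in step 5 should be rechecked.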

What to do next

After TCP services start, consider automatically starting the Alliance LogAgent subsystem by modifying your IPL QSTRUP program to include the following statements:
/* START ALLIANCE LOGAGENT */
QSYS/STRSBS ALLSYL100/ALLSYL100
MONMSG MSGID(CPF0000)

For more information about installing and configuring for Independent Auxiliary Storage Pool operation, and more filter options for events, see your vendor documentation.