Configuring Aruba Introspect to communicate with QRadar

Before IBM® QRadar® can collect events from Aruba Introspect, you must configure Aruba Introspect to send events to QRadar.

Procedure

  1. Log in to the Aruba Introspect Analyzer.
  2. Configure forwarding.
    1. Click System Configuration > Syslog Destinations.
    2. Configure the following forwarding parameters:
      Table 1. Aruba Introspect Analyzer forwarding parameters

      Parameter          | Value
      -------------------|-----------------------------------------------
      Syslog Destination | IP or host name of the QRadar Event Collector.
      Protocol           | TCP or UDP
      Port               | 514
  3. Configure notification.
    1. Click System Configuration > Security Alerts / Emails > Add New.
    2. Configure the following notification parameters:
      Table 2. Aruba Introspect Analyzer notification parameters

      Parameter                      | Value
      -------------------------------|-----------------------------------------------------
      Enable Alert Syslog Forwarding | Select the Enable Alert Syslog Forwarding check box.
      Sending Notification           | As Alerts are produced. You can customize this setting to send in batches instead of a live stream.
      TimeZone                       | Your local time zone.

      Note: Leave Query, Severity, and Confidence values as default to send all Alerts. These values can be customized to filter out and send only a subset of Alerts to QRadar.

What to do next

To help you troubleshoot, you can look at the forwarding logs in the /var/log/notifier.log file.

When a new notification is created, as described in Step 3, alerts for the last week that match the Query, Severity, and Confidence fields are sent.
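
If the forwarding logs show no obvious error, you can check the network path to the syslog destination from Table 1 independently of the Analyzer. The following is an added example, not part of the IBM or Aruba documentation: it sends one test syslog line over TCP or UDP to port 514 from any host on the same network path. The collector host name, the message host name, and the tag are placeholder values.

```python
import socket
from datetime import datetime


def build_test_message(hostname="path-check-host", tag="introspect-path-check"):
    """Build a BSD-syslog (RFC 3164) style line; hostname and tag are constructed values."""
    now = datetime.now()
    timestamp = f"{now:%b} {now.day:2d} {now:%H:%M:%S}"  # day of month is space-padded
    pri = 16 * 8 + 6  # facility local0, severity informational -> 134
    return f"<{pri}>{timestamp} {hostname} {tag}: syslog path test, safe to ignore"


def send_test_event(host, port=514, protocol="udp", timeout=3.0):
    """Send one test line to the syslog destination and return the bytes sent.

    TCP raises OSError (refused, timed out, unreachable) when the path is broken.
    UDP is fire-and-forget: a clean return only means the datagram left this host,
    so arrival still has to be confirmed on the QRadar side.
    """
    payload = build_test_message().encode("ascii")
    protocol = protocol.lower()
    if protocol == "tcp":
        payload += b"\n"  # newline-framed syslog over TCP
        with socket.create_connection((host, port), timeout=timeout) as conn:
            conn.sendall(payload)
    elif protocol == "udp":
        family, _, _, _, addr = socket.getaddrinfo(host, port, type=socket.SOCK_DGRAM)[0]
        with socket.socket(family, socket.SOCK_DGRAM) as sock:
            sock.sendto(payload, addr)
    else:
        raise ValueError("protocol must be 'tcp' or 'udp'")
    return payload


if __name__ == "__main__":
    COLLECTOR = "qradar-ec.example.com"  # placeholder: your QRadar Event Collector
    for proto in ("tcp", "udp"):
        try:
            sent = send_test_event(COLLECTOR, 514, proto)
            print(f"{proto}: sent {len(sent)} bytes")
        except OSError as exc:
            print(f"{proto}: failed ({exc})")
```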