Configuring a SIFT-IT agent

Arpeggio SIFT-IT can forward IBM i syslog events to QRadar in LEEF format by using SIFT-IT agents.

About this task

A SIFT-IT agent configuration defines the location of your IBM QRadar installation, the protocol and formatting of the event message, and the configuration rule set.

Procedure

  1. Log in to your IBM i.
  2. Type the following command and press Enter to add SIFT-IT to your library list:

    ADDLIBLE SIFTITLIB0

  3. Type the following command and press Enter to access the SIFT-IT main menu:

    GO SIFTIT

  4. From the main menu, select 1. Work with SIFT-IT Agent Definitions.
  5. Type 1 to add an agent definition for QRadar and press Enter.
  6. In the SIFT-IT Agent Name field, type a name.

    For example, QRadar.

  7. In the Description field, type a description for the agent.

    For example, Arpeggio agent for QRadar.

  8. In the Server host name or IP address field, type the location of your QRadar Console or Event Collector.
  9. In the Connection type field, type *TCP, *UDP, or *SECURE.

    The *SECURE option sends the events over TLS. The plain syslog listener on QRadar port 514 does not accept TLS connections, so if you select *SECURE you must have a TLS Syslog log source configured on the QRadar Console or Event Collector and point the agent at its listening port (6514 by default) in the next step.

  10. In the Remote port number field, type 514.

    By default, QRadar listens for both TCP and UDP syslog messages on port 514. If you selected *SECURE in the previous step, type the port of your TLS Syslog log source instead.

  11. In the Message format options field, type *QRadar.
  12. Optional: Configure any additional parameters for attributes that are not QRadar specific.

    The additional operational parameters are described in the SIFT-IT User Guide.

  13. Press F3 to exit to the Work with SIFT-IT Agents Description menu.
  14. Type 9 and press Enter to load a configuration rule set for QRadar.
  15. In the Configuration file field, type the path to your QRadar configuration rule set file.

    Example:

    /sifitit/Qradarconfig.txt

  16. Press F3 to exit to the Work with SIFT-IT Agents Description menu.
  17. Type 11 and press Enter to start the QRadar agent.

What to do next

Syslog events that are forwarded by Arpeggio SIFT-IT in LEEF format are automatically discovered by QRadar. In most cases, the log source is created automatically in QRadar after a few events are received. If the event rate is low, you might need to create a log source for Arpeggio SIFT-IT in QRadar manually.

Until the log source is automatically discovered and identified, the event type displays as Unknown on the Log Activity tab of QRadar.
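When a new SIFT-IT log source stays at Unknown, the first things to rule out are a malformed LEEF payload and a transport problem on port 514. The following Python check is an added example for this page and is not Arpeggio or IBM code: it validates LEEF 1.0 and 2.0 headers and attributes the way QRadar expects them, wraps a payload in a syslog line for TCP or UDP port 514, and can send it to a Console or Event Collector. The two sample events are constructed, and their attribute names (usrName, src, cat) are illustrative LEEF fields, not a statement of what SIFT-IT emits; the TLS (*SECURE) path is not exercised.

```python
"""Sanity checks for LEEF-over-syslog before and after starting a SIFT-IT agent.

Added example; not Arpeggio or IBM code. Sample events are constructed and
their field names are illustrative, not what SIFT-IT necessarily emits.
"""
import re
import socket

# Constructed LEEF 1.0 event: five pipe-separated header fields, tab-delimited attributes.
SAMPLE_LEEF_10 = (
    "LEEF:1.0|Arpeggio|SIFT-IT|1.0|SignOn|"
    "devTime=Mar 12 2024 14:03:07\tdevTimeFormat=MMM dd yyyy HH:mm:ss\t"
    "usrName=QSECOFR\tsrc=10.0.0.7\tsev=5\tcat=Security"
)
# Constructed LEEF 2.0 event: a sixth header field names the attribute delimiter.
SAMPLE_LEEF_20 = (
    "LEEF:2.0|Arpeggio|SIFT-IT|1.0|CmdAudit|^|"
    "devTime=1710252187000^usrName=QPGMR^cat=Command^sev=3"
)

_HEADER_RE = re.compile(r"^LEEF:(1\.0|2\.0)\|")


def _delimiter(field):
    """Decode a LEEF 2.0 delimiter field: empty (tab), one literal char, or hex (x09 / 0x09)."""
    if field == "":
        return "\t"
    m = re.fullmatch(r"(?:0x|x)([0-9A-Fa-f]{2})", field)
    if m:
        return chr(int(m.group(1), 16))
    if len(field) == 1:
        return field
    raise ValueError("bad LEEF 2.0 delimiter field: %r" % field)


def parse_leef(message):
    """Split a LEEF message into (header dict, attribute dict); ValueError if not LEEF.

    Escaped pipes inside header fields are not handled.
    """
    m = _HEADER_RE.match(message)
    if not m:
        raise ValueError("not a LEEF message: %r" % message[:40])
    version = m.group(1)
    n_fields = 5 if version == "1.0" else 6
    parts = message.split("|", n_fields)          # never split inside the attributes
    if len(parts) != n_fields + 1:
        raise ValueError("LEEF %s header needs %d pipe-separated fields" % (version, n_fields))
    header = {"version": version, "vendor": parts[1], "product": parts[2],
              "product_version": parts[3], "event_id": parts[4]}
    delim = _delimiter(parts[5]) if version == "2.0" else "\t"
    attrs = {}
    for item in parts[-1].split(delim):
        if not item:
            continue
        key, sep, value = item.partition("=")
        if not sep:
            raise ValueError("attribute without '=': %r" % item)
        attrs[key] = value
    return header, attrs


def check_for_qradar(message):
    """Return a list of problems likely to leave the event at Unknown; [] means well-formed."""
    try:
        header, attrs = parse_leef(message)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    for name in ("vendor", "product", "event_id"):
        if not header[name]:
            problems.append("empty header field: %s" % name)
    # devTime needs a devTimeFormat unless it is already epoch milliseconds.
    if "devTime" in attrs and "devTimeFormat" not in attrs and not attrs["devTime"].isdigit():
        problems.append("devTime is not epoch and has no devTimeFormat")
    if not attrs:
        problems.append("no attributes after the header")
    return problems


def build_syslog_frame(leef, hostname, timestamp, transport="tcp", pri=13):
    """Wrap a LEEF payload in an RFC 3164-style line: <PRI>Mmm dd hh:mm:ss host LEEF:...

    pri 13 = facility user(1)*8 + severity notice(5). TCP syslog is newline-delimited,
    so a trailing LF is appended; UDP carries one message per datagram and needs none.
    """
    line = "<%d>%s %s %s" % (pri, timestamp, hostname, leef)
    if transport == "tcp":
        line += "\n"
    return line.encode("utf-8")


def send_test_event(host, port, frame, transport="tcp", timeout=5.0):
    """Send one prebuilt frame over plain TCP or UDP (not TLS) and return the bytes sent."""
    if transport == "tcp":
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(frame)
    else:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.sendto(frame, (host, port))
    return len(frame)


if __name__ == "__main__":
    for sample in (SAMPLE_LEEF_10, SAMPLE_LEEF_20):
        print(check_for_qradar(sample) or "ok", parse_leef(sample)[0]["event_id"])
    # Hypothetical host name and timestamp; replace host/port to send to a real collector.
    print(build_syslog_frame(SAMPLE_LEEF_10, "IBMI01", "Mar 12 14:03:07"))
```

Run the checks against a captured event (for example one copied from the raw payload shown in the Log Activity tab) before suspecting the agent itself; a header with fewer than five fields, a missing delimiter in the header of a LEEF 2.0 event, or a devTime without a devTimeFormat are the usual reasons an event parses as Unknown rather than being attributed to the log source.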