Configuring Raz-Lee iSecurity

To collect security and audit events, you must configure your Raz-Lee iSecurity installation to forward syslog events to IBM QRadar.

Procedure

  1. Log in to the IBM i command-line interface.
  2. Type the following command to access the audit menu options:

    STRAUD

  3. From the Audit menu, select 81. System Configuration.
  4. From the iSecurity/Base System Configuration menu, select 31. SYSLOG Definitions.
  5. Configure the following parameters:
    1. Send SYSLOG message - Select Yes.
    2. Destination address - Type the IP address of QRadar.
    3. "Facility" to use - Type a facility level.
    4. "Severity" range to auto send - Type a severity level.
    5. Message structure - Type any additional message structure parameters that are needed for your syslog messages.

What to do next

Syslog events that Raz-Lee iSecurity forwards are automatically discovered in QRadar by the IBM i DSM. In most cases, the log source is automatically created in QRadar after a few events are detected. If the event rate is low, then you might be required to manually create a log source for Raz-Lee iSecurity in QRadar.

Until the log source is automatically discovered and identified, the event type displays as Unknown on the Log Activity tab of QRadar.
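While events still display as Unknown, one way to confirm that the "Facility" and "Severity" settings from step 5 took effect is to decode the priority header of the syslog lines that arrive from the IBM i host. The following is an added example, not part of the Raz-Lee or IBM documentation; it assumes the standard syslog encoding (PRI = facility * 8 + severity), and the sample lines, host names and message text are constructed placeholders, not real iSecurity output.

```python
import re

# Standard syslog facility and severity names, indexed by numeric code.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PRI_RE = re.compile(r"^<(\d{1,3})>")

def decode_pri(line):
    """Return (facility_code, severity_code) for a syslog line, or None if the PRI is missing or invalid."""
    m = PRI_RE.match(line)
    if not m or int(m.group(1)) > 191:  # 191 = 23 * 8 + 7, the largest valid PRI
        return None
    pri = int(m.group(1))
    return pri // 8, pri % 8

def check_lines(lines, facility, sev_low, sev_high):
    """Compare each line with the configured facility name and numeric severity range (0 = emerg ... 7 = debug)."""
    wanted = FACILITIES.index(facility)
    results = []
    for line in lines:
        decoded = decode_pri(line)
        if decoded is None:
            results.append("malformed")
        elif decoded[0] != wanted:
            results.append("unexpected facility " + FACILITIES[decoded[0]])
        elif not sev_low <= decoded[1] <= sev_high:
            results.append("unexpected severity " + SEVERITIES[decoded[1]])
        else:
            results.append("ok")
    return results

# Constructed sample lines; the message text is a placeholder, not the iSecurity format.
SAMPLE = [
    "<134>Jan 12 10:15:02 ibmi01 placeholder audit message",  # local0.info
    "<131>Jan 12 10:15:07 ibmi01 placeholder audit message",  # local0.err
    "<38>Jan 12 10:15:09 otherhost placeholder message",      # auth.info
    "Jan 12 10:15:11 ibmi01 message without a PRI header",
]

if __name__ == "__main__":
    for line, verdict in zip(SAMPLE, check_lines(SAMPLE, "local0", 0, 6)):
        print(verdict, "|", line)
```

Lines reported as an unexpected facility or severity point to a mismatch between the SYSLOG Definitions screen and what is actually sent, or to another device sending from the same address.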