JDBC - SiteProtector protocol configuration options
You can configure log sources to use the Java™ Database Connectivity (JDBC) - SiteProtector protocol to remotely poll IBM® Proventia® Management SiteProtector® databases for events.
The JDBC - SiteProtector protocol is an outbound/active protocol that combines information from the SensorData1 and SensorDataAVP1 tables in the creation of the log source payload. The SensorData1 and SensorDataAVP1 tables are in the IBM Proventia® Management SiteProtector® database. The maximum number of rows that the JDBC - SiteProtector protocol can poll in a single query is 30,000 rows.
The following table describes the protocol-specific parameters for the JDBC - SiteProtector protocol:
Parameter | Description |
---|---|
Protocol Configuration | JDBC - SiteProtector |
Log Source Identifier | Type a unique name for the log source. The Log Source Identifier can be any valid value and does not need to reference a specific server. It can also be the same value as the Log Source Name. If you have more than one configured JDBC - SiteProtector log source, ensure that you give each one a unique name. |
Database Type | From the list, select MSDE as the type of database to use for the event source. |
Database Name | Type RealSecureDB as the name of the database to which the protocol can connect. |
IP or Hostname | The IP address or host name of the database server. |
Port | The port number that is used by the database server. The JDBC - SiteProtector configuration port must match the listener port of the database. The database must have incoming TCP connections enabled. If you define a Database Instance with MSDE as the database type, you must leave the Port parameter blank in your log source configuration. |
Username | If you want to track access to a database by the JDBC protocol, you can create a specific user for your QRadar system. |
Authentication Domain | If you select MSDE and the database is configured for Windows, you must define a Windows domain. If your network does not use a domain, leave this field blank. |
Database Instance | If you select MSDE and you have multiple SQL server instances on one server, define the instance to which you want to connect. If you use a non-standard port in your database configuration, or access is blocked to port 1434 for SQL database resolution, you must leave the Database Instance parameter blank in your configuration. |
Predefined Query | The predefined database query for your log source. Predefined database queries are only available for special log source connections. |
Table Name | SensorData1 |
AVP View Name | SensorDataAVP |
Response View Name | SensorDataResponse |
Select List | Type * to include all fields from the table or view. |
Compare Field | SensorDataRowID |
Use Prepared Statements | Prepared statements allow the JDBC protocol source to set up the SQL statement, and then execute the SQL statement numerous times with different parameters. For security and performance reasons, use prepared statements. You can clear this check box to use an alternative method of querying that does not use pre-compiled statements. |
Include Audit Events | When enabled, collects audit events from IBM Proventia Management SiteProtector®. |
Start Date and Time | Optional. A start date and time for when the protocol can start to poll the database. |
Polling Interval | The amount of time between queries to the event table. You can define a longer polling interval by appending H for hours or M for minutes to the numeric value. Numeric values without an H or M designator poll in seconds. |
EPS Throttle | The maximum number of events per second that QRadar ingests. If your data source exceeds the EPS throttle, data collection is delayed. Data is still collected and then it is ingested when the data source stops exceeding the EPS throttle. The default is 5000. |
Database Locale | For multilingual installations, use the Database Locale field to specify the language to use. |
Database Codeset | For multilingual installations, use the Codeset field to specify the character set to use. |
Use Named Pipe Communication | If you are using Windows authentication, enable this parameter to allow authentication to the AD server. If you are using SQL authentication, disable Named Pipe Communication. |
Database Cluster Name | The cluster name to ensure that named pipe communications function properly. |
Use NTLMv2 | Forces MSDE connections to use the NTLMv2 protocol with SQL servers that require NTLMv2 authentication. The Use NTLMv2 check box does not interrupt communications for MSDE connections that do not require NTLMv2 authentication. |
Use SSL | Enables SSL encryption for the JDBC protocol. |
Log Source Language | Select the language of the events that are generated by the log source. The log source language helps the system parse events from external appliances or operating systems that can create events in multiple languages. |
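As an added example (not IBM's or QRadar's code) of how the Compare Field, Use Prepared Statements, 30,000-row cap and Polling Interval parameters fit together: an incremental poller that binds the SensorDataRowID watermark as a prepared-statement parameter rather than concatenating it into the query. It assumes sqlite3 as a stand-in for the MSDE database and a constructed SensorData1 table; the query shape is this example's assumption, not QRadar's documented query.

```python
import sqlite3

MAX_ROWS_PER_QUERY = 30000  # page: the protocol polls at most 30,000 rows per query


def parse_polling_interval(value):
    """Interval in seconds per the page's syntax: '30' -> 30, '5M' -> 300, '1H' -> 3600."""
    value = value.strip().upper()
    if value.endswith("H"):
        return int(value[:-1]) * 3600
    if value.endswith("M"):
        return int(value[:-1]) * 60
    return int(value)


def _check_identifier(name):
    # Identifiers cannot be bound as statement parameters, so they are
    # allow-listed here instead of being concatenated from untrusted input.
    if not name.isidentifier():
        raise ValueError("unsafe SQL identifier: %r" % name)


def poll_once(conn, table, compare_field, last_row_id, select_list="*"):
    """Return (rows, new_watermark) for rows whose compare field exceeds the watermark.

    The watermark and row cap are bound as parameters of a prepared statement.
    The query shape (WHERE compare_field > ? ORDER BY compare_field LIMIT ?) is an
    assumption of this example. The compare field must be part of the select list.
    """
    _check_identifier(table)
    _check_identifier(compare_field)
    if select_list != "*":
        for column in select_list.split(","):
            _check_identifier(column.strip())
    sql = ("SELECT %s FROM %s WHERE %s > ? ORDER BY %s LIMIT ?"
           % (select_list, table, compare_field, compare_field))
    rows = conn.execute(sql, (last_row_id, MAX_ROWS_PER_QUERY)).fetchall()
    new_watermark = rows[-1][compare_field] if rows else last_row_id
    return rows, new_watermark


def build_sample_db(n_rows):
    """Constructed in-memory stand-in for RealSecureDB with a minimal SensorData1 table."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row  # lets rows be indexed by column name
    conn.execute("CREATE TABLE SensorData1 (SensorDataRowID INTEGER PRIMARY KEY, AlertName TEXT)")
    conn.executemany("INSERT INTO SensorData1 VALUES (?, ?)",
                     ((i, "constructed-event-%d" % i) for i in range(1, n_rows + 1)))
    return conn
```

Each call to poll_once returns at most one query's worth of rows, so a source that is ahead by more than 30,000 rows is drained over several polling intervals.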