Configuring Palo Alto Endpoint Security Manager to communicate with QRadar

Before IBM® QRadar® can collect events from Palo Alto Endpoint Security Manager, you must configure Palo Alto Endpoint Security Manager to send events to QRadar.

Procedure

  1. Log in to the Endpoint Security Manager (ESM) Console.
  2. Click Settings > ESM.
  3. Click Syslog, and then select Enable Syslog.
  4. Configure the syslog parameters:

     Parameter                     Value
     Syslog Server                 Host name or IP address of the QRadar server.
     Syslog Port                   514
     Syslog Protocol               LEEF
     Keep-alive-timeout            0
     Send reports interval         Frequency, in minutes, at which Traps sends logs from the endpoint. The default is 10. The range is 1 - 2,147,483,647.
     Syslog Communication Protocol Transport-layer protocol that the ESM Console uses to send syslog reports: UDP, TCP, or TCP with SSL.
  5. In the Logging Events area, select the types of events that you want to send to QRadar.
  6. Click Check Connectivity. The ESM Console sends a test communication to the syslog server by using the information on the Syslog page. If the test message is not received, verify that the settings are correct, and then try again.
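If the built-in Check Connectivity test fails, it helps to send a known-good LEEF event to the QRadar syslog port yourself, using the same transport choices the Syslog page offers, and to parse it the way a collector would. The script below is an added example and is not Palo Alto Networks or IBM code; the vendor, product and attribute names in the sample event are constructed placeholders, not the fields Traps actually emits.

```python
"""Emulate the ESM 'Check Connectivity' test: build a LEEF 1.0 event, wrap it in a
syslog header, send it over UDP, TCP or TCP with SSL (port 514 by default), and
parse it back. Added example, not Palo Alto Networks or IBM code."""
import socket
import ssl
from datetime import datetime

# Constructed sample attributes; placeholders, not the real Traps event schema.
SAMPLE_ATTRS = {"src": "10.0.0.5", "usrName": "alice", "sev": "3",
                "msg": "Connectivity test from ESM Console"}


def build_leef(vendor, product, version, event_id, attrs):
    """LEEF 1.0: five header fields separated by '|', attributes separated by tabs."""
    body = "\t".join(f"{k}={v}" for k, v in attrs.items())
    return f"LEEF:1.0|{vendor}|{product}|{version}|{event_id}|{body}"


def build_syslog(leef, hostname="esm-console", facility=1, severity=6):
    """Prefix the LEEF payload with a BSD-style syslog header: <PRI>timestamp host."""
    pri = facility * 8 + severity          # facility 1 (user), severity 6 (info) -> <14>
    ts = datetime.now().strftime("%b %d %H:%M:%S")
    return f"<{pri}>{ts} {hostname} {leef}"


def parse_leef(line):
    """Split a received syslog line back into LEEF header fields and an attribute dict."""
    leef = line[line.index("LEEF:"):]     # skip the syslog header, if any
    fmt, vendor, product, version, event_id, body = leef.split("|", 5)
    attrs = dict(kv.split("=", 1) for kv in body.split("\t") if kv)
    return {"format": fmt, "vendor": vendor, "product": product,
            "version": version, "event_id": event_id, "attrs": attrs}


def send_test_event(host, port=514, transport="udp"):
    """Send one constructed event; 'udp', 'tcp' or 'tls' mirror the ESM Syslog page options."""
    line = build_syslog(build_leef("ExampleVendor", "ExampleProduct", "0.0",
                                   "test", SAMPLE_ATTRS))
    data = (line + "\n").encode()
    if transport == "udp":
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.sendto(data, (host, port))
    else:
        s = socket.create_connection((host, port), timeout=5)
        if transport == "tls":
            # Default context verifies the collector's certificate and host name.
            s = ssl.create_default_context().wrap_socket(s, server_hostname=host)
        with s:
            s.sendall(data)
    return line
```

Call `send_test_event("qradar.example.net", 514, "udp")` (host is a placeholder) and then confirm the event appears in the QRadar Log Activity tab; if it does not, the network path or listener, not the ESM settings, is the problem.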