Configuring BeyondTrust PowerBroker to communicate with QRadar
If you use a Linux®, Unix or AIX® operating system, complete the following procedure.
BeyondTrust pblogs must be reformatted by using a script and then forwarded to IBM QRadar. You need to download and configure a script for your BeyondTrust PowerBroker appliance before you can forward events to QRadar.
Procedure
- Download the following file from the IBM® support website (http://www.ibm.com/support):
  pbforwarder.pl.gz
- Copy the file to the device that hosts BeyondTrust PowerBroker.
  Note: Perl 5.8 must be installed on the device that hosts BeyondTrust PowerBroker.
- Type the following command to extract the file:
  gzip -d pbforwarder.pl.gz
- Type the following command to set the script file permissions:
  chmod +x pbforwarder.pl
- Use SSH to log in to the device that hosts BeyondTrust PowerBroker.
  The credentials that are used need to have read, write, and execute permissions for the log file.
- Type the appropriate command parameters:

  Table 1. Command parameters

  | Parameter | Description |
  |-----------|-------------|
  | -h | Defines the syslog host that receives the events from BeyondTrust PowerBroker. This is the IP address of your QRadar Console or QRadar Event Collector. |
  | -t | Defines the command line that is used to tail the log file and monitor for new output from the listener. For PowerBroker, this command must be specified as "pblog -l -t". |
  | -p | Defines the TCP port to be used when forwarding events. If nothing is specified, the default is port 514. |
  | -H | Defines the host name or IP address for the syslog header of all sent events. This should be the IP address of the BeyondTrust PowerBroker. |
  | -r | Defines the directory in which the process ID (.pid) file is created. The default is /var/run. This parameter is ignored if -D is specified. |
  | -l | Defines the directory in which the lock file is created. The default is /var/lock. This parameter is ignored if -D is specified. |
  | -D | Runs the script in the foreground. The default setting is to run as a daemon and log all internal messages to the local syslog server. |
  | -f | Defines the syslog facility and, optionally, the severity for messages that are sent to the Event Collector. If no value is specified, user.info is used. |
  | -a | Enables an AIX-compatible ps method. This parameter is needed only when you run BeyondTrust PowerBroker on AIX systems. |
  | -d | Enables debug logging. |
  | -v | Displays the script version information. |
- Type the following command to start the pbforwarder.pl script. Use the following example as a guide:
  pbforwarder.pl -h <IP address> -t "pblog -l -t"
  Where <IP address> is the IP address of your QRadar or Event Collector.
- Optional: If you want to stop the script from forwarding events to QRadar, type the following command to stop the pbforwarder.pl script:
  kill -QUIT `cat /var/run/pbforwarder.pl.pid`
- Optional: If the script loses connection or stops working, type the following command to reconnect the pbforwarder.pl script:
  kill -HUP `cat /var/run/pbforwarder.pl.pid`
QRadar automatically detects and creates a log source from the syslog events that are forwarded from a BeyondTrust PowerBroker.
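To make the parameter table concrete, the following added Python example (not IBM's pbforwarder.pl script, whose internals are not shown on this page) illustrates what -f, -H, -h and -p control: each pblog line is wrapped in a BSD syslog header whose PRI value is derived from the facility.severity setting, tagged with the header host, and sent to the collector over TCP. The sample lines, host names and the "pbforwarder:" tag are constructed assumptions.

```python
import socket
from datetime import datetime

# Facility and severity codes from RFC 3164, as accepted by the -f parameter.
FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
              "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11}
FACILITIES.update({f"local{i}": 16 + i for i in range(8)})
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
              "warning": 4, "notice": 5, "info": 6, "debug": 7}


def syslog_pri(facility_spec="user.info"):
    """PRI for a 'facility[.severity]' string; severity defaults to info (page default user.info)."""
    facility, _, severity = facility_spec.partition(".")
    return FACILITIES[facility] * 8 + SEVERITIES[severity or "info"]


def format_syslog(line, header_host, facility_spec="user.info", when=None):
    """Wrap one pblog line in a BSD syslog header. header_host plays the role of -H."""
    when = when or datetime.now()
    # RFC 3164 timestamp is "Mmm dd hh:mm:ss" with a space-padded day of month.
    stamp = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"
    # "pbforwarder:" is an assumed tag; the real script's tag is not documented here.
    return f"<{syslog_pri(facility_spec)}>{stamp} {header_host} pbforwarder: {line.rstrip()}"


def forward_lines(lines, syslog_host, header_host, port=514, facility_spec="user.info"):
    """Send lines to the collector (-h / -p) over TCP, newline framed. Returns the count sent."""
    sent = 0
    with socket.create_connection((syslog_host, port), timeout=5) as sock:
        for line in lines:
            sock.sendall((format_syslog(line, header_host, facility_spec) + "\n").encode())
            sent += 1
    return sent


if __name__ == "__main__":
    # Constructed placeholder lines standing in for the output of "pblog -l -t".
    sample = ["constructed pblog event 1", "constructed pblog event 2\n"]
    for entry in sample:
        print(format_syslog(entry, "pbhost.example.com"))
    # To actually deliver: forward_lines(sample, "<QRadar IP address>", "pbhost.example.com")
```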