Configuring BeyondTrust PowerBroker to communicate with QRadar

If you use a Linux®, Unix or AIX® operating system, complete the following procedure.

BeyondTrust pblog output must be reformatted by a script and then forwarded to IBM QRadar. Before you can forward events to QRadar, you need to download and configure this script on your BeyondTrust PowerBroker appliance.

Procedure

  1. Download the following file from the IBM® support website (http://www.ibm.com/support):

    pbforwarder.pl.gz

  2. Copy the file to the device that hosts BeyondTrust PowerBroker.
    Note: Perl 5.8 must be installed on the device that hosts BeyondTrust PowerBroker.
  3. Type the following command to extract the file:

    gzip -d pbforwarder.pl.gz

  4. Type the following command to set the script file permissions:

    chmod +x pbforwarder.pl

  5. Use SSH to log in to the device that hosts BeyondTrust PowerBroker.

    The credentials that are used need to have read, write, and execute permissions for the log file.

  6. Type the appropriate command parameters. Table 1 describes each parameter.

    Table 1. Command parameters

    Parameter   Description

    -h          The syslog host that receives the events from BeyondTrust PowerBroker. This is the IP address of your QRadar Console or QRadar Event Collector.

    -t          The command line that is used to tail the log file and monitor for new output from the listener. For PowerBroker, this command must be specified as "pblog -l -t".

    -p          The TCP port that is used when forwarding events. If nothing is specified, the default is port 514.

    -H          The host name or IP address for the syslog header of all sent events. This should be the IP address of the BeyondTrust PowerBroker host.

    -r          The directory in which the process ID (.pid) file is created. The default is /var/run. This parameter is ignored if -D is specified.

    -l          The directory in which the lock file is created. The default is /var/lock. This parameter is ignored if -D is specified.

    -D          Runs the script in the foreground. The default is to run as a daemon and log all internal messages to the local syslog server.

    -f          The syslog facility and, optionally, the severity for messages that are sent to the Event Collector. If no value is specified, user.info is used.

    -a          Enables an AIX compatible ps method. This parameter is only needed when you run BeyondTrust PowerBroker on AIX systems.

    -d          Enables debug logging.

    -v          Displays the script version information.

  7. Type the following command to start the pbforwarder.pl script, using this example as a guide:

    pbforwarder.pl -h <IP address> -t "pblog -l -t"

    Where <IP address> is the IP address of your QRadar Console or Event Collector.

  8. Optional: If you want to stop the script from forwarding events to QRadar, type the following command to stop the pbforwarder.pl script:

    kill -QUIT `cat /var/run/pbforwarder.pl.pid`

  9. Optional: If the script loses connection or stops working, type the following command to reconnect the pbforwarder.pl script:

    kill -HUP `cat /var/run/pbforwarder.pl.pid`

    QRadar automatically detects and creates a log source from the syslog events that are forwarded from a BeyondTrust PowerBroker.
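The following POSIX sh helpers wrap steps 7 to 9 (build the start command from the documented parameters, check the pid file, send SIGHUP or SIGQUIT) and are an added example, not IBM's or BeyondTrust's code. They assume pbforwarder.pl and pblog are on the PATH and that PBF_PIDDIR is set to the same directory you passed with -r (default /var/run); the hypothetical function names are this example's own.

```shell
#!/bin/sh
# Hypothetical wrapper around the documented pbforwarder.pl parameters and signals.
# Added example, not IBM's or BeyondTrust's code. Assumes pbforwarder.pl and pblog
# are on the PATH; PBF_PIDDIR mirrors the -r directory (default /var/run per Table 1).
PBF_PIDDIR="${PBF_PIDDIR:-/var/run}"

# Reject empty values and any character outside dotted-decimal form: the addresses
# are spliced into a command line, so shell metacharacters must never reach it.
pbf_is_ipv4() { case "$1" in ''|*[!0-9.]*) return 1 ;; *) return 0 ;; esac; }

# Print the start command (step 7) with the documented defaults filled in.
# $1 QRadar Console/Event Collector IP (-h), $2 PowerBroker IP for the syslog header (-H),
# $3 TCP port (-p, default 514), $4 facility[.severity] (-f, default user.info)
pbf_cmd() {
    pbf_is_ipv4 "$1" && pbf_is_ipv4 "$2" || return 1
    printf 'pbforwarder.pl -h %s -H %s -p %s -f %s -r %s -t "pblog -l -t"\n' \
        "$1" "$2" "${3:-514}" "${4:-user.info}" "$PBF_PIDDIR"
}

# Read the pid the daemon wrote; fail unless the file exists and holds a number.
pbf_pid() {
    f="$PBF_PIDDIR/pbforwarder.pl.pid"
    [ -r "$f" ] || return 1
    p=$(cat "$f")
    case "$p" in ''|*[!0-9]*) return 1 ;; esac
    printf '%s\n' "$p"
}

# Return 0 when the recorded process is still alive, 1 otherwise (no signal is sent).
pbf_running() { p=$(pbf_pid) || return 1; kill -0 "$p" 2>/dev/null; }

# Step 9: SIGHUP makes the forwarder reconnect. Step 8: SIGQUIT stops it.
pbf_reconnect() { p=$(pbf_pid) || return 1; kill -HUP "$p"; }
pbf_stop()      { p=$(pbf_pid) || return 1; kill -QUIT "$p"; }
```

Run pbf_running before pbf_reconnect so that a stale pid file left behind by a crashed daemon is reported instead of signalling an unrelated process.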