Configuring Cilasoft QJRN/400
To collect events, you must configure queries on your Cilasoft QJRN/400® to forward syslog events to IBM QRadar.
Procedure
- To start the Cilasoft Security Suite, type the following command:
IJRN/QJRN
The account that is used to make configuration changes must have ADM privileges, or USR privileges with access to the specific queries through the Extended Access parameter.
- To configure the output type, select one of the following options:
  - To edit several selected queries, type 2EV to access the Execution Environment and set the Output Type field to SEM.
  - To edit large numbers of queries, type the command CHGQJQRYA and set the Output Type field to SEM.
- On the Additional Parameters screen, configure the following parameters:
Table 1. Cilasoft QJRN/400 output parameters
Format: Type *LEEF to configure the syslog output to write events in Log Event Extended Format (LEEF). LEEF is an event format that is designed for IBM QRadar.
Output: Use one of the following values to select an output type:
  *SYSLOG - Forward events with the syslog protocol. This option provides real-time events.
  *IFS - Write events to a file in the integrated file system. This option requires the administrator to configure a QRadar log source that uses the log file protocol, and the file is read only at 15-minute intervals, so events are not real time.
IP Address: Enter the IP address of your IBM QRadar system. If an IP address for IBM QRadar is defined as a special value in the WRKQJVAL command, you can type *CFG. Events can be forwarded to the QRadar Console, an Event Collector, an Event Processor, or your IBM QRadar all-in-one appliance.
Port: Type 514 or *CFG as the port for syslog events. By default, *CFG selects port 514.
Tag: This field is not used by IBM QRadar.
Facility: This field is not used by IBM QRadar.
Severity: Select a value for the event severity. For more information about the severity that is assigned to *QRY destinations, see the WRKQJFVAL command in your Cilasoft documentation.
For more information on Cilasoft configuration parameters, see the Cilasoft QJRN/400 User's Guide.
Syslog events that are forwarded to IBM QRadar are viewable on the Log Activity tab.
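As an added example (not Cilasoft's or IBM's code), the following Python script parses and sanity-checks LEEF events of the kind a query with Format *LEEF and Output *SYSLOG emits, so you can confirm the header and attribute layout on a test host before the events reach QRadar. The LEEF 1.0 and 2.0 syntax follows the IBM LEEF format guide; the vendor and product strings, event IDs, attribute names and the UDP transport used in the constructed samples are assumptions, not documented QJRN/400 output.

```python
"""Check LEEF syslog output of the kind a QJRN/400 query with Format *LEEF and
Output *SYSLOG would send. Added example, not Cilasoft or IBM code: LEEF 1.0/2.0
syntax follows the IBM LEEF guide, but the vendor/product strings, event IDs and
attribute names in the constructed samples are assumptions, not real QJRN output."""
import re
import socket
import sys
from typing import Dict, List

# Header fields are pipe-separated; a literal pipe inside a field is written \|.
_FIELD = r"((?:\\.|[^|\\])*)\|"
_HEADER_RE = re.compile(r"LEEF:(?P<ver>[12]\.0)\|" + _FIELD * 4 + r"(?P<attrs>.*)$", re.DOTALL)
# LEEF 2.0 optional delimiter field: one character, or xHH / 0xHH for a hex code.
_DELIM_RE = re.compile(r"(?P<spec>0?x[0-9A-Fa-f]{2}|.)\|")

# Constructed sample events: syslog PRI and header, then the LEEF payload.
SAMPLE_EVENTS = [
    "<14>Jun 12 10:15:02 IBMI01 LEEF:1.0|Cilasoft|QJRN/400|1.0|QRY_AUTHFAIL|"
    "devTime=2024-06-12 10:15:01\tsrc=10.1.2.3\tusrName=QSECOFR\tcat=AUTH\tsev=7",
    "<14>Jun 12 10:15:03 IBMI01 LEEF:2.0|Cilasoft|QJRN/400|1.0|QRY_CMD|^|"
    "devTime=2024-06-12 10:15:02^src=10.1.2.4^usrName=OPER1^cmd=CHGQJQRYA^sev=3",
    # Escaped pipe in the vendor field, hex-coded tab delimiter, and no devTime.
    "<14>Jun 12 10:15:04 IBMI01 LEEF:2.0|Cilasoft\\|Syncsort|QJRN/400|1.0|QRY_CMD|x09|"
    "src=10.1.2.5\tusrName=OPER2\tsev=3",
]


def parse_leef(line: str) -> Dict[str, object]:
    """Parse one syslog line carrying a LEEF event; ValueError if it is not LEEF."""
    m = _HEADER_RE.search(line)
    if not m:
        raise ValueError("no LEEF header found in %r" % line[:60])
    version, attrs = m.group("ver"), m.group("attrs")
    # Groups 2-5 are Vendor|Product|Version|EventID; drop the backslash escapes.
    vendor, product, prod_ver, event_id = (re.sub(r"\\(.)", r"\1", m.group(i)) for i in range(2, 6))
    delim = "\t"  # LEEF 1.0 always; LEEF 2.0 when the delimiter field is omitted
    if version == "2.0":
        d = _DELIM_RE.match(attrs)
        if d:
            spec = d.group("spec")
            delim = chr(int(spec[-2:], 16)) if len(spec) > 1 else spec
            attrs = attrs[d.end():]
    attributes: Dict[str, str] = {}
    for kv in attrs.split(delim):
        if not kv:
            continue
        key, eq, value = kv.partition("=")  # values may themselves contain '='
        if not eq:
            raise ValueError("attribute without '=': %r" % kv)
        attributes[key] = value
    return {"syslog_prefix": line[: m.start()].rstrip(), "leef_version": version,
            "vendor": vendor, "product": product, "product_version": prod_ver,
            "event_id": event_id, "delimiter": delim, "attributes": attributes}


def check_event(line: str) -> List[str]:
    """Return problems with one event; an empty list means it looks QRadar-ready."""
    try:
        ev = parse_leef(line)
    except ValueError as exc:
        return [str(exc)]
    problems = ["empty %s in LEEF header" % k
                for k in ("vendor", "product", "product_version", "event_id") if not ev[k]]
    if not ev["attributes"]:
        problems.append("no attributes after the LEEF header")
    elif "devTime" not in ev["attributes"]:
        problems.append("no devTime attribute; the event carries no device timestamp")
    return problems


def receive_udp(port: int = 514, count: int = 5, timeout: float = 60.0) -> List[str]:
    """Capture up to `count` syslog datagrams on UDP `port` (binding 514 needs root).
    Assumes the IBM i sends syslog over UDP; the page does not say UDP or TCP."""
    lines: List[str] = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(("", port))
        sock.settimeout(timeout)
        try:
            while len(lines) < count:
                data, _ = sock.recvfrom(65535)
                lines.append(data.decode("utf-8", "replace").rstrip("\n"))
        except socket.timeout:
            pass
    return lines


if __name__ == "__main__":
    # python leef_check.py               -> checks the constructed samples
    # python leef_check.py --listen 5514 -> checks live datagrams on UDP 5514
    if sys.argv[1:2] == ["--listen"]:
        events = receive_udp(int(sys.argv[2]) if len(sys.argv) > 2 else 514)
    else:
        events = SAMPLE_EVENTS
    for e in events:
        print(check_event(e) or parse_leef(e))
```

To test a real query, temporarily point its IP Address and Port parameters at a test host running the script with `--listen 5514` (an unprivileged port, so no root is needed), then switch the parameters back to the QRadar collector. The devTime check is a warning rather than a LEEF requirement: devTime is the attribute QRadar reads as the device timestamp, and an event without it is still parsed. The delimiter handling is the one place a malformed query output usually shows up: a LEEF 2.0 event whose delimiter field is missing is parsed with a tab, so a single attribute containing the whole payload is a sign the query's format settings are wrong.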