Radware DefensePro

The Radware DefensePro DSM for IBM® QRadar® accepts events by using syslog. Event traps can also be mirrored to a syslog server.

Before you configure QRadar to integrate with a Radware DefensePro device, you must configure your Radware DefensePro device to forward syslog events to QRadar. You must configure the appropriate information by using the Device > Trap and SMTP option.

Any traps that are generated by the Radware device are mirrored to the specified syslog server. The current Radware Syslog server gives you the option to define the status and the event log server address.

You can also define more notification criteria, such as Facility and Severity, which are expressed by numerical values:

Facility is a user-defined value that indicates the type of device that is used by the sender. This criteria is applied when the device sends syslog messages. The default value is 21, meaning Local Use 6.
Severity indicates the importance or impact of the reported event. The Severity is determined dynamically by the device for each message sent.

In the Security Settings window, you must enable security reporting by using the connect and protect/security settings. You must enable security reports to syslog and configure the severity (syslog risk).

You are now ready to configure the log source in QRadar.

Tip: If you have custom events that display as unknown in QRadar, see the IBM Support article about QRadar: Custom events for Radware DefensePro display 'parsed, but not mapped' (https://www.ibm.com/support/pages/node/6960301).