IBM Security Access Manager for Enterprise Single Sign-On

You can use the IBM® Security Access Manager for Enterprise Single Sign-On DSM for IBM QRadar to receive events that are forwarded by using syslog.

QRadar can collect events from IBM Security Access Manager for Enterprise Single Sign-On version 8.1 or 8.2.

Events that are forwarded by the IBM Security Access Manager for Enterprise Single Sign-On include audit, system, and authentication events.

Events are read from the following database tables and forwarded by using syslog:

  • IMSLOGUserService
  • IMSLOGUserAdminActivity
  • IMSLOGUserActivity

All events that are forwarded to QRadar from IBM Security Access Manager for Enterprise Single Sign-On use ### as a syslog field-separator. IBM Security Access Manager for Enterprise Single Sign-On forwards events to QRadar by using UDP on port 514.
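The following Python sketch is an added example, not IBM code. It shows how a receiver can split one of these UDP syslog datagrams on the `###` separator, which is useful when checking that forwarded events arrive intact before they reach the DSM. The sample event, its field order, and the names `split_event` and `loopback_check` are constructed for illustration; the page does not define the field layout.

```python
import re
import socket

FIELD_SEP = "###"                    # field separator stated on this page
_PRI = re.compile(r"^<(\d{1,3})>")   # standard syslog priority prefix

def split_event(datagram: bytes) -> dict:
    """Decode one syslog datagram and split its payload on '###'."""
    text = datagram.decode("utf-8", errors="replace").rstrip("\r\n\x00")
    facility = severity = None
    m = _PRI.match(text)
    if m and int(m.group(1)) <= 191:         # highest valid PRI value
        facility, severity = divmod(int(m.group(1)), 8)
        text = text[m.end():]
    # Keep empty fields: '######' means an empty value, not a missing one.
    fields = [f.strip() for f in text.split(FIELD_SEP)]
    return {
        "facility": facility,
        "severity": severity,
        "fields": fields,
        "separated": FIELD_SEP in text,      # False suggests a foreign or truncated event
    }

def loopback_check(sample: bytes, timeout: float = 2.0) -> dict:
    """Send a sample over UDP on loopback and parse what is received.

    Uses an ephemeral port because binding port 514 needs elevated privileges.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx, \
         socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as tx:
        rx.bind(("127.0.0.1", 0))
        rx.settimeout(timeout)
        tx.sendto(sample, rx.getsockname())
        data, _ = rx.recvfrom(65535)
    return split_event(data)

# Constructed sample event; the field order is an assumption, not the product's layout.
SAMPLE = b"<134>2024-01-12 10:15:02###jdoe###logon######success\n"

if __name__ == "__main__":
    print(loopback_check(SAMPLE))
```

Because the transport is UDP, a lost or truncated datagram is not retransmitted, so an unexpected field count or a payload with no separator is worth logging on the receiving side.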

Before you begin

To configure syslog forwarding for events, you must be an administrator or your user account must include credentials to access the IMS Configuration Utility.

Any firewalls between your IBM Security Access Manager for Enterprise Single Sign-On and QRadar should ideally allow UDP communication on port 514. This configuration requires you to restart your IBM Security Access Manager for Enterprise Single Sign-On appliance.