BalaBit IT Security for Microsoft ISA or TMG Events

You can integrate the BalaBit Syslog-ng Agent application to forward syslog events to IBM® QRadar®.

The BalaBit Syslog-ng Agent reads Microsoft ISA or Microsoft TMG event logs, and forwards syslog events by using the Log Event Extended Format (LEEF).

The events that are forwarded by BalaBit IT Security are parsed and categorized by the Microsoft Internet and Acceleration (ISA) DSM for QRadar. The DSM accepts both Microsoft ISA and Microsoft Threat Management Gateway (TMG) events.

Before you begin

Before you can receive events from BalaBit IT Security Syslog-ng Agents, you must install and configure the agent to forward events.

Note: This integration uses BalaBit's Syslog-ng Agent for Windows and BalaBit's Syslog-ng PE to parse and forward events to QRadar for the DSM to interpret.

To configure the BalaBit Syslog-ng Agent, review and complete the following steps:

  1. Install the BalaBit Syslog-ng Agent on your Windows host. For more information, see your BalaBit Syslog-ng Agent vendor documentation.
  2. Configure the BalaBit Syslog-ng Agent.
  3. Install a BalaBit Syslog-ng PE for Linux® or Unix in relay mode to parse and forward events to QRadar. For more information, see your BalaBit Syslog-ng PE vendor documentation.
  4. Configure syslog for BalaBit Syslog-ng PE.
  5. Optional. Configure the log source in QRadar.
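
Because the DSM depends on the relay emitting well-formed LEEF, it helps to check a sample of the relay's output before you point it at QRadar. The following Python check is an added example, not part of the BalaBit or IBM documentation; it parses LEEF 1.0 and 2.0 headers and reports malformed lines. The sample lines are constructed, and their vendor, product, and event ID values are placeholders, not the values this DSM expects.

```python
import re

# LEEF header: LEEF:version|vendor|product|product version|event ID|
# LEEF 2.0 may add a sixth field that names the attribute delimiter.
HEADER = re.compile(r"LEEF:(1\.0|2\.0)\|")
DELIM = re.compile(r"(0?x[0-9A-Fa-f]{2,4}|[^|])\|")

def parse_leef(line):
    """Parse one syslog line carrying LEEF; raise ValueError if malformed."""
    m = HEADER.search(line)
    if not m:
        raise ValueError("no LEEF header")
    fields = line[m.end():].rstrip("\r\n").split("|", 4)
    if len(fields) != 5 or not all(fields[:4]):
        raise ValueError("header needs vendor, product, version, event ID")
    vendor, product, version, event_id, rest = fields
    delim = "\t"  # LEEF 1.0 attributes are always tab-separated
    d = DELIM.match(rest) if m.group(1) == "2.0" else None
    if d:  # delimiter given as a single character or as hex (x09, 0x09)
        spec = d.group(1)
        delim = chr(int(spec.split("x", 1)[1], 16)) if len(spec) > 1 else spec
        rest = rest[d.end():]
    attrs = {}
    for pair in filter(None, rest.split(delim)):
        key, sep, value = pair.partition("=")
        if not sep or not key:
            raise ValueError(f"attribute is not key=value: {pair!r}")
        attrs[key] = value
    header = {"leef": m.group(1), "vendor": vendor, "product": product,
              "version": version, "event_id": event_id}
    return header, attrs

def find_malformed(lines):
    """Return (line number, reason) for every line that fails to parse."""
    bad = []
    for n, line in enumerate(lines, 1):
        try:
            parse_leef(line)
        except ValueError as exc:
            bad.append((n, str(exc)))
    return bad

# Constructed sample lines; vendor, product and event ID are placeholders.
SAMPLE = [
    "<13>Jan 18 11:07:53 relay01 LEEF:1.0|ExampleVendor|ExampleProduct|1.0|EXAMPLE_EVENT|src=192.0.2.10\tdst=198.51.100.7\tusrName=anonymous",
    "<13>Jan 18 11:07:54 relay01 LEEF:2.0|ExampleVendor|ExampleProduct|1.0|EXAMPLE_EVENT|^|src=192.0.2.10^dst=198.51.100.7",
    "<13>Jan 18 11:07:55 relay01 LEEF:1.0|ExampleVendor|ExampleProduct|1.0|src=192.0.2.10\tdst=198.51.100.7",
]
print(find_malformed(SAMPLE))
```

The third sample line omits the event ID field, the kind of template mistake that leaves events unparsed on the QRadar side.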