Configuring Epic SIEM 2015 to communicate with QRadar

To collect events in IBM QRadar, you must configure the messaging queue values on your Epic SIEM 2015 system.

Procedure

  1. From the command line, select Interconnect Administrator's Menu > Messaging Queues Setup.
  2. Type an asterisk (*) to create the EMPSYNC queue.
  3. Enter the queue values identified in the following table for each of the prompts.
    Table 1. Queue values for EMPSYNC prompts
    Prompt | Value
    Queue ID | Type an ID for the queue.
    Queue Name | EMPSYNC
    Descriptor | EMPSYNC
    Run on Node | Press the Enter key. The value is automatically populated.
    IC Servers | Press the Enter key, without typing a value.
    Edit advanced settings for this queue? | Yes
    Does this queue handle synchronous outgoing messages? | Yes
    Associate this descriptor with a queue type for outgoing communication? | Yes
    Queue Type | EMP
  4. Type an asterisk (*) to create the EMPASYNC queue.
  5. Enter the queue values identified in the following table for each of the prompts.
    Table 2. Queue values for EMPASYNC prompts
    Prompt | Value
    Queue ID | Type an ID for the queue.
    Queue Name | EMPASYNC
    Descriptor | EMPASYNC
    Run on Node | Press the Enter key. The value is automatically populated.
    IC Servers | Press the Enter key, without typing a value.
    Edit advanced settings for this queue? | Yes
    Does this queue handle synchronous outgoing messages? | No
    Associate this descriptor with a queue type for outgoing communication? | Yes
    Queue Type | EMP
  6. Deploy a new interconnect instance by using Kuiper.
  7. Access the Interconnect Configuration Editor in Windows by clicking Start > Epic 2015 > Interconnect > your_instance > Configuration Editor.
  8. Select the General Web Service Host role.
  9. In Cache Connections, manually add the queue by the queue type, EMP.
  10. Set the number of threads to 2.

    For more information about thread count recommendations, refer to your Epic documentation.

    Important: Do not enable any services on the Business Services tab.
  11. Log in to your Epic server.
  12. Click Epic System Definitions (%ZeUSTBL) > Security > Auditing Options > SIEM Syslog Settings.
  13. Select SIEM Syslog Configuration, and then configure the following parameters:
    Parameter | Value
    SIEM Host | Your QRadar Event Collector host name or IP address.
    SIEM Port | 514
    SIEM Format | LEEF (Log Event Extended Format)
    Check Application Layer Response | Disable
  14. Return to the SIEM Syslog Settings Menu.
  15. Select SIEM Syslog and set it to Enabled.
    Note: The SIEM Syslog Sending daemon is automatically started when the environment is set to runlevel Up or when you enable SIEM Syslog. If you want to stop the daemon, from the SIEM Syslog Settings menu, click SIEM Syslog and set it to Disabled.
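
After SIEM Syslog is enabled, a line captured on the Event Collector can be checked for a well-formed LEEF header and attribute list. The following Python check is an added example, not part of the IBM or Epic documentation. It assumes the publicly documented LEEF 1.0/2.0 header layout, and the sample lines, vendor, product and event names in it are constructed placeholders rather than real Epic output.

```python
import re

# LEEF 2.0 delimiter field: one literal character or a hex code such as x5E / 0x5E.
_HEX_DELIM = re.compile(r"^(?:0x|x)([0-9A-Fa-f]{2,4})$")

# Constructed sample lines (placeholder vendor/product/event names, not real Epic output).
SAMPLE_V1 = ("<13>Jan  1 00:00:00 epic-host LEEF:1.0|ExampleVendor|ExampleProduct|1.0|"
             "EXAMPLE_EVENT|usrName=jdoe\tsrc=192.0.2.10")
SAMPLE_V2 = "LEEF:2.0|ExampleVendor|ExampleProduct|1.0|EXAMPLE_EVENT|x5E|usrName=jdoe^src=192.0.2.10"


def parse_leef(line):
    """Parse one received syslog line carrying a LEEF event; raise ValueError if malformed."""
    start = line.find("LEEF:")
    if start < 0:
        raise ValueError("no LEEF header (is SIEM Format set to LEEF?)")
    parts = line[start + 5:].rstrip("\r\n").split("|", 5)
    if len(parts) < 6:
        raise ValueError("expected 5 pipe-delimited header fields before the attributes")
    version, vendor, product, product_version, event_id, rest = parts
    if version not in ("1.0", "2.0"):
        raise ValueError("unsupported LEEF version: %r" % version)
    if not (vendor and product and event_id):
        raise ValueError("empty vendor, product or event ID in header")
    delim = "\t"  # LEEF default attribute delimiter
    if version == "2.0" and "|" in rest:
        # LEEF 2.0 may carry a delimiter field before the attributes.
        candidate, tail = rest.split("|", 1)
        match = _HEX_DELIM.match(candidate)
        if match:
            delim, rest = chr(int(match.group(1), 16)), tail
        elif len(candidate) <= 1:
            delim, rest = candidate or "\t", tail
    attrs = {}
    for pair in filter(None, rest.split(delim)):
        key, sep, value = pair.partition("=")
        if not sep or not key:
            raise ValueError("attribute is not key=value: %r" % pair)
        attrs[key] = value
    return {"version": version, "vendor": vendor, "product": product,
            "product_version": product_version, "event_id": event_id, "attrs": attrs}


if __name__ == "__main__":
    for sample in (SAMPLE_V1, SAMPLE_V2):
        event = parse_leef(sample)
        print(event["event_id"], event["attrs"])
```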