Configuring Epic SIEM 2022 to communicate with QRadar

To collect events in IBM QRadar, you must configure the messaging queue values on your Epic SIEM 2022 system.

Procedure

  1. Create two custom queues by following the steps in the Create an Interconnect Queue.
    Important: Verify that the EMPSYNC queue is synchronous and the EMPASYNC queue is asynchronous.
    Enter EMP as the Queue Type for both queues.
  2. Configure a new interconnect instance based on the SIEM use case.
  3. Configure the Syslog protocol.
  4. Click Epic System Definitions (%ZeUSTBL or Epic Application Access) > Client Systems > Epic System Definitions.
    Important: Epic System Definitions are accessible only to system administrators.
  5. Click Security > Auditing Options > SIEM Syslog Settings.
  6. Select SIEM Syslog Configuration, and configure the following parameters:
    Parameter Value
    SIEM Host Your QRadar Event Collector host name or IP address.
    SIEM Port 514
    SIEM Format LEEF (Log Event Extended Format)
    TCP Response No
    End Chars ENDTAGNULL.

    The tag <SyslogEnd> is sent and then 10.

    Starting in August 2023: Use TLS
  7. Return to the SIEM Syslog Settings Menu.
  8. If you want to reduce traffic that comes in to your SIEM system, disable the auditing events that your system does not require:
    1. Click SIEM Syslog Configuration Options > Edit Events List.
    2. From the Edit Events List, select T for each event that you want to disable.
    3. Click Q to quit.
  9. Select SIEM Syslog and set it to Enabled.
    Important: The SIEM Syslog Sending daemon is automatically started when the environment is set to runlevel Up or when you enable SIEM Syslog. If you want to stop the daemon, from the SIEM Syslog Settings menu, click SIEM Syslog and set it to Disabled.