To forward events to QRadar, you must configure a
syslog destination on your IBM® Security Access Manager for
Enterprise Single Sign-On appliance.
Procedure
- Log in to the IMS Configuration Utility for IBM Security Access Manager for Enterprise Single Sign-On. For example, https://localhost:9043/webconf.
- From the navigation menu, select .
- Configure the following syslog parameter options:

  Table 1. Syslog parameters

  | Field | Description |
  |---|---|
  | Enable syslog | From the Available Tables list, you must select the following tables, and click Add: logUserService, logUserActivity, logUserAdminActivity. |
  | Syslog server port | Type 514 as the port number used for forwarding events to QRadar. |
  | Syslog server hostname | Type the IP address or host name of your QRadar Console or Event Collector. |
  | Syslog logging facility | Type an integer value to specify the facility of the events that are forwarded to QRadar. The default value is 20. |
  | Syslog field-separator | Type ### as the characters used to separate name-value pair entries in the syslog payload. |
- Click Update to save the configuration.
- Restart your IBM Security Access Manager for Enterprise Single Sign-On appliance.
Results
IBM Security Access Manager for Enterprise Single Sign-On syslog events are automatically discovered, and the log source is added to QRadar. Events that are forwarded to QRadar are displayed on the Log Activity tab.
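
To check that a captured event matches the parameters in Table 1, the following added example (not IBM code) decodes the syslog PRI value into facility and severity and splits the payload on the ### separator. The `=` name/value delimiter, the host name and the field names in the sample lines are assumptions; the page does not specify them.

```python
import re

EXPECTED_FACILITY = 20    # default facility from the syslog parameters table
FIELD_SEPARATOR = "###"   # field separator configured on the appliance
NAME_VALUE_DELIM = "="    # assumption: the page does not name this delimiter
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def parse_event(line):
    """Decode the <PRI> header and split the payload into name-value pairs."""
    match = PRI_RE.match(line.strip())
    if not match:
        raise ValueError("missing <PRI> header")
    pri = int(match.group(1))
    if pri > 191:
        raise ValueError(f"PRI out of range: {pri}")
    fields = {}
    for chunk in match.group(2).split(FIELD_SEPARATOR):
        name, delim, value = chunk.partition(NAME_VALUE_DELIM)
        tokens = name.split()
        if delim and tokens:
            # The first chunk still carries the timestamp and host, so keep
            # only the last token (assumes names contain no whitespace).
            fields[tokens[-1]] = value.strip()
    # PRI = facility * 8 + severity
    return {"facility": pri >> 3, "severity": pri & 7, "fields": fields}


def check_event(line):
    """Return a list of mismatches against the configured syslog parameters."""
    try:
        event = parse_event(line)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if event["facility"] != EXPECTED_FACILITY:
        problems.append(f"facility is {event['facility']}, expected {EXPECTED_FACILITY}")
    if len(event["fields"]) < 2:
        problems.append("fewer than two name-value pairs, check the field separator")
    return problems


# Constructed sample lines; host and field names are hypothetical.
GOOD = "<166>Jan 12 10:15:02 esso-ims table=logUserActivity###user=jdoe###result=success"
WRONG_FACILITY = GOOD.replace("<166>", "<134>")
WRONG_SEPARATOR = GOOD.replace("###", "|")

if __name__ == "__main__":
    for sample in (GOOD, WRONG_FACILITY, WRONG_SEPARATOR):
        print(check_event(sample) or "ok")
```

An empty list from `check_event` means the line carries the expected facility and splits into multiple name-value pairs; a facility or separator mismatch usually explains events that arrive but are not parsed as expected.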