Configuring syslog forwarding

To forward events to QRadar, you must configure a syslog destination on your IBM® Security Access Manager for Enterprise Single Sign-On appliance.

Procedure

  1. Log in to the IMS Configuration Utility for IBM Security Access Manager for Enterprise Single Sign-On. For example, https://localhost:9043/webconf.
  2. From the navigation menu, select Advanced Settings > IMS Server > Logging > Syslog.
  3. Configure the following syslog parameter options:
    Table 1. Syslog parameters

    Field: Enable syslog
    Description: From the Available Tables list, you must select the following tables, and click Add.
      • logUserService
      • logUserActivity
      • logUserAdminActivity

    Field: Syslog server port
    Description: Type 514 as the port number used for forwarding events to QRadar.

    Field: Syslog server hostname
    Description: Type the IP address or host name of your QRadar Console or Event Collector.

    Field: Syslog logging facility
    Description: Type an integer value to specify the facility of the events that are forwarded to QRadar. The default value is 20.

    Field: Syslog field-separator
    Description: Type ### as the characters used to separate name-value pair entries in the syslog payload.

  4. Click Update to save the configuration.
  5. Restart your IBM Security Access Manager for Enterprise Single Sign-On appliance.

Results

The log source is added to QRadar because syslog events from IBM Security Access Manager for Enterprise Single Sign-On are automatically discovered. Events that are forwarded to QRadar are displayed on the Log Activity tab.
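
To confirm on the receiving side that forwarded events match the settings in Table 1, a small check can decode the syslog facility from the PRI header and split the payload on ###. This is an added example, not IBM code; the = between a name and its value, the header layout, and the sample lines and field names are assumptions constructed for illustration.

```python
import re

# Values from the procedure above; everything else here is an assumption.
EXPECTED_FACILITY = 20   # "Syslog logging facility" default
FIELD_SEPARATOR = "###"  # "Syslog field-separator"
PRI_RE = re.compile(r"^<(\d{1,3})>")

def parse_event(line, pair_delim="="):
    """Decode the PRI header and split the payload into name-value pairs.

    pair_delim is assumed: the page names only the separator between pairs.
    """
    m = PRI_RE.match(line)
    if not m or int(m.group(1)) > 191:
        raise ValueError("missing or invalid syslog PRI header")
    facility, severity = divmod(int(m.group(1)), 8)  # PRI = facility*8 + severity
    header, fields = "", {}
    for i, token in enumerate(line[m.end():].split(FIELD_SEPARATOR)):
        name, delim, value = token.partition(pair_delim)
        name = name.strip()
        if i == 0 and " " in name:
            # Assumed layout: timestamp and host precede the first pair.
            header, name = name.rsplit(None, 1)
        if delim and name:
            fields[name] = value.strip()
    return {"facility": facility, "severity": severity,
            "header": header, "fields": fields}

def check_event(line):
    """Return a list of configuration problems suggested by one received line."""
    try:
        event = parse_event(line)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if event["facility"] != EXPECTED_FACILITY:
        problems.append(f"facility {event['facility']} != {EXPECTED_FACILITY}")
    if len(event["fields"]) < 2:
        problems.append("fewer than two pairs: field separator may not be ###")
    return problems

# Constructed sample lines (not real appliance output; field names are hypothetical).
GOOD = "<166>Jan 12 10:00:00 esso-ims table=logUserActivity###user=jdoe###result=success"
WRONG_FACILITY = GOOD.replace("<166>", "<134>")   # 134 = facility 16, severity 6
WRONG_SEPARATOR = GOOD.replace("###", ",")

if __name__ == "__main__":
    for sample in (GOOD, WRONG_FACILITY, WRONG_SEPARATOR):
        print(check_event(sample) or "ok")
```

A facility mismatch or a payload that does not split into several pairs points back to the facility and field-separator values entered in step 3.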