Configuring syslog-ng for Broadcom Symantec SiteMinder

You must configure syslog-ng on your Broadcom Symantec SiteMinder appliance to forward the SiteMinder access log to your QRadar Console or Event Collector as syslog events.

About this task

IBM QRadar can collect syslog-ng events from TCP or UDP syslog sources on port 514.

To configure syslog-ng for Symantec SiteMinder:

Procedure

  1. Using SSH, log in to your Symantec SiteMinder appliance as the root user.
  2. Edit the syslog-ng configuration file.

    /etc/syslog-ng.conf

    On distributions that keep the syslog-ng configuration under /etc/syslog-ng/, the file is /etc/syslog-ng/syslog-ng.conf instead.

  3. Add the following information to specify the access log as the event file for syslog-ng:
    source s_siteminder_access { file("/opt/apps/siteminder/sm66/siteminder/log/smaccess.log"); };
  4. Add the following information to specify the destination and message template:
    destination d_remote_q1_siteminder {udp("<QRadar IP>" port(514) template ("$PROGRAM $MSG\n"));};

    Where <QRadar IP> is the IP address of the QRadar Console or Event Collector. QRadar also accepts TCP syslog on port 514; to avoid datagram loss, replace udp with tcp in the destination. Neither transport encrypts the events, so keep the path to QRadar on a management network. Because the template contains only the program name and message, no syslog header (priority, timestamp, host) is sent, and QRadar identifies the log source by the appliance's source IP address.

  5. Add the following log entry information:
    log {source(s_siteminder_access);destination(d_remote_q1_siteminder);};
  6. Save the syslog-ng.conf file.
  7. Type the following command to restart syslog-ng:

    service syslog-ng restart

    On systems that use systemd, type systemctl restart syslog-ng instead. Before you restart, run syslog-ng -s to check the syntax of the edited configuration file without starting the service; a configuration error would otherwise prevent syslog-ng from starting and stop local logging as well.

    After the syslog-ng service restarts, the Symantec SiteMinder configuration is complete. Events that are forwarded to QRadar by Symantec SiteMinder are displayed on the Log Activity tab.
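The steps above as one script, added here as an example and not part of the IBM page or of the SiteMinder and QRadar products: it renders the three stanzas from steps 3 to 5 for a given QRadar address and transport, refuses an unreplaced <QRadar IP> placeholder, syntax-checks the configuration before anything is restarted, and chooses the restart command that matches the init system. The function names, the render/check/restart sub-commands and the SM_ACCESS_LOG variable are this example's own conventions; the access log path is the one the page uses.

```shell
#!/bin/sh
# Added example (not from the IBM page or the products it describes).
# Renders the syslog-ng stanzas for SiteMinder -> QRadar, checks them, restarts.
# Function names, sub-commands and SM_ACCESS_LOG are this example's assumptions.

# Access log path from the page (SiteMinder 6.6 under /opt/apps); override with
# SM_ACCESS_LOG=... if the install directory differs.
SM_ACCESS_LOG="${SM_ACCESS_LOG:-/opt/apps/siteminder/sm66/siteminder/log/smaccess.log}"

# valid_ipv4 ADDR -> exit 0 for a dotted-quad IPv4 address, 1 otherwise.
# Catches the literal "<QRadar IP>" placeholder being pasted into the config.
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF == 4 { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1; exit 0 }
        { exit 1 }'
}

# transport_ok NAME -> exit 0 for udp or tcp, the two transports QRadar accepts on 514.
transport_ok() {
    case "$1" in udp|tcp) return 0 ;; *) return 1 ;; esac
}

# render_siteminder_conf QRADAR_IP [udp|tcp] -> prints the config fragment on stdout.
render_siteminder_conf() {
    qradar_ip="$1"
    transport="${2:-udp}"
    valid_ipv4 "$qradar_ip" || { echo "not an IPv4 address: '$qradar_ip'" >&2; return 1; }
    transport_ok "$transport" || { echo "transport must be udp or tcp, got '$transport'" >&2; return 1; }
    cat <<EOF
# --- Symantec SiteMinder access log -> QRadar (generated) ---
source s_siteminder_access { file("$SM_ACCESS_LOG"); };

# The template is the whole message: no PRI/timestamp/host header is sent,
# so QRadar identifies this log source by the appliance's source IP address.
destination d_remote_q1_siteminder { $transport("$qradar_ip" port(514) template("\$PROGRAM \$MSG\n")); };

log { source(s_siteminder_access); destination(d_remote_q1_siteminder); };
EOF
}

# check_syntax [CONF_FILE] -> runs syslog-ng in syntax-only mode (-s) on the file.
# Returns 2 when syslog-ng is not installed, e.g. when run off the appliance.
check_syntax() {
    conf="${1:-/etc/syslog-ng.conf}"
    command -v syslog-ng >/dev/null 2>&1 || { echo "syslog-ng not on PATH; skipping syntax check" >&2; return 2; }
    syslog-ng -s -f "$conf"
}

# restart_syslog_ng -> systemctl where present, otherwise the page's service(8) form.
restart_syslog_ng() {
    if command -v systemctl >/dev/null 2>&1; then
        systemctl restart syslog-ng
    else
        service syslog-ng restart
    fi
}

# Sub-commands (this example's own convention):
#   sh sm_qradar.sh render 192.0.2.10 [udp|tcp] > /tmp/siteminder.conf   # review, then append to the config
#   sh sm_qradar.sh check  [/etc/syslog-ng.conf]
#   sh sm_qradar.sh restart
case "${1:-}" in
    render)  render_siteminder_conf "$2" "${3:-udp}" ;;
    check)   check_syntax "${2:-}" ;;
    restart) restart_syslog_ng ;;
esac
```

Render the fragment to a temporary file, review it, append it to the syslog-ng configuration file from step 2, then run check and only restart once the syntax check passes. After the restart, confirm delivery on the QRadar Log Activity tab filtered by the appliance's IP address; with udp, a missing event usually means a dropped datagram or a host firewall rather than a configuration error, which is the case for choosing tcp.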