You must configure your Broadcom Symantec SiteMinder appliance to forward syslog-ng events to your QRadar Console or Event Collector.
About this task
IBM QRadar can collect syslog-ng events from TCP or UDP syslog sources on port 514.
To configure syslog-ng for Symantec SiteMinder:
Procedure
- Using SSH, log in to your Symantec SiteMinder appliance as the root user.
- Open the syslog-ng configuration file (syslog-ng.conf) in a text editor.
- Add the following source definition to specify the SiteMinder access log as the event file that syslog-ng reads:
source s_siteminder_access { file("/opt/apps/siteminder/sm66/siteminder/log/smaccess.log"); };
- Add the following destination definition to specify the QRadar target and the message template:
destination d_remote_q1_siteminder {udp("<QRadar IP>" port(514) template ("$PROGRAM $MSG\n"));};
Where <QRadar IP> is the IP address of the QRadar Console or Event Collector.
- Add the following log statement, which connects the source to the destination:
log {source(s_siteminder_access);destination(d_remote_q1_siteminder);};
- Save the syslog-ng.conf file.
- Type the following command to restart syslog-ng so that the new configuration takes effect:
service syslog-ng restart
After the syslog-ng service restarts, the Symantec SiteMinder configuration is complete. Events that are forwarded to QRadar by Symantec SiteMinder are displayed on the Log Activity tab.
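The following script is an added example, not part of the IBM procedure above or of the syslog-ng project: it generates the three configuration statements from the procedure, refuses a QRadar address that is still the literal <QRadar IP> placeholder, and (only when invoked with "install") writes the fragment, syntax-checks the running configuration with the syslog-ng binary before restarting, and restarts through systemctl where it exists. The fragment path /etc/syslog-ng/conf.d/siteminder.conf, the assumption that the main syslog-ng.conf already @includes that directory (true for stock Debian and RHEL packages), and the address 192.0.2.10 are assumptions for illustration. The optional second argument switches the destination driver to tcp(), which QRadar also accepts on port 514; the procedure itself uses udp().

```shell
#!/bin/sh
# Added example (not IBM's or syslog-ng's own code): build, check and install the
# syslog-ng fragment from the procedure. Paths below are assumptions.
SM_ACCESS_LOG="/opt/apps/siteminder/sm66/siteminder/log/smaccess.log"
CONF_OUT="/etc/syslog-ng/conf.d/siteminder.conf"   # assumed to be @included by syslog-ng.conf

# Accept only a dotted-quad IPv4 literal, so a leftover "<QRadar IP>" placeholder
# or an empty string never ends up inside a destination statement.
valid_ipv4() {
    case "$1" in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    IFS=. read -r o1 o2 o3 o4 rest <<EOF
$1
EOF
    [ -n "$o1" ] && [ -n "$o2" ] && [ -n "$o3" ] && [ -n "$o4" ] && [ -z "$rest" ] || return 1
    for octet in "$o1" "$o2" "$o3" "$o4"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the source, destination and log statements. The template is exactly the
# one the procedure prescribes; $2 selects the udp (default) or tcp driver.
build_siteminder_conf() {
    qradar_ip=$1
    transport=${2:-udp}
    valid_ipv4 "$qradar_ip" || { echo "invalid QRadar IP: '$qradar_ip'" >&2; return 1; }
    case "$transport" in
        udp|tcp) ;;
        *) echo "transport must be udp or tcp, not '$transport'" >&2; return 1 ;;
    esac
    cat <<EOF
source s_siteminder_access { file("$SM_ACCESS_LOG"); };
destination d_remote_q1_siteminder { $transport("$qradar_ip" port(514) template("\$PROGRAM \$MSG\n")); };
log { source(s_siteminder_access); destination(d_remote_q1_siteminder); };
EOF
}

# Write the fragment, validate the whole configuration with "syslog-ng -s"
# (--syntax-only), and restart only if the check passes. On failure the fragment
# is removed again so the running daemon keeps a loadable configuration.
install_siteminder_conf() {
    tmp=$(mktemp) || return 1
    build_siteminder_conf "$1" "${2:-udp}" > "$tmp" || { rm -f "$tmp"; return 1; }
    [ -r "$SM_ACCESS_LOG" ] || echo "warning: $SM_ACCESS_LOG is missing or not readable" >&2
    install -m 0644 "$tmp" "$CONF_OUT" || { rm -f "$tmp"; return 1; }
    rm -f "$tmp"
    if ! syslog-ng -s; then
        echo "syntax check failed; removing $CONF_OUT" >&2
        rm -f "$CONF_OUT"
        return 1
    fi
    if command -v systemctl >/dev/null 2>&1; then
        systemctl restart syslog-ng
    else
        service syslog-ng restart
    fi
}

# Usage: sh siteminder-syslog.sh install 192.0.2.10 [udp|tcp]
# Without the "install" argument nothing on the host is touched.
if [ "${1:-}" = "install" ]; then
    install_siteminder_conf "${2:?QRadar IP required}" "${3:-udp}"
fi
```

Two points the procedure leaves implicit: syslog-ng must be able to read smaccess.log (the script only warns if it cannot), and UDP gives no delivery guarantee, so on a busy SiteMinder host the tcp() variant is the safer choice if your QRadar collector is configured for TCP on 514. Running "syslog-ng -s" before every restart is cheap and catches the typical missing semicolon or brace before it takes the log pipeline down.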