If you are using an LSM device, you need to configure LSM notification
contacts.
- Log in to the TippingPoint system.
- From the LSM menu, select .
  The IPS Profile - Action Sets window is displayed.
- Click the Notification Contacts tab.
- In the Contacts List, click Remote System Log.
  The Edit Notification Contact page is displayed.
- Configure the following values:
  - Syslog Server - Type the IP address of the QRadar to receive syslog event messages.
  - Port - Type 514 as the port address.
  - Alert Facility - Select none or a numeric value 0-31 from the list. Syslog uses these numbers to identify the message source.
  - Block Facility - Select none or a numeric value 0-31 from the list. Syslog uses these numbers to identify the message source.
  - Delimiter - Select TAB from the list.
- Click Add to table below.
- Configure a Remote system log aggregation period in minutes.
- Click Save.
Note: If your QRadar is in a different subnet than your TippingPoint device, you might have to add static routes. For more information, see your vendor documentation.
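To check that forwarded events match the Alert Facility, Block Facility and Delimiter settings above, the following added example (not part of the vendor documentation) decodes the syslog priority header and splits the body on TAB. It assumes the standard syslog encoding PRI = facility * 8 + severity; the facility numbers 4 and 5 and the sample payloads are constructed placeholders, not the real TippingPoint field layout.

```python
import re

# Assumed settings: the values chosen for Alert Facility and Block Facility
# in the Remote System Log contact. 4 and 5 are constructed for this example.
ALERT_FACILITY = 4
BLOCK_FACILITY = 5

_PRI = re.compile(r"^<(\d{1,3})>")


def classify(datagram: bytes, alert=ALERT_FACILITY, block=BLOCK_FACILITY):
    """Decode the <PRI> header of one syslog datagram and split its body on TAB.

    Returns (kind, facility, severity, fields) where kind is "alert",
    "block" or "other". Raises ValueError if the header is missing or the
    body contains no TAB, which points at a Delimiter setting other than TAB.
    """
    text = datagram.decode("utf-8", errors="replace").rstrip("\r\n")
    match = _PRI.match(text)
    if not match:
        raise ValueError("no <PRI> header: not a syslog message")
    # Standard syslog encoding: PRI = facility * 8 + severity.
    facility, severity = divmod(int(match.group(1)), 8)
    body = text[match.end():]
    if "\t" not in body:
        raise ValueError("body is not TAB-delimited: check the Delimiter setting")
    if facility == alert:
        kind = "alert"
    elif facility == block:
        kind = "block"
    else:
        kind = "other"  # facility matches neither configured value
    return kind, facility, severity, body.split("\t")


# Constructed sample datagrams; field names are placeholders only.
SAMPLES = [
    b"<36>field-a\tfield-b\tfield-c\n",   # 36 = 4 * 8 + 4 -> alert facility
    b"<44>field-a\tfield-b\tfield-c\n",   # 44 = 5 * 8 + 4 -> block facility
    b"<36>field-a|field-b|field-c\n",     # wrong delimiter -> ValueError
]

if __name__ == "__main__":
    for raw in SAMPLES:
        try:
            print(classify(raw))
        except ValueError as err:
            print("rejected:", err)
```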
What to do next
You are now ready to configure the action set for LSM. See Configuring an Action Set for LSM.