When the Vormetric Data Security Manager is enabled to communicate with IBM
QRadar, all events from the
Vormetric Data Firewall FS Agents are also forwarded to the QRadar system through the
Vormetric Data Security Manager.
About this task
To bypass the Vormetric Data Security Manager, you can configure Vormetric Data Firewall FS
Agents to send LEEF events directly to the QRadar system.
Your Vormetric Data Security Manager user account must have System
Administrator permissions.
Procedure
- Log in to your Vormetric Data Security Manager.
- On the navigation menu, click .
- Click the FS Agent Log tab.
- In the Policy Evaluation row, configure the following parameters:
  - Select the Log to Syslog/Event Log check box.
  - Clear the Upload to Server check box.
  - From the Level list, select INFO.
  This setup sends a full audit trail from the policy evaluation module directly to a
  syslog server, and not to the Security Manager. Leaving both destinations enabled might result in
  duplication of events to the QRadar system.
- Under the Syslog Settings section, configure the following parameters. In the
  Server field, use the following syntax to type the IP address or host name
  and port number of your QRadar system.
  qradar_IP address_or_host:port
- From the Protocol list, select TCP or a value
  that matches the log source configuration on your QRadar system.
- From the Message Format list, select LEEF.
What to do next
This configuration is applied to all hosts or host groups later added to the Vormetric Data
Security Manager. For each existing host or host group, select the required host or host group from
the Hosts list and repeat the procedure.
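
A collector-side check for the two settings in the procedure that are easiest to get wrong, Message Format and Upload to Server, as an added example that is not part of the original procedure: it parses received syslog lines as LEEF and reports lines that are not LEEF and events that arrived from more than one sender. The sample lines, addresses, vendor, product and attribute names are constructed placeholders, and it assumes that a copy relayed by the Security Manager keeps the same event ID and attributes.

```python
import re
from collections import defaultdict

# Constructed capture: (sender address seen by the collector, raw syslog line).
# Vendor, product, event ID and attribute names are placeholders, not Vormetric values.
PAYLOAD_A = "LEEF:1.0|ExampleVendor|ExampleAgent|1.0|POLICY_EVAL|usrName=alice\tact=read"
PAYLOAD_B = "LEEF:1.0|ExampleVendor|ExampleAgent|1.0|POLICY_EVAL|usrName=bob\tact=write"
SAMPLE = [
    ("192.0.2.21", "<14>Jan 10 09:15:02 fs-host-01 " + PAYLOAD_A),  # direct from agent
    ("192.0.2.5", "<14>Jan 10 09:15:03 dsm-01 " + PAYLOAD_A),  # same event, relayed
    ("192.0.2.21", "<14>Jan 10 09:16:40 fs-host-01 " + PAYLOAD_B),
    ("192.0.2.21", "<14>Jan 10 09:17:11 fs-host-01 plain text message"),
]


def parse_leef(line):
    """Return the LEEF event ID and attributes of a syslog line, or None."""
    start = line.find("LEEF:")
    if start < 0:
        return None
    payload = line[start:].rstrip("\r\n")
    is_v2 = payload.startswith("LEEF:2")
    # LEEF 1.0 has five header fields; LEEF 2.0 adds a delimiter field.
    parts = payload.split("|", 6 if is_v2 else 5)
    if len(parts) != (7 if is_v2 else 6):
        return None
    delim = "\t"
    if is_v2 and parts[5]:
        m = re.fullmatch(r"(?:0x|x)([0-9A-Fa-f]{2,4})", parts[5])
        delim = chr(int(m.group(1), 16)) if m else parts[5]
    attrs = dict(kv.split("=", 1) for kv in parts[-1].split(delim) if "=" in kv)
    return {"event_id": parts[4], "attrs": attrs}


def audit(capture):
    """Non-LEEF lines, plus events from >1 sender (assumes relays keep ID/attrs)."""
    senders, not_leef = defaultdict(set), []
    for sender, line in capture:
        event = parse_leef(line)
        if event is None:
            not_leef.append((sender, line))
            continue
        key = (event["event_id"], tuple(sorted(event["attrs"].items())))
        senders[key].add(sender)
    return not_leef, {k: sorted(v) for k, v in senders.items() if len(v) > 1}


if __name__ == "__main__":
    print(audit(SAMPLE))
```

A non-empty second result suggests that Upload to Server is still selected on some host; a non-empty first result suggests that Message Format is not set to LEEF there.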