Configuring Vormetric Data Firewall FS Agents to bypass Vormetric Data Security Manager

When the Vormetric Data Security Manager is enabled to communicate with IBM QRadar, all events from the Vormetric Data Firewall FS Agents are also forwarded to the QRadar system through the Vormetric Data Security Manager.

About this task

To bypass the Vormetric Data Security Manager, you can configure Vormetric Data Firewall FS Agents to send LEEF events directly to the QRadar system.

Your Vormetric Data Security Manager user account must have System Administrator permissions.

Procedure

  1. Log in to your Vormetric Data Security Manager.
  2. On the navigation menu, click System > Log Preferences.
  3. Click the FS Agent Log tab.
  4. In the Policy Evaluation row, configure the following parameters:
    1. Select the Log to Syslog/Event Log check box.
    2. Clear the Upload to Server check box.
    3. From the Level list, select INFO.

    This setup enables a full audit trail from the policy evaluation module to be sent directly to a syslog server, and not to the Security Manager. Leaving both destinations enabled might result in duplication of events to the QRadar system.

  5. Under the Syslog Settings section, configure the following parameters:
    1. In the Server field, use the following syntax to type the IP address or host name and port number of your QRadar system.

        qradar_IP address_or_host:port

    2. From the Protocol list, select TCP or a value that matches the log source configuration on your QRadar system.
    3. From the Message Format list, select LEEF.

What to do next

This configuration is applied to all hosts or host groups later added to the Vormetric Data Security Manager. For each existing host or host group, select the required host or host group from the Hosts list and repeat the procedure.
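
A way to check the result on the receiving side, as an added example that is not part of the Vormetric or QRadar documentation: it parses LEEF 1.0 syslog lines and reports events that arrived from more than one sender, which is the duplication the note in the procedure warns about. The sample lines, IP addresses, vendor and product strings, event IDs and attribute names are constructed, and the script assumes a duplicated event carries an identical LEEF payload on both paths.

```python
import re
from collections import defaultdict

# LEEF 1.0 header: LEEF:1.0|Vendor|Product|Version|EventID| then tab-separated key=value pairs.
LEEF_RE = re.compile(r"LEEF:1\.0\|([^|]*)\|([^|]*)\|([^|]*)\|([^|]*)\|(.*)$")

def parse_leef(line):
    """Return (header, attrs) for a syslog line carrying LEEF 1.0, else None."""
    m = LEEF_RE.search(line)
    if m is None:
        return None
    vendor, product, version, event_id, body = m.groups()
    attrs = dict(p.split("=", 1) for p in body.split("\t") if "=" in p)
    header = {"vendor": vendor, "product": product,
              "version": version, "event_id": event_id}
    return header, attrs

def find_duplicates(records):
    """records: (sender_ip, raw_line) pairs. Map each event seen from 2+ senders to those senders."""
    seen = defaultdict(set)
    for sender, line in records:
        parsed = parse_leef(line)
        if parsed is None:
            continue  # not LEEF, e.g. Message Format left at another setting
        header, attrs = parsed
        # Assumption: the same event has the same event ID and attributes on both paths.
        seen[(header["event_id"], tuple(sorted(attrs.items())))].add(sender)
    return {key: ips for key, ips in seen.items() if len(ips) > 1}

# Constructed sample: 192.0.2.21 stands for an FS Agent host, 192.0.2.5 for the
# Security Manager. Vendor, product, event IDs and attributes are placeholders.
SAMPLE = [
    ("192.0.2.21", "<14>Jan 10 12:00:01 fshost1 LEEF:1.0|ExampleVendor|ExampleAgent|1.0|EVT1|"
                   "usrName=alice\tsev=5\tpath=/data/a.txt"),
    ("192.0.2.5",  "<14>Jan 10 12:00:02 dsm1 LEEF:1.0|ExampleVendor|ExampleAgent|1.0|EVT1|"
                   "usrName=alice\tsev=5\tpath=/data/a.txt"),
    ("192.0.2.21", "<14>Jan 10 12:00:05 fshost1 LEEF:1.0|ExampleVendor|ExampleAgent|1.0|EVT2|"
                   "usrName=bob\tsev=3\tpath=/data/b.txt"),
    ("192.0.2.21", "<14>Jan 10 12:00:06 fshost1 plain syslog text"),
]

if __name__ == "__main__":
    for (event_id, _), ips in find_duplicates(SAMPLE).items():
        print(f"event {event_id} received from {sorted(ips)}")
```
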