All event types are sent to IBM QRadar by using a remote syslog alert object that is LEEF enabled.
About this task
Remote syslog alert objects can be created, edited, and deleted from each context in which an event is generated. Log in to the IBM QRadar Network Security XGS local management interface as admin to configure a remote syslog alert object, and go to one of the following menus:
- (System events)
- (Access events)
- (Security events)
- (Security events)
In the IPS Objects, the Network Objects pane, or the System Alerts page, complete the following steps.
Procedure
- Click .
- Select an existing remote syslog alert object, and then click Edit.
- Configure the following options:
Table 1. Syslog configuration parameters

| Option | Description |
|---|---|
| Name | Type a name for the syslog alert configuration. |
| Remote Syslog Collector | Type the IP address of your QRadar Console or Event Collector. |
| Remote Syslog Collector Port | Type 514 for the Remote Syslog Collector Port. |
| Remote LEEF Enabled | Select this check box to enable LEEF formatted events. This is a required field. If you do not see this option, verify that you have software version 5.0 with fixpack 7 to v5.4 installed on your IBM® QRadar Security Network appliance. |
| Comment | Typing a comment for the syslog configuration is optional. |
- Click Save Configuration. The alert is added to the Available Objects list.
- To update your IBM QRadar Network Security XGS appliance, click Deploy.
- Add the LEEF alert object for QRadar to the following locations:
  - One or more rules in a policy
  - Added Objects pane on the System Alerts page
- Click Deploy.
For more information about the Network Security XGS device, click Help in the QRadar Network Security XGS local management interface browser client window or access the online IBM QRadar Network Security XGS documentation.
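
To confirm on the collector side that the alert object is sending LEEF events (that is, that Remote LEEF Enabled took effect), the following added example, which is not IBM code, parses received syslog lines and counts LEEF versus non-LEEF events. The header layout follows the published LEEF 1.0 and 2.0 format; the host name, vendor and product strings, event IDs and attributes in the sample lines are constructed placeholders.

```python
import re
from collections import Counter

# "LEEF:<version>|" may follow a syslog priority and header.
LEEF_START = re.compile(r"LEEF:(1\.0|2\.0)\|")

def _delimiter(field):
    """LEEF 2.0 delimiter field: one literal character, or hex such as 0x09 / x5E."""
    m = re.fullmatch(r"0?x([0-9A-Fa-f]{1,4})", field)
    return chr(int(m.group(1), 16)) if m else field

def parse_leef(line):
    """Return the LEEF header and attributes found in a syslog line, else None."""
    m = LEEF_START.search(line)
    if not m:
        return None
    version = m.group(1)
    # 1.0: Vendor|Product|Version|EventID|attributes (tab separated)
    # 2.0: Vendor|Product|Version|EventID|Delimiter|attributes
    want = 5 if version == "1.0" else 6
    parts = line[m.end():].split("|", want - 1)
    if len(parts) < want:
        return None  # truncated header, treat as not LEEF
    # Assumption: a 2.0 event carries the delimiter field; empty means tab.
    delim = "\t" if version == "1.0" else (_delimiter(parts[4]) or "\t")
    attrs = {}
    for pair in parts[-1].split(delim):
        key, sep, value = pair.partition("=")
        if sep and key:
            attrs[key] = value
    return {"leef_version": version, "vendor": parts[0], "product": parts[1],
            "product_version": parts[2], "event_id": parts[3], "attrs": attrs}

def check_feed(lines):
    """Count LEEF and non-LEEF lines received from the appliance."""
    return Counter("leef" if parse_leef(l) else "not_leef" for l in lines)

# Constructed sample lines; every vendor, product, event ID and attribute is a placeholder.
SAMPLES = [
    "<13>Jan 10 12:00:01 xgs-example LEEF:1.0|ExampleVendor|ExampleProduct|5.3|EXAMPLE_EVENT|src=192.0.2.10\tdst=198.51.100.7\tsev=5",
    "<13>Jan 10 12:00:02 xgs-example LEEF:2.0|ExampleVendor|ExampleProduct|5.3|EXAMPLE_EVENT|^|src=192.0.2.10^dst=198.51.100.7",
    "<13>Jan 10 12:00:03 xgs-example system: plain syslog text, LEEF not enabled",
]

if __name__ == "__main__":
    print(dict(check_feed(SAMPLES)))
    print(parse_leef(SAMPLES[0]))
```

A non-zero `not_leef` count for lines coming from the appliance suggests that the alert object attached to that rule or to the System Alerts page does not have Remote LEEF Enabled selected.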