Configuring IBM QRadar Network Security XGS Alerts

All event types are sent to IBM QRadar by using a remote syslog alert object that is LEEF enabled.

About this task

Remote syslog alert objects can be created, edited, and deleted from each context in which an event is generated. Log in to the IBM QRadar Network Security XGS local management interface as admin to configure a remote syslog alert object, and go to one of the following menus:

  • Manage > System Settings > System Alerts (System events)
  • Secure > Network Access Policy (Access events)
  • Secure > IPS Event Filter Policy (Security events)
  • Secure > Intrusion Prevention Policy (Security events)
  • Secure > Network Access Policy > Inspection > Intrusion Prevention Policy

In the IPS Objects, the Network Objects pane, or the System Alerts page, complete the following steps.

Procedure

  1. Click New > Alert > Remote Syslog.
  2. Select an existing remote syslog alert object, and then click Edit.
  3. Configure the following options:
    Table 1. Syslog configuration parameters

    | Option | Description |
    |---|---|
    | Name | Type a name for the syslog alert configuration. |
    | Remote Syslog Collector | Type the IP address of your QRadar Console or Event Collector. |
    | Remote Syslog Collector Port | Type 514 for the Remote Syslog Collector Port. |
    | Remote LEEF Enabled | Select this check box to enable LEEF formatted events. This is a required field. If you do not see this option, verify that you have software version 5.0 with fixpack 7 to v5.4 installed on your IBM® QRadar Security Network appliance. |
    | Comment | Typing a comment for the syslog configuration is optional. |

  4. Click Save Configuration.

    The alert is added to the Available Objects list.

  5. To update your IBM QRadar Network Security XGS appliance, click Deploy.
  6. Add the LEEF alert object for QRadar to the following locations:
    • One or more rules in a policy
    • Added Objects pane on the System Alerts page
  7. Click Deploy.

    For more information about the Network Security XGS device, click Help in the QRadar Network Security XGS local management interface browser client window or access the online IBM QRadar Network Security XGS documentation.
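
After the final deploy, you can check that messages reaching the collector on port 514 carry a LEEF header, since a message without one points to an alert object where Remote LEEF Enabled was not selected. The following Python sketch is an added example, not IBM code: the function names, host name, vendor, product, event ID, and attribute values in the sample lines are constructed placeholders, and it assumes the standard LEEF 1.0 and 2.0 header layouts.

```python
import re

# LEEF header: LEEF:version|vendor|product|product version|event ID|
# LEEF 2.0 carries one more header field that names the attribute delimiter.
LEEF_START = re.compile(r"LEEF:(1\.0|2\.0)\|")
HEX_DELIM = re.compile(r"(?:0x|x)([0-9A-Fa-f]{1,4})")


def parse_leef(line):
    """Return a dict for a LEEF syslog line, or None if it is not valid LEEF."""
    m = LEEF_START.search(line)  # skips the syslog priority/timestamp/host prefix
    if not m:
        return None
    version = m.group(1)
    expected = 5 if version == "1.0" else 6
    fields = line[m.end():].split("|", expected - 1)
    if len(fields) < expected:
        return None  # header cut short
    vendor, product, product_version, event_id = fields[:4]
    delim = "\t"  # LEEF 1.0 attributes are always tab separated
    if version == "2.0" and fields[4]:
        hx = HEX_DELIM.fullmatch(fields[4])
        delim = chr(int(hx.group(1), 16)) if hx else fields[4]
    attrs = {}
    for pair in fields[-1].split(delim):
        key, sep, value = pair.partition("=")
        if sep:
            attrs[key.strip()] = value
    return {"version": version, "vendor": vendor, "product": product,
            "product_version": product_version, "event_id": event_id,
            "attrs": attrs}


def audit(lines):
    """Split received syslog lines into parsed LEEF events and rejected lines."""
    parsed, rejected = [], []
    for line in lines:
        event = parse_leef(line)
        if event:
            parsed.append(event)
        else:
            rejected.append(line)
    return parsed, rejected


# Constructed sample input (not captured from a real appliance).
SAMPLE = [
    "<13>Jan 10 12:00:01 xgs-example LEEF:1.0|ExampleVendor|ExampleProduct|0.0|ExampleEvent|src=192.0.2.10\tdst=198.51.100.7\tsev=5",
    "<13>Jan 10 12:00:02 xgs-example LEEF:2.0|ExampleVendor|ExampleProduct|0.0|ExampleEvent|^|src=192.0.2.11^dst=198.51.100.7",
    "<13>Jan 10 12:00:03 xgs-example plain syslog text with no LEEF header",
]
```

Feed `audit()` the lines captured at the collector; anything in the rejected list arrived without a usable LEEF header and identifies a rule or alert object to recheck.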