Configuring FORCEPOINT Stonesoft Management Center to communicate with QRadar

Configure Stonesoft Management Center to communicate with QRadar® by editing the LogServerConfiguration.txt file. Editing this file configures Stonesoft Management Center to forward events to QRadar in LEEF format over syslog.

Procedure

  1. Log in to the appliance that hosts your Stonesoft Management Center.
  2. Stop the Stonesoft Management Center Log Server.
  3. Use the method for your operating system to stop the Log Server:
    • Windows - Stop the Log Server in the Windows Services list, or run the batch file <installation path>/bin/sgStopLogSrv.bat.
    • Linux® - Run the script <installation path>/bin/sgStopLogSrv.sh.
  4. Edit the LogServerConfiguration.txt file. The configuration file is located in the following directory:

    <installation path>/data/LogServerConfiguration.txt

  5. Configure the following parameters in the LogServerConfiguration.txt file:

    Table 1. Log server configuration options

    | Parameter             | Value               | Description                                                                                            |
    |-----------------------|---------------------|--------------------------------------------------------------------------------------------------------|
    | SYSLOG_EXPORT_FORMAT  | LEEF                | Type LEEF as the export format to use for syslog.                                                      |
    | SYSLOG_EXPORT_ALERT   | YES or NO           | YES exports alert entries to QRadar by using the syslog protocol; NO does not export alert entries.     |
    | SYSLOG_EXPORT_FW      | YES or NO           | YES exports firewall and VPN entries to QRadar by using the syslog protocol; NO does not export them.   |
    | SYSLOG_EXPORT_IPS     | YES or NO           | YES exports IPS logs to QRadar by using the syslog protocol; NO does not export IPS logs.               |
    | SYSLOG_PORT           | 514                 | Type 514 as the UDP port for forwarding syslog events to QRadar.                                       |
    | SYSLOG_SERVER_ADDRESS | QRadar IPv4 address | Type the IPv4 address of your QRadar Console or Event Collector.                                       |

  6. Save the LogServerConfiguration.txt file.
  7. Start the Log Server.
    • Windows - Type <installation path>/bin/sgStartLogSrv.bat.
    • Linux - Type <installation path>/bin/sgStartLogSrv.sh.

    For detailed configuration instructions, see the StoneGate Management Center Administrator's Guide.
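The following script is an added example, not Forcepoint or IBM code. It applies the Table 1 settings to a copy of LogServerConfiguration.txt idempotently (existing lines are updated in place so that unrelated settings survive, missing keys are appended) and then checks the result for the mistakes that most often leave QRadar without events: a non-LEEF export format, every export flag set to NO, a wrong port, or a server address that is not IPv4. It assumes the file is a flat KEY=VALUE file with `#` comment lines; that format, the sample file contents and the address 192.0.2.10 are constructed for the example.

```python
"""Idempotently set the QRadar syslog-export parameters in a Stonesoft
LogServerConfiguration.txt and sanity-check the result.

Added example, not vendor code.  Assumption: the file is a flat
KEY=VALUE file with '#' comment lines.  Parameter names and values
are those of Table 1 in the procedure above.
"""
import ipaddress
import re

# Fixed values from Table 1; SYSLOG_SERVER_ADDRESS is supplied by the caller.
REQUIRED = {
    "SYSLOG_EXPORT_FORMAT": "LEEF",
    "SYSLOG_EXPORT_ALERT": "YES",
    "SYSLOG_EXPORT_FW": "YES",
    "SYSLOG_EXPORT_IPS": "YES",
    "SYSLOG_PORT": "514",
}
LINE_RE = re.compile(r"^\s*([A-Z0-9_]+)\s*=\s*(.*?)\s*$")

# Constructed sample file: wrong format, one export disabled, no server address.
SAMPLE = """# constructed sample, not a real Stonesoft file
LOG_SERVER_NAME=smc-log-01
SYSLOG_EXPORT_FORMAT=CEF
SYSLOG_EXPORT_FW=NO
SYSLOG_PORT=514
"""


def parse(text):
    """Return a dict of KEY -> VALUE, ignoring blank and comment lines."""
    values = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = LINE_RE.match(line)
        if m:
            values[m.group(1)] = m.group(2)
    return values


def apply_settings(text, qradar_ip, exports=None):
    """Return text with every required key set to the wanted value.

    Lines that already define a key are rewritten in place so comments and
    unrelated settings are preserved; keys not present are appended.
    `exports` may override the YES/NO flags, e.g. {"SYSLOG_EXPORT_IPS": "NO"}.
    Raises ValueError if qradar_ip is not an IPv4 address (Table 1 requires IPv4).
    """
    wanted = dict(REQUIRED)
    if exports:
        wanted.update(exports)
    wanted["SYSLOG_SERVER_ADDRESS"] = str(ipaddress.IPv4Address(qradar_ip))
    out, seen = [], set()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(1) in wanted and not line.lstrip().startswith("#"):
            key = m.group(1)
            out.append(f"{key}={wanted[key]}")
            seen.add(key)
        else:
            out.append(line)
    for key, value in wanted.items():
        if key not in seen:
            out.append(f"{key}={value}")
    return "\n".join(out) + "\n"


def check(text):
    """Return a list of problems that would stop events from reaching QRadar."""
    v = parse(text)
    problems = []
    if v.get("SYSLOG_EXPORT_FORMAT") != "LEEF":
        problems.append("SYSLOG_EXPORT_FORMAT must be LEEF for QRadar")
    flags = [v.get(k) for k in ("SYSLOG_EXPORT_ALERT", "SYSLOG_EXPORT_FW", "SYSLOG_EXPORT_IPS")]
    if any(f not in ("YES", "NO") for f in flags):
        problems.append("every SYSLOG_EXPORT_* flag must be set to YES or NO")
    if "YES" not in flags:
        problems.append("no log type is exported; at least one SYSLOG_EXPORT_* flag must be YES")
    if v.get("SYSLOG_PORT") != "514":
        problems.append("SYSLOG_PORT should be 514, the QRadar syslog listener port")
    try:
        ipaddress.IPv4Address(v.get("SYSLOG_SERVER_ADDRESS", ""))
    except ipaddress.AddressValueError:
        problems.append("SYSLOG_SERVER_ADDRESS must be the IPv4 address of the QRadar Console or Event Collector")
    return problems


if __name__ == "__main__":
    print("problems before:", check(SAMPLE))
    fixed = apply_settings(SAMPLE, "192.0.2.10")
    print(fixed)
    print("problems after:", check(fixed))
```

Run `check()` against the live file after the Log Server has been restarted as well as before: it catches the case where a later edit flips every export flag to NO, which silently stops forwarding without any error on either side.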

What to do next

You are now ready to configure a traffic rule for syslog.

Note: A firewall rule is only required if a firewall separates your QRadar Console or Event Collector from the Stonesoft Management Server. If no firewall exists between the Stonesoft Management Server and QRadar, skip the traffic rule and configure the log source in QRadar.