Fasoo Enterprise DRM
The IBM® QRadar® DSM for Fasoo Enterprise DRM (Digital Rights Management) collects logs from a Fasoo Enterprise DRM device.

| Specification | Value |
|---|---|
| DSM name | Fasoo Enterprise DRM |
| RPM file name | DSM-FasooFED-QRadar_version-build_number.noarch.rpm |
| Event format | name-value pair (NVP) |
| Recorded event types | |
| Includes custom properties? | No |
| More information | Fasoo website (http://en.fasoo.com/Fasoo-Enterprise-DRM) |
- If automatic updates are not enabled, download and install the most recent version of the following RPMs from the IBM Support Website onto your QRadar Console:
  - JDBC Protocol RPM
  - DSMCommon RPM
  - FasooFED DSM RPM
- Configure a log source to connect to the Fasoo Enterprise DRM database and retrieve events.
- Add a Fasoo Enterprise DRM log source on the QRadar Console. The following table describes the parameters that require specific values to collect events from Fasoo Enterprise DRM:
Table 2. Fasoo Enterprise DRM JDBC log source parameters

| Parameter | Value |
|---|---|
| Log Source type | Fasoo Enterprise DRM |
| Protocol Configuration | JDBC |
| Log Source Identifier | Type a name for the log source. The name can't contain spaces and must be unique among all log sources of the log source type that is configured to use the JDBC protocol. If the log source collects events from a single appliance that has a static IP address or host name, use the IP address or host name of the appliance as all or part of the Log Source Identifier value; for example, 192.168.1.1 or JDBC192.168.1.1. If the log source doesn't collect events from a single appliance that has a static IP address or host name, you can use any unique name for the Log Source Identifier value; for example, JDBC1, JDBC2. |
| Database Type | From the list, select the type of the Fasoo Enterprise DRM database. |
| Database Name | The name of the Fasoo Enterprise DRM database. |
| IP or Hostname | The IP address or host name of the Fasoo Enterprise DRM database server. |
| Port | The port number that is used by the database server. |
| Username | The user name that is required to connect to the database. |
| Password | The password that is required to connect to the database. The password can be up to 255 characters in length. |
| Confirm Password | The confirmation password must be identical to the password that you typed for the Password parameter. |
| Authentication Domain | Displayed only if you did not select Use Microsoft JDBC. The Windows domain for MSDE. If your network does not use a domain, leave this field blank. |
| Database Instance | The database instance, if required. MSDE databases can include multiple SQL Server instances on one server. When a non-standard port is used for the database, or access to port 1434 for SQL database resolution is blocked, the Database Instance parameter must be left blank in the log source configuration. |
| Predefined Query (Optional) | Select a predefined database query for the log source. If a predefined query is not available for the log source type, select the none option. |
| Table Name | view_fut_log. The name of the view that includes the event records. |
| Select List | Type an asterisk (*) to select all fields from the table or view. This is the list of fields to include when the table is polled for events. |
| Compare Field | log_date. The Compare Field is used to identify new events that are added between queries to the table. |
| Start Date and Time (Optional) | Type the start date and time for database polling in the format yyyy-MM-dd HH:mm, with HH specified by using a 24-hour clock. If the start date or time is left clear, polling begins immediately and repeats at the specified polling interval. |
| Use Prepared Statements | Select the check box if you want to use prepared statements. Prepared statements enable the JDBC protocol source to set up the SQL statement once and then run it numerous times with different parameters. For security and performance reasons, most JDBC protocol configurations can use prepared statements. |
| Polling Interval | The amount of time between queries to the event table. The default polling interval is 10 seconds. You can define a longer polling interval by appending H for hours or M for minutes to the numeric value. The maximum polling interval is 1 week in any time format. Numeric values that are entered without an H or M poll in seconds. |
| EPS Throttle | The number of events per second (EPS) that you do not want this protocol to exceed. The default value is 20000 EPS. |
| Use Named Pipe Communication | Displayed only if you did not select Use Microsoft JDBC. MSDE databases require the user name and password fields to use a Windows authentication user name and password, not the database user name and password. The log source configuration must use the default named pipe on the MSDE database. |
| Database Cluster Name | Displayed only if you selected Use Named Pipe Communication. If you are running your SQL Server in a cluster environment, define the cluster name to ensure that named pipe communication functions properly. |
| Use NTLMv2 | Displayed only if you did not select Use Microsoft JDBC. Select this option if you want MSDE connections to use the NTLMv2 protocol when they communicate with SQL servers that require NTLMv2 authentication. This option does not interrupt communications for MSDE connections that do not require NTLMv2 authentication. |
| Use Microsoft JDBC | If you want to use the Microsoft JDBC driver, you must enable Use Microsoft JDBC. |
| Use SSL | Select this option if your connection supports SSL. |
| Microsoft SQL Server Hostname | Displayed only if you selected Use Microsoft JDBC and Use SSL. Type the host name for the Microsoft SQL Server. |

For more information about configuring JDBC parameters, see c_logsource_JDBCprotocol.html.
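The polling behaviour that the Table Name, Select List, Compare Field, Use Prepared Statements, Start Date and Time and Polling Interval parameters describe, modelled as an added example (this is not IBM's or Fasoo's code, and not how the QRadar JDBC protocol is implemented). An in-memory SQLite table with constructed rows and a reduced column set stands in for the view_fut_log view; treating an empty Start Date and Time as "no lower bound", the identifier whitelist, and the `polling_interval_seconds` helper are this example's own assumptions.

```python
import re
import sqlite3

# Values taken from the Table 2 parameters on this page.
TABLE_NAME = "view_fut_log"
COMPARE_FIELD = "log_date"
SELECT_LIST = "*"

# Assumption: a reduced column set (a subset of the fields in the sample message).
COLUMNS = ("log_id", "log_date", "log_type", "purpose", "usage_result", "user_name", "content_name")

# Constructed sample rows. log_date uses the zero-padded yyyy-MM-dd HH:mm:ss.SSS layout seen in
# the sample message, so a TEXT comparison on the column matches time order.
SAMPLE_ROWS = [
    ("1001", "2016-03-21 14:17:36.000", "1", "16", "1", "username", "New Microsoft PowerPoint Presentation.pptx"),
    ("1002", "2016-03-21 14:18:02.000", "1", "16", "1", "username", "Q1 forecast.xlsx"),
    ("1003", "2016-03-21 14:20:11.000", "1", "16", "0", "othername", "Board deck.pptx"),
]

IDENT_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def is_safe_identifier(name):
    """Table and column names cannot be bound parameters, so whitelist their shape instead."""
    return name == "*" or IDENT_RE.fullmatch(name) is not None


def polling_interval_seconds(value):
    """Parse the Polling Interval syntax from the page: plain seconds, or a number followed by M or H."""
    value = value.strip()
    unit = 1
    if value[-1:].upper() in ("H", "M"):
        unit = 3600 if value[-1].upper() == "H" else 60
        value = value[:-1]
    seconds = int(value) * unit
    if seconds <= 0 or seconds > 7 * 24 * 3600:  # page: maximum is 1 week
        raise ValueError("polling interval must be between 1 second and 1 week")
    return seconds


def build_fake_source():
    """In-memory SQLite stand-in for the Fasoo database (constructed data, not the real schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(f"CREATE TABLE {TABLE_NAME} ({', '.join(c + ' TEXT' for c in COLUMNS)})")
    conn.executemany(f"INSERT INTO {TABLE_NAME} VALUES ({', '.join('?' * len(COLUMNS))})", SAMPLE_ROWS)
    conn.commit()
    return conn


class ComparePoller:
    """Keeps the highest Compare Field value seen so far and requests only rows above it."""

    def __init__(self, conn, start_date_time=None):
        for ident in (TABLE_NAME, COMPARE_FIELD, SELECT_LIST):
            if not is_safe_identifier(ident):
                raise ValueError(f"unsafe identifier in log source config: {ident!r}")
        self.conn = conn
        # Start Date and Time seeds the watermark; None means no lower bound (this model's assumption).
        self.high_water = start_date_time
        # Identifiers come from operator config; the watermark is a bound parameter, prepared-statement style.
        self.sql = (f"SELECT {SELECT_LIST} FROM {TABLE_NAME} "
                    f"WHERE ? IS NULL OR {COMPARE_FIELD} > ? ORDER BY {COMPARE_FIELD}")

    def poll(self):
        """One polling-interval tick: fetch rows newer than the watermark, then advance it."""
        rows = self.conn.execute(self.sql, (self.high_water, self.high_water)).fetchall()
        events = [dict(zip(COLUMNS, row)) for row in rows]
        if events:
            self.high_water = events[-1][COMPARE_FIELD]
        return events


def to_nvp(event):
    """Render a row in the name-value pair form this DSM consumes: key: "value" ..."""
    return " ".join(f'{k}: "{v}"' for k, v in event.items())


if __name__ == "__main__":
    poller = ComparePoller(build_fake_source())
    for ev in poller.poll():
        print(to_nvp(ev))
    print("next poll returns", len(poller.poll()), "rows; interval =", polling_interval_seconds("5M"), "s")
```

Two points worth checking in a real deployment follow from this model. Because the query asks for `log_date > watermark`, a row committed late with a log_date at or below the watermark (clock skew on the Fasoo server, a delayed transaction) is never collected, so a gap in event IDs is worth investigating rather than assuming the source was idle. And the watermark only works as a string comparison because the timestamps are zero-padded and ordered year-first; a view that exposes the compare field in another text layout breaks incremental polling silently.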
- Verify that QRadar is configured correctly.

The following table shows a sample normalized event message from Fasoo Enterprise DRM:
Table 3. Fasoo Enterprise DRM sample message

| Event name | Low level category | Sample log message |
|---|---|---|
| Edit - successful | Update Activity Succeeded | log_id: "xxxxxxxxxxxxxxxxxxxxxx" log_date: "2016-03-21 14:17:36.000" log_type: "1" product: "1" purpose: "16" usage_result: "1" license_status: "0" ip: "<Numeric>" user_code: "usercode" user_name: "username" user_dept_code: "xxxxxxxxxxxxxxxxxxxx" user_dept_name: "userdeptname" position_code: "P001" position_name: "Employee" content_code: "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" current_content_name: "New Microsoft PowerPoint Presentation.pptx" content_name: "New Microsoft PowerPoint Presentation.pptx" sec_level_code: "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" sec_level_name: "Basic" system_code: "NULL" system_name: "NULL" owner_code: "ownercode" owner_name: "ownername" owner_dept_code: "xxxxxxxxxxxxxxxxxxxx" owner_dept_name: "ownerdeptname" content_create-date: "2016-03-21 03:41:28.000" entry_date: "2016-03-21 13:18:26.670" |
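An added parser for the name-value pair format shown in Table 3 (example code, not part of the DSM or of QRadar). It reads the sample message above back into a dictionary, refuses any text between pairs that it cannot account for, and, as this example's own convention rather than anything the page states, maps the literal string NULL to None and parses the three timestamp-shaped fields with the yyyy-MM-dd HH:mm:ss.SSS layout the sample uses.

```python
import re
from datetime import datetime

# Sample message copied from Table 3 on this page (placeholder values as printed there).
SAMPLE_MESSAGE = (
    'log_id: "xxxxxxxxxxxxxxxxxxxxxx" log_date: "2016-03-21 14:17:36.000" log_type: "1" '
    'product: "1" purpose: "16" usage_result: "1" license_status: "0" ip: "<Numeric>" '
    'user_code: "usercode" user_name: "username" user_dept_code: "xxxxxxxxxxxxxxxxxxxx" '
    'user_dept_name: "userdeptname" position_code: "P001" position_name: "Employee" '
    'content_code: "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" '
    'current_content_name: "New Microsoft PowerPoint Presentation.pptx" '
    'content_name: "New Microsoft PowerPoint Presentation.pptx" '
    'sec_level_code: "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" sec_level_name: "Basic" '
    'system_code: "NULL" system_name: "NULL" owner_code: "ownercode" owner_name: "ownername" '
    'owner_dept_code: "xxxxxxxxxxxxxxxxxxxx" owner_dept_name: "ownerdeptname" '
    'content_create-date: "2016-03-21 03:41:28.000" entry_date: "2016-03-21 13:18:26.670"'
)

# key: "value" pairs. Keys may contain a hyphen (content_create-date in the sample); values are
# double-quoted and may contain spaces and colons, so splitting on whitespace would be wrong.
PAIR_RE = re.compile(r'([A-Za-z_][A-Za-z0-9_-]*):\s*"((?:[^"\\]|\\.)*)"')

# Assumption: these three fields always carry a timestamp in the sample's layout.
TIMESTAMP_FIELDS = ("log_date", "content_create-date", "entry_date")
TIMESTAMP_FORMAT = "%Y-%m-%d %H:%M:%S.%f"


def parse_nvp(message):
    """Split one NVP event line into a dict of raw string values.

    Anything between two pairs other than whitespace means the line is malformed
    (for example a value whose closing quote is missing); fail loudly instead of
    silently dropping fields an analyst would later search for.
    """
    fields = {}
    pos = 0
    for match in PAIR_RE.finditer(message):
        gap = message[pos:match.start()]
        if gap.strip():
            raise ValueError(f"unparsed text at offset {pos}: {gap!r}")
        fields[match.group(1)] = match.group(2)
        pos = match.end()
    if message[pos:].strip():
        raise ValueError(f"unparsed trailing text: {message[pos:]!r}")
    return fields


def normalize(fields):
    """Convert raw strings to typed values: NULL becomes None, timestamp fields become datetime."""
    out = {}
    for key, value in fields.items():
        if value == "NULL":
            out[key] = None
        elif key in TIMESTAMP_FIELDS:
            out[key] = datetime.strptime(value, TIMESTAMP_FORMAT)
        else:
            out[key] = value
    return out


if __name__ == "__main__":
    parsed = normalize(parse_nvp(SAMPLE_MESSAGE))
    print(len(parsed), "fields;", parsed["user_name"], "edited", parsed["content_name"], "at", parsed["log_date"])
```

The strict gap check is the part that earns its keep: a message with an unbalanced quote makes the regex skip ahead to the next well-formed pair, and without the check the result would be a dictionary that looks complete but has lost the field in between.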