Configuring Enterprise-IT-Security.com SF-Sherlock to communicate with QRadar
Before you can send SF-Sherlock events and assessment details to QRadar®, implement the SF-Sherlock 2 QRadar connection kit.
The information that is sent to QRadar can be defined and selected in detail. Regardless of the selected transfer method, all information reaches QRadar as LEEF-formatted records.
About this task
- Install the UMODQR01 and UMODQR02 SF-Sherlock SMP/E user modifications by using the corresponding SHERLOCK.SSHKSAMP data set members.
- If you send SF-Sherlock’s LEEF records to a QRadar syslog daemon, which is generally the preferred transfer method, you must install the SF-Sherlock universal syslog message router in the USS environment of z/OS®. You will find all installation details within the UNIXCMDL member of the SHERLOCK.SSHKSAMP data set.
- Optional: If you transfer the logs by FTP or another technique, you must adapt the UMODQR01 user modification.
- Enter the IP address for the QRadar LEEF syslog server, transfer method (UDP or TCP), and port number (514) in the QRADARSE member of SF-Sherlock’s init-deck parameter configuration file.
- Allocate the QRadar related log data set by using the ALLOCQRG job of the SHERLOCK.SSHKSAMP data set. It is used by the SHERLOCK started procedure (STC) to keep all QRadar LEEF records transferring to QRadar.
- The QRDARTST member of the SHERLOCK.SSHKSAMP data set can be used to test the SF-Sherlock 2 QRadar message routing connection. If QRadar receives the test events, the implementation was successful.
- Enable the SF-Sherlock 2 QRadar connection in your SF-Sherlock
installation by activating QRADAR00 (event monitoring) and optionally,
the QRADAR01 (assessment details) init-deck members,
through the already prepared
ADD QRADARxxstatements within the $BUILD00 master control member.
- Refresh or recycle the SHERLOCK started procedure to activate the new master control member that enables the connection of SF-Sherlock to QRadar.