Configuring a Cisco IronPort and Cisco ESA log source by using the log file protocol
You can configure a log source on the QRadar® Console so that Cisco IronPort and Cisco Email Security Appliance (ESA) can communicate with QRadar by using the log file protocol.
| Parameter | Description |
|---|---|
| Log Source type | Cisco IronPort |
| Protocol Configuration | Log File Protocol |
| Log Source Identifier | The Log Source Identifier can be any valid value, including the same value as the Log Source Name parameter, and doesn't need to reference a specific server. |
| Service Type | From the list, select the protocol that you want to use when retrieving log files from a remote server. The default is SFTP. The underlying protocol that is used to retrieve log files for the SCP and SFTP service types requires that the server that is specified in the Remote IP or Hostname field has the SFTP subsystem enabled. |
| Remote IP or Hostname | Type the IP address or host name of the device that contains the event log files. |
| Remote Port | Type the port that is used to communicate with the remote host. The valid range is 1 - 65535. The options include: |
| Remote User | Type the user name necessary to log in to the host that contains the event files. |
| Remote Password | Type the password necessary to log in to the host. |
| Confirm Password | Confirm the password necessary to log in to the host. |
| SSH Key File | If the system is configured to use key authentication, type the path to the SSH key. When an SSH key file is used, the Remote Password field is ignored. |
| Remote Directory | Type the directory location on the remote host from which the files are retrieved. The directory path is relative to the user account that is used to log in. For FTP only: if the log files are in the remote user's home directory, you can leave the remote directory blank. A blank remote directory field supports systems where the change working directory (CWD) command is restricted. |
| Recursive | Select this check box to enable the file pattern to search sub folders. By default, the check box is clear. This option is ignored for SCP file transfers. |
| FTP File Pattern | Must use a regular expression that matches the log files that are generated. The FTP file pattern that you specify must match the name that you assigned to your event files. For example, to collect files that end with .log, type the following: For more information, see the Oracle Java documentation (http://docs.oracle.com/javase/tutorial/essential/regex/). |
| Start Time | Type the time of day for the log source to start the file import. This parameter functions with the Recurrence value to establish when and how often the Remote Directory is scanned for files. |
| Recurrence | Type a time interval to determine how frequently the remote directory is scanned for new event log files. The minimum value is 15 minutes. The time interval can include values in hours (H), minutes (M), or days (D). For example, a recurrence of 2H scans the remote directory every 2 hours. |
| Run On Save | Select this check box to start the log file import immediately after the administrator saves the log source. After the first file import, the log file protocol follows the start time and recurrence schedule that is defined by the administrator. When selected, this check box clears the list of previously downloaded and processed files. |
| EPS Throttle | Type the number of Events Per Second (EPS) that the protocol cannot exceed. The valid range is 100 - 5000. |
| Processor | From the list, select gzip. |
| Ignore Previously Processed File(s) | Select this check box to track files that were processed by the log file protocol. QRadar examines the log files in the remote directory to determine if a file was previously processed by the log file protocol. If a previously processed file is detected, the log file protocol does not download the file for processing. All files that weren't previously processed are downloaded. This option only applies to FTP and SFTP Service Types. |
| Change Local Directory? | Select this check box to define the local directory on the QRadar Console for storing downloaded files during processing. Administrators can leave this check box clear for most configurations. When this check box is selected, the Local Directory field is displayed so that you can configure the local directory to use for storing files. |
| Event Generator | W3C. The Event Generator uses W3C to process the web content filter log files. |
| File Encoding | From the list box, select the character encoding that is used by the events in your log file. |
| Folder Separator | Type the character that is used to separate folders for your operating system. The default value is /. Most configurations can use the default value in the Folder Separator field. This field is intended for operating systems that use a different character to define separate folders, for example, periods that separate folders on mainframe systems. |
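The way the FTP File Pattern, Recursive, Ignore Previously Processed File(s) and Recurrence settings interact is easiest to see in code. The following Python is an added illustration of the rules described above, not QRadar's own implementation; the directory listing and the pattern `mail\..*\.log` are constructed for the example.

```python
import re
from typing import Iterable

# Constructed listing of the Remote Directory, paths relative to it.
# Entries containing "/" live in sub folders.
SAMPLE_LISTING = [
    "mail.current.log",
    "archive/mail.20240101.log",
    "mail.log.gz",
    "README.txt",
]


def parse_recurrence(value: str) -> int:
    """Convert a Recurrence such as 2H, 30M or 1D to minutes.

    Enforces the documented 15-minute minimum."""
    m = re.fullmatch(r"(\d+)\s*([MHD])", value.strip().upper())
    if not m:
        raise ValueError(f"invalid recurrence: {value!r}")
    minutes = int(m.group(1)) * {"M": 1, "H": 60, "D": 1440}[m.group(2)]
    if minutes < 15:
        raise ValueError("recurrence must be at least 15 minutes")
    return minutes


def select_files(listing: Iterable[str], file_pattern: str, recursive: bool,
                 processed: set, ignore_processed: bool) -> list:
    """Return the files the protocol would download, in listing order.

    The pattern is matched against the whole file name (not the folder
    part), mirroring the requirement that it match the assigned file name.
    Simple patterns like the one used here behave the same under Java and
    Python regex syntax (assumption: patterns stay within that subset)."""
    rx = re.compile(file_pattern)
    chosen = []
    for path in listing:
        folder, _, name = path.rpartition("/")
        if folder and not recursive:          # Recursive clear: skip sub folders
            continue
        if not rx.fullmatch(name):            # FTP File Pattern
            continue
        if ignore_processed and path in processed:  # Ignore Previously Processed File(s)
            continue
        chosen.append(path)
    return chosen
```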