Honeycomb Lexicon File Integrity Monitor (FIM)
You can use the Honeycomb Lexicon File Integrity Monitor (FIM) DSM with IBM® QRadar® to collect detailed file integrity events from your network.
QRadar supports syslog events that are forwarded from Lexicon File Integrity Monitor installations that use Lexicon mesh v3.1 and later. The syslog events that are forwarded by Lexicon FIM are formatted as Log Event Extended Format (LEEF) events by the Lexicon mesh service.
To integrate Lexicon FIM events with QRadar, you must complete the following tasks:
- On your Honeycomb installation, configure the Lexicon mesh service to generate syslog events in LEEF.
- On your Honeycomb installation, configure any Lexicon FIM policies for your Honeycomb data collectors to forward FIM events to your QRadar Console or Event Collector.
- On your QRadar Console, verify that a Lexicon FIM log source is created and that events are displayed on the Log Activity tab.
- Optional. Ensure that no firewall rules block communication between your Honeycomb data collectors and the QRadar Console or Event Collector that is responsible for receiving events.
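
A way to check the output of the first task before troubleshooting the log source in QRadar, as an added example that is not part of the IBM or Honeycomb documentation: a parser that confirms a captured syslog line carries well-formed LEEF 1.0 or 2.0. The vendor, product, event ID, and `filePath` values in the sample lines are constructed placeholders, not actual Lexicon FIM output.

```python
import re

# LEEF header: LEEF:version|vendor|product|product version|event ID|
HEADER = re.compile(r"LEEF:(1\.0|2\.0)\|([^|]*)\|([^|]*)\|([^|]*)\|([^|]+)\|")
HEX_DELIM = re.compile(r"(?:0x|x)([0-9A-Fa-f]{1,4})")

def parse_leef(line):
    """Parse one syslog line carrying LEEF; raise ValueError if malformed."""
    m = HEADER.search(line)
    if not m:
        raise ValueError("no complete LEEF 1.0/2.0 header found")
    version, vendor, product, product_version, event_id = m.groups()
    rest = line[m.end():].rstrip("\r\n")
    delim = "\t"  # LEEF 1.0 attributes are always tab-separated
    if version == "2.0":
        # Optional sixth field: one literal character, or hex such as x5E / 0x5E
        spec, sep, tail = rest.partition("|")
        hexm = HEX_DELIM.fullmatch(spec)
        if sep and hexm:
            delim, rest = chr(int(hexm.group(1), 16)), tail
        elif sep and len(spec) == 1:
            delim, rest = spec, tail
    attrs = {}
    for pair in filter(None, rest.split(delim)):
        key, eq, value = pair.partition("=")
        if not (key and eq):
            raise ValueError(f"attribute is not key=value: {pair!r}")
        attrs[key] = value
    return {"version": version, "vendor": vendor, "product": product,
            "product_version": product_version, "event_id": event_id,
            "attrs": attrs}

# Constructed sample lines (placeholder vendor, product, event IDs and keys)
SAMPLE_V1 = ("<13>Jan 18 11:07:53 collector01 LEEF:1.0|ExampleVendor|ExampleFIM|"
             "3.1|FILE_MODIFIED|src=192.0.2.10\tusrName=svc_app\tfilePath=/etc/passwd")
SAMPLE_V2 = ("<13>Jan 18 11:07:54 collector01 LEEF:2.0|ExampleVendor|ExampleFIM|"
             "3.1|FILE_DELETED|x5E|src=192.0.2.10^filePath=/etc/hosts")
SAMPLE_BAD = "<13>Jan 18 11:07:55 collector01 FILE_MODIFIED src=192.0.2.10"

if __name__ == "__main__":
    for sample in (SAMPLE_V1, SAMPLE_V2, SAMPLE_BAD):
        try:
            print(parse_leef(sample))
        except ValueError as err:
            print("rejected:", err)
```

Run it over lines captured on the data collector or at the QRadar receiver; a rejected line points at the LEEF configuration of the mesh service rather than at the network path.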