The Syslog-ng Agent enables you to configure multiple destinations for your Windows based events.
About this task
To configure IBM® QRadar® as a destination, you must specify the IP address for QRadar, and then configure a message template for the LEEF format.
Procedure
- From the Start menu, select .
  The Syslog-ng Agent window is displayed.
- Expand the Syslog-ng Agent Settings pane, and click Destinations.
- Double-click Add new server.
  The Server Property window is displayed.
- Click the Server tab, and then click Set Primary Server.
- Configure the following parameters:
- Click the Messages tab.
- From the Protocol list, select Legacy BSD Syslog Protocol.
- In the Template field, define a custom template message for the protocol by typing:
  <${PRI}>${BSDDATE} ${HOST} LEEF:${MSG}
  The information that is typed in this field is space delimited.
- In the Event Message Format pane, in the Message Template field, type or copy and paste the following text to define the format for the LEEF events:
  Note: It is suggested that you do not change the text.
  1.0|Microsoft|Windows|2k8r2|${EVENT_ID}|devTime=${R_YEAR}-${R_MONTH}-${R_DAY}T${R_HOUR}:${R_MIN}:${R_SEC}GMT${TZOFFSET}
  devTimeFormat=yyyy-MM-dd'T'HH:mm:ssz cat=${EVENT_TYPE} sev=${EVENT_LEVEL} resource=${HOST}
  usrName=${EVENT_USERNAME} application=${EVENT_SOURCE} message=${EVENT_MSG}
  Note: The LEEF format uses a tab character as the delimiter between event attributes. Tab delimiting begins only after the last pipe character, which follows ${EVENT_ID}; the header fields before it are separated by pipes. Each of the following attribute names must be preceded by a tab: devTime, devTimeFormat, cat, sev, resource, usrName, application, and message. Because some editors and web browsers replace tabs with spaces, you might need to use a text editor to copy and paste the LEEF message format into the Message Template field so that the tabs are preserved.
- Click OK.
The destination configuration is complete. You are now ready to restart the Syslog-ng Agent service.
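The following is an added example, not part of the original IBM documentation or the Syslog-ng Agent: a small Python parser for the syslog line that the two templates above produce, which can be pointed at a captured event to confirm that the attributes really are tab-separated before QRadar has to parse them. The sample events, host name, user name and time zone offset are constructed for illustration; the second sample reproduces the mistake the note warns about (tabs turned into spaces during copy and paste), so the check reports every attribute after devTime as missing.

```python
"""Parse and validate a LEEF 1.0 event wrapped in the Legacy BSD Syslog
template  <${PRI}>${BSDDATE} ${HOST} LEEF:${MSG}  described on this page."""
import re

# Constructed sample of the line the Syslog-ng Agent would emit once both
# templates are filled in. Host, user, event ID and offset are made up.
SAMPLE_OK = (
    "<13>Mar 10 12:00:00 WIN-HOST01 LEEF:1.0|Microsoft|Windows|2k8r2|4624|"
    "devTime=2024-03-10T12:00:00GMT+00:00\t"
    "devTimeFormat=yyyy-MM-dd'T'HH:mm:ssz\tcat=Audit Success\tsev=4\t"
    "resource=WIN-HOST01\tusrName=alice\t"
    "application=Microsoft-Windows-Security-Auditing\t"
    "message=An account was successfully logged on."
)

# Same event after an editor replaced the tabs with spaces: the failure mode
# the page's note describes. Everything collapses into one devTime attribute.
SAMPLE_BAD = SAMPLE_OK.replace("\t", " ")

# Attributes the page's Message Template emits; each must follow a tab.
REQUIRED_ATTRS = ("devTime", "devTimeFormat", "cat", "sev", "resource",
                  "usrName", "application", "message")

# <PRI>, BSD timestamp ("Mar 10 12:00:00" or "Mar  1 ..."), host, LEEF payload.
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) LEEF:(?P<leef>.*)$",
    re.S,
)

# devTime as produced by the template, matching the Java-style pattern
# yyyy-MM-dd'T'HH:mm:ssz where z renders as GMT+hh:mm.
DEVTIME_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}GMT[+-]\d{2}:\d{2}$")


def parse_leef(line):
    """Return (header, attrs) dicts for one syslog-wrapped LEEF 1.0 event."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not a syslog line carrying a LEEF: payload")
    # Header is pipe-delimited: version|vendor|product|productVersion|eventID|attrs.
    # maxsplit=5 keeps any '|' inside the free-text message intact.
    parts = m.group("leef").split("|", 5)
    if len(parts) != 6:
        raise ValueError("LEEF header needs version|vendor|product|version|eventID|attrs")
    header = dict(zip(("version", "vendor", "product", "product_version", "event_id"),
                      parts[:5]))
    header.update(pri=int(m.group("pri")), timestamp=m.group("ts"), host=m.group("host"))
    attrs = {}
    for field in parts[5].split("\t"):  # attributes are tab-delimited only
        key, sep, value = field.partition("=")
        if not sep:
            raise ValueError(f"attribute without '=': {field!r}")
        attrs[key] = value
    return header, attrs


def missing_attributes(line):
    """List required attributes QRadar would not see as separate fields."""
    _, attrs = parse_leef(line)
    return [name for name in REQUIRED_ATTRS if name not in attrs]


def devtime_matches_format(attrs):
    """True when devTime has the shape devTimeFormat promises."""
    return bool(DEVTIME_RE.match(attrs.get("devTime", "")))


if __name__ == "__main__":
    for label, sample in (("tabs", SAMPLE_OK), ("spaces", SAMPLE_BAD)):
        header, attrs = parse_leef(sample)
        print(f"{label}: event {header['event_id']} from {header['host']}, "
              f"missing={missing_attributes(sample)}, "
              f"devTime ok={devtime_matches_format(attrs)}")
```

Running the module on a line captured from the agent (for example with a packet capture or a syslog-ng file destination on the QRadar side) gives an empty missing list when the template was pasted with its tabs intact; a non-empty list means the attributes were flattened into a single value and QRadar will not map usrName, cat, sev and the rest to their fields.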