IBM® Guardium®® is a database activity and audit tracking tool for system administrators to retrieve detailed auditing events across database platforms.
These instructions require that you install the 8.2p45 fix for InfoSphere® Guardium. For more information about this fix, see the Fix Central website at http://www.ibm.com/support/fixcentral/.
IBM QRadar® collects informational, error, alert, and warnings from IBM Guardium by using syslog. IBM QRadar receives IBM Guardium Policy Builder events in the Log Event Extended Format (LEEF).
QRadar can only automatically discover and map events of the default policies that ship with IBM Guardium. Any user configured events that are required are displayed as unknowns in QRadar and you must manually map the unknown events.
The following list outlines the process that is required to integrate IBM Guardium with QRadar.
- Create a syslog destination for policy violation events. For more information, see Creating a syslog destination for events.
- Configure your existing policies to generate syslog events. For more information, see Configuring policies to generate syslog events.
- Install the policy on IBM Guardium. For more information, see Installing an IBM Guardium Policy.
- Configure the log source in QRadar. For more information, see Syslog log source parameters for IBM Guardium.
- Identify and map unknown policy events in QRadar. For more information, see Creating an event map for IBM Guardium events.