Configure HPE Network Automation Software to send LEEF events to IBM
QRadar.
Before you begin
You must have administrator access to the HPE Network Automation Software user
interface.
Procedure
- Log in to the HPE Network Automation Software user interface.
- In the Admin menu, select Event Notification & Response Rules.
- Click New Event Notification & Response Rule.
- Configure the parameters for HPE Network Automation.

The following table describes the parameter values to send LEEF events to QRadar:

| Parameter | Value |
| --- | --- |
| Add Email and Event Rule named | You can use any string. For example, QRadar_logs. |
| To take this action | Select Send Syslog Message from the list. |
| When the following events occur | Select all of the events. Enable the "of any importance" button. To take action for "For Policy Non-Compliance events", enable the "for all policies" button. |
| Rule Status | Enable the Active button. |
| Syslog Hostname | QRadar host name or IP address. |
| Syslog Port | 514 |
| Syslog Message | See the value below the table. |

Syslog Message value:

LEEF:1.0|HP|Network Automation|v10|$EventType$|devTime=$EventDate$ devTimeFormat=EEE MMM dd HH:mm:ss Z yyyy src=$IPAddress$ eventId=$EventID$ usrName=$EventUserName$ eventText=$EventText$

Tip: All event attributes, such as devTime and devTimeFormat, are tab delimited. Copy the Syslog Message value into a text editor, verify that the attributes are tab delimited, and remove any new line characters. The version number v10 in the LEEF header can be replaced with the exact version of your HPE Network Automation software. If you change any other components of the format string, events might not normalize or unknown events might occur.

- Click Save.
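
The check described in the Tip can be scripted. The following is an added example, not part of the original IBM or HPE documentation: it re-delimits a pasted Syslog Message template with tabs and reports new line characters or a malformed LEEF header. The function names and the PASTED sample are assumptions constructed for this illustration.

```python
import re

# Attribute keys, in order, from the Syslog Message value on this page.
EXPECTED_KEYS = ["devTime", "devTimeFormat", "src", "eventId", "usrName", "eventText"]

# Constructed sample: the page's value as it might arrive after a copy and
# paste, with spaces between attributes and a stray line break.
PASTED = (
    "LEEF:1.0|HP|Network Automation|v10|$EventType$|devTime=$EventDate$ "
    "devTimeFormat=EEE MMM dd HH:mm:ss Z yyyy src=$IPAddress$\n"
    "eventId=$EventID$ usrName=$EventUserName$ eventText=$EventText$"
)

def normalize_leef_template(raw):
    """Return the template on one line with tab-delimited attributes."""
    # Join pasted lines with a space so a break between attributes survives.
    one_line = " ".join(raw.splitlines()).strip()
    parts = one_line.split("|", 5)
    if len(parts) != 6:
        raise ValueError("LEEF 1.0 header needs 5 pipe-delimited fields")
    header, attrs = parts[:5], parts[5]
    # Split only where whitespace is followed by key=, so the spaces inside
    # the devTimeFormat value (EEE MMM dd ...) are preserved.
    pairs = re.split(r"\s+(?=\w+=)", attrs.strip())
    return "|".join(header) + "|" + "\t".join(pairs)

def check_leef_template(msg):
    """Return a list of problems; an empty list means the template passes."""
    problems = []
    if "\n" in msg or "\r" in msg:
        problems.append("contains new line characters")
    parts = msg.replace("\r", "").replace("\n", "").split("|", 5)
    if len(parts) != 6 or parts[0] != "LEEF:1.0":
        return problems + ["header is not LEEF:1.0 with 5 fields"]
    # Each tab-separated chunk must start with the expected key, in order.
    keys = [p.split("=", 1)[0] for p in parts[5].split("\t")]
    if keys != EXPECTED_KEYS:
        problems.append("attributes are not tab delimited as expected: %r" % keys)
    return problems

if __name__ == "__main__":
    print(check_leef_template(PASTED))        # problems in the pasted text
    fixed = normalize_leef_template(PASTED)
    print(repr(fixed))                        # repr() makes the \t visible
    print(check_leef_template(fixed))         # no problems after the fix
```

Paste the printed value, with real tab characters in place of `\t`, into the Syslog Message field.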