Configuring HPE Network Automation Software to communicate with QRadar

Configure HPE Network Automation Software to send LEEF events to IBM QRadar.

Before you begin

You must have administrator access to the HPE Network Automation Software user interface.

Procedure

  1. Log in to the HPE Network Automation Software user interface.
  2. In the Admin menu, select Event Notification & Response Rules.
  3. Click New Event Notification & Response Rule.
  4. Configure the parameters for HPE Network Automation.

    The following table describes the parameter values to send LEEF events to QRadar:

    Parameter                         Value
    Add Email and Event Rule named    You can use any string. For example, QRadar_logs.
    To take this action               Select Send Syslog Message from the list.
    When the following events occur   1. Select all of the events.
                                      2. Enable the of any importance button.
                                      3. To take action for Policy Non-Compliance events, enable the for all policies button.
    Rule Status                       Enable the Active button.
    Syslog Hostname                   QRadar host name or IP address.
    Syslog Port                       514
    Syslog Message                    Use the following value:

    LEEF:1.0|HP|Network Automation|v10|$EventType$|devTime=$EventDate$	devTimeFormat=EEE MMM dd HH:mm:ss Z yyyy	src=$IPAddress$	eventId=$EventID$	usrName=$EventUserName$	eventText=$EventText$
    Tip: All event attributes are tab delimited. For example, devTime, devTimeFormat, and more. Copy the Syslog Message value into a text editor, and then verify that the attributes are tab delimited and remove any new line characters.

    The version number v10 in the LEEF header can be replaced with the exact version of your HPE Network Automation software. If you change any other components of the format string, events might not normalize or unknown events might occur.

  5. Click Save.
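
The check described in the tip for step 4 can be done mechanically before the rule is saved. The following Python sketch is an added example, not part of the HPE or IBM documentation; the helper name check_leef_template and both sample strings are assumptions constructed from the Syslog Message value above.

```python
import re

# Constructed sample: the page's Syslog Message value with one delimiter typed
# as a space (src/eventId) and a trailing new line left over from copy and paste.
SAMPLE_BAD = ("LEEF:1.0|HP|Network Automation|v10|$EventType$|"
              "devTime=$EventDate$\tdevTimeFormat=EEE MMM dd HH:mm:ss Z yyyy\t"
              "src=$IPAddress$ eventId=$EventID$\tusrName=$EventUserName$\t"
              "eventText=$EventText$\n")
SAMPLE_GOOD = SAMPLE_BAD.replace("$ eventId", "$\teventId").rstrip("\n")

FIXED_HEADER = ["LEEF:1.0", "HP", "Network Automation"]  # 4th field (version) may vary
EXPECTED_KEYS = ["devTime", "devTimeFormat", "src", "eventId", "usrName", "eventText"]


def check_leef_template(msg):
    """Return a list of problems in a Syslog Message template (hypothetical helper)."""
    problems = []
    if "\n" in msg or "\r" in msg:
        problems.append("contains new line characters")
    parts = msg.replace("\r", "").replace("\n", "").split("|", 5)
    if len(parts) != 6:
        return problems + ["expected 5 pipe-delimited header fields before the attributes"]
    if parts[:3] != FIXED_HEADER or parts[4] != "$EventType$":
        problems.append("a header field other than the version was changed")
    keys = []
    for attr in parts[5].split("\t"):
        key, sep, value = attr.partition("=")
        if not sep:
            problems.append(f"attribute {attr!r} is not in key=value form")
            continue
        keys.append(key)
        # A second key=$Variable$ pair inside a value means a delimiter is not a tab.
        for merged in re.findall(r"\s(\w+)=\$", value):
            problems.append(f"'{merged}' is not tab delimited from '{key}'")
            keys.append(merged)
    missing = [k for k in EXPECTED_KEYS if k not in keys]
    if missing:
        problems.append("missing attributes: " + ", ".join(missing))
    return problems


if __name__ == "__main__":
    for name, msg in (("bad", SAMPLE_BAD), ("good", SAMPLE_GOOD)):
        print(name, check_leef_template(msg) or "OK")
```

An empty list means the template keeps the header fields and tab-delimited attributes that the format string above relies on; only the version field is allowed to differ.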