FireEye
The IBM QRadar DSM for FireEye accepts syslog events in Log Event Extended Format (LEEF) and Common Event Format (CEF).
This DSM applies to FireEye CMS, MPS, EX, AX, NX, FX, and HX appliances. QRadar records all relevant notification alerts that are sent by FireEye appliances.
The following table identifies the specifications for the FireEye
DSM.
Specification | Value |
---|---|
Manufacturer | FireEye |
DSM name | FireEye MPS |
Supported versions | CMS, MPS, EX, AX, NX, FX, and HX |
RPM file name | DSM-FireEyeMPS-QRadar_version-Build_number.noarch.rpm |
Protocol | Syslog and TLS Syslog |
Event Format | Common Event Format (CEF). CEF:0 is supported. |
QRadar recorded event types | All relevant events |
Auto discovered? | Yes |
Includes identity? | No |
More information | FireEye website (www.fireeye.com) |
To integrate FireEye with QRadar,
use the following procedures:
- If automatic updates are not enabled, download and install the DSM Common and FireEye MPS RPM from the IBM® Support Website onto your QRadar Console.
- Download and install the latest TLS Syslog Protocol RPM on QRadar.
- For each instance of FireEye in your deployment, configure the FireEye system to forward events to QRadar.
- For each instance of FireEye, create an FireEye log source on the QRadar Console. The following
tables explain how to configure a log source in Syslog and TLS Syslog for FireEye.
Table 2. Configuring the Syslog log source protocols for FireEye Parameter Description Log Source Type FireEye Protocol Configuration Syslog Log Source Identifier Type the IP address or host name for the log source as an identifier for events from your device. Look at Adding a log source for more common parameters that occur in Syslog and TLS Syslog protocol configuration options for more TLS Syslog protocol-specific parameters and their configurations.Table 3. Configuring the TLS Syslog log source protocols for FireEye Parameter Description Log Source Type FireEye Protocol Configuration TLS Syslog Log Source Identifier Type the IP address or host name for the log source as an identifier for events from your device. TLS Listen Port The default TLS listen port is 6514. Authentication Mode The mode by which your TLS connection is authenticated. If you select the TLS and Client Authentication option, you must configure the certificate parameters. Certificate Type The type of certificate to use for authentication. If you select the Provide Certificate option, you must configure the file paths for the server certificate and the private key. Provided Server Certificate Path The absolute path to the server certificate. Provided Private Key Path The absolute path to the private key. Note: The corresponding private key must be a DER-encoded PKCS8 key. The configuration fails with any other key format.Maximum Connections The Maximum Connections parameter controls how many simultaneous connections the TLS Syslog protocol can accept for each Event Collector.
The connection limit across all TLS syslog log source configurations is 1000 connections for each Event Collector. The default for each device connection is 50.
Note: Automatically discovered log sources that share a listener with another log source, such as if you use the same port on the same event collector, count only one time towards the limit.