Sentrigo Hedgehog

You can integrate a Sentrigo Hedgehog device with IBM QRadar.

1. Log in to the Sentrigo Hedgehog command-line interface (CLI).
2. Open the following file for editing:

   <Installation directory>/conf/sentrigo-custom.properties

   Where <Installation directory> is the directory that contains your Sentrigo Hedgehog installation.

3. Add the following log.format entries to the custom properties file:
   Note: Depending on your Sentrigo Hedgehog configuration or installation, you might need to replace or overwrite the existing log.format entry.

   sentrigo.comm.ListenAddress=1996 
   log.format.body.custom=usrName=$osUser:20$|duser=$execUser:20$| 
   severity=$severity$|identHostName=$sourceHost$|src=$sourceIP$| 
   dst=$agent.ip$|devTime=$logonTime$|
   devTimeFormat=EEE MMM dd HH:mm:ss z yyyy|
   cmdType=$cmdType$|externalId=$id$| 
   execTime=$executionTime.time$|
   dstServiceName=$database.name:20$|
   srcHost=$sourceHost:30$|execProgram=$execProgram:20$| 
   cmdType=$cmdType:15$|oper=$operation:225$| 
   accessedObj=$accessedObjects.name:200$

   log.format.header.custom=LEEF:1.0|
   Sentrigo|Hedgehog|$serverVersion$|$rules.name:150$| 
   log.format.header.escaping.custom=\\| 
   log.format.header.seperator.custom=, 
   log.format.header.escape.char.custom=\\ 
   log.format.body.escaping.custom=\= 
   log.format.body.escape.char.custom=\\ 
   log.format.body.seperator.custom=| 
   log.format.empty.value.custom=NULL 
   log.format.length.value.custom=10000 
   log.format.convert.newline.custom=true

4. Save the custom properties file.
5. Stop and restart your Sentrigo Hedgehog service to implement the log.format changes.

   You can now configure the log source in QRadar.

6. To configure QRadar to receive events from a Sentrigo Hedgehog device: From the Log Source Type list, select the Sentrigo Hedgehog option.

   For more information about Sentrigo Hedgehog see your vendor documentation.