Universal CEF
The IBM
QRadar DSM for Universal CEF accepts events from any device that produces events in the Common Event
Format (CEF).
The following table identifies the specifications for the Universal CEF DSM:
| Specification | Value |
|---|---|
| DSM name | Universal CEF |
| RPM file name | DSM-UniversalCEF-Qradar_version-build_number.noarch.rpm |
| Protocol | Syslog Log File |
| Event Format | Common Event Format (CEF). CEF:0 is supported. |
| Recorded event types | CEF-formatted events |
| Automatically discovered? | No |
| Includes identity? | No |
| Includes custom properties? | No |
To send events from a device that generates CEF-formatted events to QRadar, complete
the following steps:
- If automatic updates are not enabled, download and install the most recent
version of the following RPMs from the IBM® Support Website onto your QRadar
Console:
- DSMCommon RPM
- Universal CEF RPM
- Add a Universal CEF log source on the QRadar
Console. Use the following values that are specific to Universal
CEF:
Parameter Description Log Source Type Universal CEF Protocol Configuration Syslog or Log File - Configure your third-party device to send events to QRadar. For more information about how to configure your third-party device, see your vendor documentation.
- Configure event mapping for Universal CEF events.