Configuring an SSH CryptoAuditor appliance to communicate with QRadar

To collect SSH CryptoAuditor events, you must configure your third-party appliance to send events to IBM QRadar.

Procedure

  1. Log in to SSH CryptoAuditor.
  2. Go to the syslog settings in Settings > External Services > External Syslog Servers.
  3. To create server settings for QRadar, click Add Syslog Server.
  4. Type the QRadar server settings: the address (IP address or FQDN) and the port on which QRadar collects log messages.
  5. To set the syslog format to Universal LEEF, select the Leef format check box.
  6. To save the configuration, click Save.
  7. Configure SSH CryptoAuditor alerts in Settings > Alerts. The SSH CryptoAuditor alert configuration defines which events are sent to external systems (email or SIEM/syslog).
    1. Select an existing alert group, or create a new alert group by clicking Add alert group.
    2. Select the QRadar server that you defined earlier from the External Syslog Server drop-down list.
    3. If you created a new alert group, click Save. Save the group before binding alerts to the group.
    4. Define which alerts are sent to QRadar by binding alerts to the alert group. Click [+] next to the alert that you want to collect in QRadar, and select the alert group that has QRadar as its external syslog server. Repeat this step for each alert that you want to collect in QRadar.
    5. Click Save.
  8. Apply the pending configuration changes. The saved configuration changes do not take effect until you apply them from the pending state.
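
After the changes are applied, one way to confirm that the appliance is sending LEEF rather than plain syslog (step 5) is to capture a few forwarded lines and parse them. The following is an added example, not part of the original procedure or of either product; the sample lines, vendor and product strings, event ID and attribute values are constructed placeholders, and the function names are hypothetical.

```python
import re

# LEEF header: LEEF:<version>|<vendor>|<product>|<product version>|<event ID>|
HEADER = re.compile(
    r"LEEF:(1\.0|2\.0)\|([^|]*)\|([^|]*)\|([^|]*)\|([^|]*)\|(.*)$", re.S)
# LEEF 2.0 only: optional delimiter field (one character, or hex such as 0x09)
DELIM = re.compile(r"(0?[xX][0-9A-Fa-f]{1,4}|[^|])?\|")


def parse_leef(line):
    """Return the LEEF header fields and attributes, or None if not LEEF."""
    m = HEADER.search(line.rstrip("\r\n"))
    if m is None:
        return None
    version, vendor, product, product_version, event_id, body = m.groups()
    delim = "\t"  # LEEF 1.0 attributes are tab separated
    d = DELIM.match(body) if version == "2.0" else None
    if d:
        spec = d.group(1)
        if spec and len(spec) > 1:      # hex form, e.g. 0x09 or x5E
            delim = chr(int(spec.lower().split("x", 1)[1], 16))
        elif spec:                      # literal single character
            delim = spec
        body = body[d.end():]
    attrs = dict(p.split("=", 1) for p in body.split(delim) if "=" in p)
    return {"leef_version": version, "vendor": vendor, "product": product,
            "product_version": product_version, "event_id": event_id,
            "attrs": attrs}


def non_leef(lines):
    """Return the lines that do not carry a LEEF payload."""
    return [line for line in lines if parse_leef(line) is None]


# Constructed sample input; all field values are placeholders, not real
# SSH CryptoAuditor output.
SAMPLE = [
    "<13>Jan 10 12:00:00 auditor1 LEEF:1.0|ExampleVendor|ExampleProduct|1.0|"
    "example_alert|src=192.0.2.10\tdst=192.0.2.20\tusrName=alice",
    "<13>Jan 10 12:00:01 auditor1 LEEF:2.0|ExampleVendor|ExampleProduct|1.0|"
    "example_alert|^|src=192.0.2.10^dst=192.0.2.20",
    "<13>Jan 10 12:00:05 auditor1 example_alert src=192.0.2.10 dst=192.0.2.20",
]

if __name__ == "__main__":
    for line in non_leef(SAMPLE):
        print("not LEEF:", line)
```

Any line reported as not LEEF suggests that the Leef format check box was not selected for that syslog server, or that the pending changes were not applied.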