Configuring your FireEye system for communication with QRadar®

To enable FireEye to communicate with IBM QRadar, configure your FireEye appliance to forward syslog events.

Procedure

  1. Log in to the FireEye appliance by using the CLI.
  2. To activate configuration mode, type the following commands:

    enable

    configure terminal

  3. To enable rsyslog notifications, type the following command:

    fenotify rsyslog enable

  4. To add QRadar as an rsyslog notification consumer, type the following command:

    fenotify rsyslog trap-sink QRadar

  5. To specify the IP address of the QRadar system that receives the rsyslog trap-sink notifications, type the following command:

    fenotify rsyslog trap-sink QRadar address <QRadar_IP_address>

  6. To define the rsyslog event format, type the following command:

    fenotify rsyslog trap-sink QRadar prefer message format leef

  7. To save the configuration changes to the FireEye appliance, type the following command:

    write memory
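After step 7 the appliance forwards events in the LEEF format selected in step 6 to the QRadar address given in step 5. The following Python script is an added example, not part of the IBM or FireEye documentation: it parses a captured syslog line so you can confirm that the LEEF header and attributes arrive as expected before checking the QRadar log source. The sample line, the vendor/product/version values and the attribute names are constructed placeholders, not FireEye's documented event fields.

```python
import re
from typing import Optional

# Syslog line with a LEEF 1.0 payload, constructed for this example; the
# vendor/product/version values and attribute names are placeholders, not
# FireEye's documented event fields.
SAMPLE_LINE = (
    "<14>Mar 10 12:00:00 fireeye-appliance "
    "LEEF:1.0|FireEye|Appliance|1.0|malware-object|"
    "src=203.0.113.10\tdst=198.51.100.20\tsev=7"
)

LEEF_HEADER = re.compile(r"LEEF:(?P<version>[12]\.0)\|")


def parse_leef(line: str) -> Optional[dict]:
    """Parse a syslog line carrying a LEEF payload.
    Returns the header fields plus an ``attrs`` dict, or None when the line
    is not LEEF (for example, if step 6 was skipped and the appliance still
    sends its default message format)."""
    m = LEEF_HEADER.search(line)
    if not m:
        return None
    parts = line[m.end():].split("|")
    if m.group("version") == "2.0":
        # LEEF 2.0 header: vendor|product|version|eventID|delimiter|attrs
        if len(parts) < 6:
            return None
        vendor, product, version, event_id, delim = parts[:5]
        attr_text = "|".join(parts[5:])
        # Delimiter is a literal character or hex such as x09; empty means tab.
        if delim.startswith("x") and len(delim) > 1:
            delim = chr(int(delim[1:], 16))
        delim = delim or "\t"
    else:
        # LEEF 1.0 header: vendor|product|version|eventID|attrs (tab-delimited)
        if len(parts) < 5:
            return None
        vendor, product, version, event_id = parts[:4]
        attr_text = "|".join(parts[4:])
        delim = "\t"
    attrs = {}
    for field in attr_text.split(delim):
        key, sep, value = field.partition("=")
        if sep:
            attrs[key.strip()] = value
    return {"vendor": vendor, "product": product, "version": version,
            "event_id": event_id, "attrs": attrs}
```

Feed it lines captured with tcpdump or from the QRadar syslog listener; a None result means the appliance is not yet sending LEEF.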