Configuring Raz-Lee iSecurity to communicate with QRadar

To collect security, compliance, and audit events, configure your Raz-Lee iSecurity installation to forward Log Event Extended Format (LEEF) syslog events to IBM QRadar.

Procedure

  1. Log in to the IBM i command-line interface.
  2. From the command line, type STRAUD to access the Audit menu options.
  3. From the Audit menu, select 81. System Configuration.
  4. From the iSecurity/Base System Configuration menu, select 32. SIEM 1.
  5. Configure the 32. SIEM 1 parameter values.
    Table 1. 32. SIEM 1 parameter values
    Parameter                      Value
    -----------------------------  ------------------------------------------------------------------
    SIEM 1 name                    Type QRadar.
    Port                           Type the port that is used to send syslog messages. The default
                                   port is 514, which is the syslog standard.
    SYSLOG type                    Type 1 for UDP.
    Destination address            Type the IP address of QRadar.
    Severity range to auto send    Type a severity level in the range 0 - 7. For example, type 7 to
                                   send all syslog messages.
    Facility to use                Type a syslog facility level in the range 0 - 23.
    Message structure              Type *LEEF.
    Convert data to CCSID          Type 0, which is the default character conversion.
    Maximum length                 Type 1024.
  6. From the iSecurity/Base System Configuration menu, select 31. Main Control.
  7. Configure the 31. Main Control parameter values.
    Table 2. 31. Main Control parameter values
    Parameter                      Value
    -----------------------------  ------------------------------------------------------------------
    Run rules before sending       Type Y to process the events that you want to send; type N to
                                   send all events.
    SIEM 1: QRadar                 Type Y.
    Send JSON messages (for DAM)   Type N.
    As only operation              Type N.
  8. From the command line, to configure the Firewall options, type STRFW to access the menu options.
  9. From the Firewall menu, select 81. System Configuration.
  10. From the iSecurity (part 1) Global Parameters: menu, select 72. SIEM 1.
  11. Configure the 72. SIEM 1 parameter values.
    Table 3. 72. SIEM 1 parameter values
    Parameter                      Value
    -----------------------------  ------------------------------------------------------------------
    SIEM 1 name                    Type QRadar.
    Port                           Type the port that is used to send syslog messages. The default
                                   port is 514, which is the syslog standard.
    SYSLOG type                    Type 1 for UDP.
    Send in FYI mode               Type N.
    Destination address            Type the IP address of the QRadar console.
    Severity range to auto send    Type a severity level in the range 0 - 7.
    Facility to use                Type a syslog facility level.
    Message structure              Type *LEEF.
    Convert data to CCSID          Type 0.
    Maximum length                 Type 1024.
  12. From the iSecurity (part 1) Global Parameters: menu, select 71. Main Control.
  13. Configure the 71. Main Control parameter values.
    Table 4. 71. Main Control parameter values
    Parameter                      Value
    -----------------------------  ------------------------------------------------------------------
    SIEM 1: QRadar                 Type 2.
    Send JSON messages (for DAM)   Type 0.
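The following Python script is an added example, not Raz-Lee or IBM code. It parses a syslog message carrying a LEEF payload of the shape this procedure configures, so that you can confirm on a test host that the facility, severity, *LEEF message structure and 1024-byte maximum length settings produce what QRadar expects before the log source is auto-discovered. The sample messages, the event ID AUDIT, the attribute names, and the product version placeholder are constructed; the header layout follows the published LEEF 1.0 and 2.0 formats, and receive_one is a hypothetical helper that reads one UDP datagram (SYSLOG type 1).

```python
"""Added example: parse and sanity-check syslog/LEEF events of the kind
Raz-Lee iSecurity is configured to forward in this procedure.
Sample messages and attribute names below are constructed."""
import re
import socket
from dataclasses import dataclass, field

MAX_MESSAGE_LENGTH = 1024      # the "Maximum length" value from the procedure
DEFAULT_LEEF_DELIMITER = "\t"  # LEEF 1.0 separates attributes with a tab


@dataclass
class SyslogLeefEvent:
    facility: int
    severity: int
    leef_version: str
    vendor: str
    product: str
    product_version: str
    event_id: str
    attributes: dict = field(default_factory=dict)


def syslog_priority(facility: int, severity: int) -> int:
    """Syslog PRI = facility * 8 + severity; facility 0-23, severity 0-7."""
    if not 0 <= facility <= 23:
        raise ValueError("facility must be in 0-23")
    if not 0 <= severity <= 7:
        raise ValueError("severity must be in 0-7")
    return facility * 8 + severity


def decode_priority(pri: int) -> tuple:
    """Inverse of syslog_priority: returns (facility, severity)."""
    if not 0 <= pri <= 191:
        raise ValueError("PRI must be in 0-191")
    return divmod(pri, 8)


def within_auto_send_range(severity: int, configured_max: int) -> bool:
    """'Severity range to auto send' N covers severities 0..N; 7 sends everything."""
    return 0 <= severity <= configured_max


_PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def parse_syslog_leef(raw: str) -> SyslogLeefEvent:
    """Parse '<PRI>... LEEF:ver|vendor|product|version|eventID|attrs'."""
    if len(raw.encode("utf-8")) > MAX_MESSAGE_LENGTH:
        raise ValueError("message longer than the configured maximum length")
    m = _PRI_RE.match(raw)
    if not m:
        raise ValueError("missing syslog PRI header")
    facility, severity = decode_priority(int(m.group(1)))
    body = m.group(2)
    start = body.find("LEEF:")
    if start < 0:
        raise ValueError("no LEEF header; check that Message structure is *LEEF")
    header = body[start:].split("|", 5)
    if len(header) < 6:
        raise ValueError("truncated LEEF header")
    leef_version = header[0][len("LEEF:"):]
    vendor, product, product_version, event_id, rest = header[1:6]
    delimiter = DEFAULT_LEEF_DELIMITER
    if leef_version.startswith("2."):
        # LEEF 2.0 carries an optional attribute delimiter before the attributes
        delim, _, rest = rest.partition("|")
        if delim:
            delimiter = delim
    attributes = {}
    for pair in rest.split(delimiter):
        if "=" in pair:
            key, _, value = pair.partition("=")
            attributes[key] = value
    return SyslogLeefEvent(facility, severity, leef_version, vendor, product,
                           product_version, event_id, attributes)


def receive_one(port: int = 514, bufsize: int = MAX_MESSAGE_LENGTH) -> SyslogLeefEvent:
    """Hypothetical helper: receive one UDP syslog datagram and parse it.
    Binding port 514 normally needs elevated privileges; use a high port for tests."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(("0.0.0.0", port))
        data, _addr = sock.recvfrom(bufsize)
    return parse_syslog_leef(data.decode("utf-8", errors="replace"))


# Constructed samples: PRI 38 = facility 4 (auth) * 8 + severity 6 (info).
SAMPLE_LEEF1 = ("<38>Jan 01 12:00:00 IBMI LEEF:1.0|Raz-Lee|iSecurity|PLACEHOLDER|AUDIT|"
                "src=10.0.0.5\tusrName=QSECOFR\tcat=Audit")
SAMPLE_LEEF2 = ("<38>Jan 01 12:00:00 IBMI LEEF:2.0|Raz-Lee|iSecurity|PLACEHOLDER|AUDIT|^|"
                "src=10.0.0.5^usrName=QSECOFR")

if __name__ == "__main__":
    for sample in (SAMPLE_LEEF1, SAMPLE_LEEF2):
        ev = parse_syslog_leef(sample)
        print(ev, "forwarded at range 7:", within_auto_send_range(ev.severity, 7))
```

To check a live configuration, run receive_one on an unprivileged port on a test host and point the Destination address and Port values at it temporarily; a parse error indicates that the message structure or maximum length setting differs from what the tables above specify.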

Results

Syslog LEEF events that are forwarded by Raz-Lee iSecurity are automatically discovered by the QRadar DSM for IBM i. In most cases, the log source is automatically created in QRadar after a few events are detected.

If the event rate is low, you can manually configure a log source for Raz-Lee iSecurity in QRadar. Until the log source is automatically discovered and identified, the event type displays as Unknown on the Log Activity tab.