Configuring Cisco WiSM to forward events

You can configure Cisco WiSM to forward syslog events to IBM QRadar.

Procedure

  1. Log in to the Cisco Wireless LAN Controller user interface.
  2. Click Management > Logs > Config.

    The Syslog Configuration window is displayed.

  3. In the Syslog Server IP Address field, type the IP address of the QRadar host that receives the syslog messages.
  4. Click Add.
  5. From the Syslog Level list, select the severity level that is used to filter the syslog messages sent to the syslog servers:
    • Emergencies - Severity level 0
    • Alerts - Severity level 1 (default value)
    • Critical - Severity level 2
    • Errors - Severity level 3
    • Warnings - Severity level 4
    • Notifications - Severity level 5
    • Informational - Severity level 6
    • Debugging - Severity level 7

    If you set a syslog level, only those messages whose severity level is equal to or less than the selected syslog level are sent to the syslog server. For example, if you set the syslog level to Warnings (severity level 4), only those messages whose severity is 0 - 4 are sent to the syslog servers.

  6. From the Syslog Facility list, set the facility for outgoing syslog messages to the syslog server by using one of the following facility levels:
    • Kernel - Facility level 0
    • User Process - Facility level 1
    • Mail - Facility level 2
    • System Daemons - Facility level 3
    • Authorization - Facility level 4
    • Syslog - Facility level 5 (default value)
    • Line Printer - Facility level 6
    • USENET - Facility level 7
    • Unix-to-Unix Copy - Facility level 8
    • Cron - Facility level 9
    • FTP Daemon - Facility level 11
    • System Use 1 - Facility level 12
    • System Use 2 - Facility level 13
    • System Use 3 - Facility level 14
    • System Use 4 - Facility level 15
    • Local Use 0 - Facility level 16
    • Local Use 1 - Facility level 17
    • Local Use 2 - Facility level 18
    • Local Use 3 - Facility level 19
    • Local Use 4 - Facility level 20
    • Local Use 5 - Facility level 21
    • Local Use 6 - Facility level 22
    • Local Use 7 - Facility level 23
  7. Click Apply.
  8. From the Buffered Log Level and the Console Log Level lists, select the severity level for log messages sent to the controller buffer and console by using one of the following severity levels:
    • Emergencies - Severity level 0
    • Alerts - Severity level 1
    • Critical - Severity level 2
    • Errors - Severity level 3 (default value)
    • Warnings - Severity level 4
    • Notifications - Severity level 5
    • Informational - Severity level 6
    • Debugging - Severity level 7

    If you set a logging level, only those messages whose severity is equal to or less than that level are logged by the controller. For example, if you set the logging level to Warnings (severity level 4), only those messages whose severity is 0 - 4 are logged.

  9. Select the File Info check box if you want the message logs to include information about the source file. The default value is enabled.
  10. Select the Proc Info check box if you want the message logs to include process information. The default value is disabled.
  11. Select the Trace Info check box if you want the message logs to include traceback information. The default value is disabled.
  12. Click Apply to commit your changes.
  13. Click Save Configuration to save your changes.

    The configuration is complete. The log source is added to QRadar as Cisco WiSM events are automatically discovered. Events that are forwarded by Cisco WiSM are displayed on the Log Activity tab of QRadar.
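
To confirm on the receiving side that the Syslog Level (step 5) and Syslog Facility (step 6) settings took effect, the following added example, which is not part of the original procedure and is not Cisco or IBM code, decodes the PRI field of raw syslog lines and flags any that contradict the configured values. It assumes each line starts with the standard syslog `<PRI>` field (PRI = facility × 8 + severity); the sample lines, host name and function names are constructed for illustration.

```python
import re

# Names as listed in the procedure above; facility 10 is not listed there.
SEVERITIES = ["Emergencies", "Alerts", "Critical", "Errors",
              "Warnings", "Notifications", "Informational", "Debugging"]
FACILITIES = {0: "Kernel", 1: "User Process", 2: "Mail", 3: "System Daemons",
              4: "Authorization", 5: "Syslog", 6: "Line Printer", 7: "USENET",
              8: "Unix-to-Unix Copy", 9: "Cron", 11: "FTP Daemon"}
FACILITIES.update({12 + i: f"System Use {i + 1}" for i in range(4)})
FACILITIES.update({16 + i: f"Local Use {i}" for i in range(8)})

PRI_RE = re.compile(r"^<(\d{1,3})>")

def decode_pri(line):
    """Return (facility, severity) from a leading <PRI>, or None if invalid."""
    m = PRI_RE.match(line)
    if not m or int(m.group(1)) > 191:   # 23 * 8 + 7 is the largest valid PRI
        return None
    return divmod(int(m.group(1)), 8)    # PRI = facility * 8 + severity

def audit(lines, syslog_level, facility):
    """List (line_number, reason) for lines that contradict the settings."""
    findings = []
    for n, line in enumerate(lines, 1):
        decoded = decode_pri(line)
        if decoded is None:
            findings.append((n, "missing or invalid PRI"))
            continue
        fac, sev = decoded
        if fac != facility:
            name = FACILITIES.get(fac, "not listed")
            findings.append((n, f"facility {fac} ({name}), expected {facility}"))
        if sev > syslog_level:  # only severities <= the level should be sent
            findings.append(
                (n, f"severity {sev} ({SEVERITIES[sev]}) exceeds level {syslog_level}"))
    return findings

# Constructed sample lines (hypothetical host name and message text).
SAMPLE = [
    "<43>wlc-sample: constructed error message",          # facility 5, severity 3
    "<44>wlc-sample: constructed warning message",        # facility 5, severity 4
    "<46>wlc-sample: constructed informational message",  # facility 5, severity 6
    "<132>wlc-sample: constructed warning message",       # facility 16, severity 4
    "wlc-sample: constructed line without a PRI field",
]

if __name__ == "__main__":
    # Settings under test: Syslog Level = Warnings (4), Syslog Facility = Syslog (5).
    for n, reason in audit(SAMPLE, syslog_level=4, facility=5):
        print(f"line {n}: {reason}")
```

A finding for severity above the configured level usually means the change was applied but not saved, or that another device is sending to the same listener.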