
Configuring QRadar monitoring

Configure QRadar monitoring to track security events. A security event is recorded whenever an entry is added, modified, or deleted in the target IBM Security Directory Server.

Before you begin

Before you configure QRadar monitoring, you must ensure that the latest QRadar Direct Support Module (DSM) for Federated Directory Server is installed.

If you enabled Auto Update in your QRadar setup and the system can access the internet, QRadar automatically retrieves and installs new rpm files as they become available, so no action is required to obtain the Federated Directory Server DSM. See Configuring automatic update settings.

If the QRadar Auto Update feature is not enabled in your QRadar setup, you must obtain the Federated Directory Server rpm files from IBM Fix Central and install them manually. Complete the following steps:

  1. Download the following rpm files from IBM Fix Central:

    • DSM-IBMFederatedDirectoryServer-version.noarch.rpm
    • DSM-IBMFederatedDirectoryServer-version.noarch.rpm

    For example:

    • DSM-IBMFederatedDirectoryServer-7.2-972015.noarch.rpm
    • DSM-IBMFederatedDirectoryServer-7.1-972017.noarch.rpm
  2. Install the rpm files on your QRadar console.

    1. Log in to the system shell as root.
    2. Change directory to the directory to where you copied the rpm files.
    3. Run the command rpm -Uvh rpm_filename, where rpm_filename is the name of the downloaded rpm file.
    4. After the rpm files are installed, open the QRadar web user interface.
    5. Click the Admin tab.
    6. Click Deploy Changes.

    The QRadar Direct Support Module (DSM) for Federated Directory Server is installed.

  3. Configure the log source before events are received:

    1. Log in to QRadar.
    2. Click the Admin tab.
    3. In the navigation menu, click Data Sources.
    4. Click the Log Sources icon.
    5. Click Add. The Add a log source screen is displayed.
    6. Enter the log source configuration parameters.
    7. From the Log Source Type list, select IBM Federated Directory Server.
    8. From Protocol Configuration list, select Syslog.
    9. Enter the IP address or host name of the system that hosts Federated Directory Server, which appears in the syslog header of the events that are sent. If no header is being sent, use the IP address.
    10. Click Save to finish adding the log source.
    11. On the Admin tab, click Deploy Changes to deploy the new log source.

    Note: Auto-discovered log sources do not need to be deployed.

Procedure

  1. In the Federated Directory Server console navigation pane, under Common Settings, click Monitoring.

  2. On the Monitoring page, click the QRadar tab.

  3. On the QRadar page, select Enabled to indicate that you want to monitor security events.

  4. In the Hostname field, enter the host name or IP address of the QRadar server that must receive security events.

  5. In the Port field, enter the port number on which the QRadar server must receive Syslog events.

  6. From the Severity list, select the severity value for the Syslog event.

  7. From the Facility field, select the facility value for the Syslog event.

  8. In the Map file field, specify the path and file name of the map file that sets up the various QRadar LEEF attributes for the event.

  9. Click Select... to browse for the map file. The default value points to the LDAPSync/QRadar.map file.

  10. Optional: In the Date format mask field, specify a standard Java SimpleDateFormat mask for date values that are written in mapped LEEF attributes.

    This value controls both the value of the devTimeFormat attribute and the formatting of date values in the event. The default value is the ISO 8601 standard mask, MMM dd yy HH:mm:ss, which creates a string like Oct 16 12 15:15:57.
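The following is an added example, not code from the IBM documentation or from Federated Directory Server itself. It shows what the settings above produce on the wire: the syslog PRI derived from the Facility and Severity selections, the devTime value formatted under the Java mask from the Date format mask field, and a parser an administrator can run over a captured line to confirm the QRadar log source will see a well-formed LEEF event whose devTime actually parses under its devTimeFormat. The LEEF header fields (vendor, product, VERSION), the attribute names, the facility/severity numbers and the sample entry are constructed placeholders.

```python
import datetime
import re

# Java SimpleDateFormat tokens used by the page's default mask, mapped to strftime.
_JAVA_TOKENS = {"MMM": "%b", "yyyy": "%Y", "MM": "%m", "dd": "%d",
                "yy": "%y", "HH": "%H", "mm": "%M", "ss": "%S"}

def java_mask_to_strftime(mask: str) -> str:
    """Translate a SimpleDateFormat mask such as 'MMM dd yy HH:mm:ss' to strftime."""
    return re.sub(r"MMM|yyyy|MM|dd|yy|HH|mm|ss",
                  lambda m: _JAVA_TOKENS[m.group()], mask)

def syslog_pri(facility: int, severity: int) -> int:
    """Syslog PRI value: facility * 8 + severity (RFC 3164 / RFC 5424)."""
    return facility * 8 + severity

def build_leef_event(event_id, fields, facility, severity, mask, when, host):
    """Wrap a directory change as a LEEF 1.0 record in a syslog line (header values constructed)."""
    fmt = java_mask_to_strftime(mask)
    attrs = {"devTime": when.strftime(fmt), "devTimeFormat": mask, **fields}
    body = "\t".join(f"{k}={v}" for k, v in attrs.items())
    header = f"LEEF:1.0|IBM|Federated Directory Server|VERSION|{event_id}|"
    stamp = when.strftime("%b %d %H:%M:%S")  # RFC 3164 style syslog timestamp
    return f"<{syslog_pri(facility, severity)}>{stamp} {host} {header}{body}"

_LINE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) "
                   r"(?P<host>\S+) LEEF:1\.0\|(?P<hdr>(?:[^|]*\|){4})(?P<body>.*)$")

def parse_leef_line(line: str) -> dict:
    """Check a received line the way the log source must see it: valid PRI,
    LEEF 1.0 header, and a devTime that parses under its own devTimeFormat."""
    m = _LINE.match(line)
    if not m:
        raise ValueError("not a LEEF 1.0 syslog line")
    pri = int(m["pri"])
    attrs = dict(kv.split("=", 1) for kv in m["body"].split("\t"))
    fmt = java_mask_to_strftime(attrs["devTimeFormat"])
    dev_time = datetime.datetime.strptime(attrs["devTime"], fmt)  # ValueError on mismatch
    return {"facility": pri // 8, "severity": pri % 8, "host": m["host"],
            "event_id": m["hdr"].split("|")[3], "dev_time": dev_time, "attrs": attrs}

# Constructed sample: an entry modification sent with facility local4 (20), severity info (6).
SAMPLE_TIME = datetime.datetime(2012, 10, 16, 15, 15, 57)
DEFAULT_MASK = "MMM dd yy HH:mm:ss"

def sample_event() -> str:
    return build_leef_event("EntryModified", {"cat": "modify", "usrName": "cn=alice,o=example"},
                            20, 6, DEFAULT_MASK, SAMPLE_TIME, "fds01")
```

Running parse_leef_line over a line captured with tcpdump on the QRadar port configured in step 5 is a quick way to confirm the host name in the syslog header matches the value entered for the log source.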