Create remote system log alert objects to add a record to the remote log file when a
network access policy rule, an intrusion prevention rule, an IPS event filter rule, an advanced
threat policy, or an OpenSignature policy is triggered. You can also configure remote syslog alert
objects to enable the appliance to record system events in a remote log
file.
About this task
If the connection to the remote syslog server drops, the IBM QRadar Network Security appliance generates a System Alert. If you are using the TCP protocol, the appliance writes the events to an offline storage file. When the connection is restored, the events stored in this file are sent to the remote syslog server. If the connection is not restored before the storage file exceeds 10 MB, any additional events are dropped. The Network Security appliance generates another System Alert when the connection is reestablished.
Navigating in the Local Management Interface: Use one of the following paths to navigate
to the policy or to the page where you want to create a response object:
Navigating in the
SiteProtector™ System:
- Select the Policy view.
- In the My Sites pane, expand the Locally Configured Agents
menu item, and then select your Network Security
agent.
- In the Local Policies pane, select one of the following options:
- Network Access Policy
- Intrusion Prevention Policy
- IPS Event Filter Policy
- Advanced Threat Policy
- OpenSignature Policy
- SiteProtector Management
- Management Access Policy
- System Alerts
- Click .
Note: If you migrated your policy to
another repository in the SiteProtector System,
open the policy from that location.
Procedure
- From one of the following locations, begin to add or edit a remote syslog alert object:

| Location | Options |
| --- | --- |
| Network Objects or IPS Objects pane | Click to create a remote syslog alert object, or expand , select an existing remote syslog alert object, and then click Edit to edit it. |
| ATP Objects pane | Click to create a remote syslog alert object, or expand , select an existing remote syslog alert object, and then click Edit to edit it. |
| System Alerts page | Click to create a remote syslog alert object, or, in the Added Objects or Available Objects pane, select an existing remote syslog alert object, and then click Edit to edit it. |
Tip: You can also create or edit network objects when you configure a
network access policy rule.
- In the Add or Edit Remote Syslog Object window, configure the following options:

| Option | Description |
| --- | --- |
| Name | Specifies a meaningful name for the response. |
| Remote Syslog Collector | Specifies the fully qualified domain name or IP address of the host on which you want to save the log. Note: The host must be accessible to the appliance. |
| Remote Syslog Collector Port | Specifies the custom port that is used to connect to the syslog collector. The default is 514. |
| Remote Syslog Collector Protocol | Specifies the protocol that is used to connect to the syslog collector. Note: If you select the TCP protocol and the appliance loses the connection to the remote syslog server, some event data could be dropped. |
| QRadar Format Enabled | Enables the appliance to send events in QRadar LEEF format instead of RFC 5424 remote syslog format. |
| Comment | A comment that identifies the remote syslog alert object. |

- Click Save Configuration.
What to do next
After you configure a remote syslog alert object, perform one of the following actions so
that the appliance initiates the response when specified events occur:
- Add the object to one or more rules in a policy.
- Add the object to the Added Objects pane on the System Alerts page.
Note: After you create or edit alert objects that are used by a rule in a policy, you
must deploy the updated policy for the changes to take effect.