IBM Support

QRadar Security Content Pack: Stonesoft Management Center

Question & Answer


Question

A new security content pack is available for Stonesoft Management Center. This tech note outlines the changes and provides installation instructions for administrators.

Answer


What is in the Stonesoft Management Center content pack?


QRadar SIEM collects system, IPS, Firewall, and VPN events from Stonesoft Management Center over syslog. This security content pack adds one new custom event property, 'Product', which identifies payloads that contain the Firewall, IPS, or Alert (system) identifier. The 'Product' custom event property for Stonesoft Management Center has been optimized so that administrators can use it in searches, reports, and rules.

New custom event properties added by the Stonesoft Management Center content pack

  Description    Regex for the custom event property
  Product        \|(Firewall|IPS|Alert)\|

The 'Product' identifier value typically appears in the header of the LEEF syslog message.

For example:
  LEEF:1.0|Stonesoft|Firewall|5.4.0|EventID(name or numeric)
  LEEF:1.0|Stonesoft|IPS|5.4.0|EventID(name or numeric)
  LEEF:1.0|Stonesoft|Alert|5.4.0|EventID(name or numeric)
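The following is an added example, not part of the IBM tech note or the content pack itself. It applies the content pack's regex to a few constructed LEEF records laid out like the headers above (the event IDs, attribute payloads and the non-LEEF syslog line are made up for illustration) and also splits the LEEF header into its fields, so an administrator can confirm what value the 'Product' property would return for a given payload before relying on it in a search or rule.

```python
import re

# QRadar custom event property regex from the content pack;
# capture group 1 is the value the property takes.
PRODUCT_REGEX = re.compile(r"\|(Firewall|IPS|Alert)\|")

# Constructed sample records modelled on the LEEF header layout shown
# above. Event IDs and attribute values are invented for this example.
SAMPLE_EVENTS = [
    "LEEF:1.0|Stonesoft|Firewall|5.4.0|Connection_Allowed|src=10.0.0.5\tdst=10.0.1.9\tproto=6",
    "LEEF:1.0|Stonesoft|IPS|5.4.0|1234|src=10.0.0.7\tdst=10.0.1.2\tsev=5",
    "LEEF:1.0|Stonesoft|Alert|5.4.0|System_Alert|msg=Log server connection lost",
    "<13>Jun 24 12:00:00 smc.example.net Some non-LEEF syslog line",
]


def parse_leef_header(line):
    """Split a LEEF 1.0 record into its five header fields plus the
    tab-separated key=value payload. Returns None for non-LEEF lines."""
    start = line.find("LEEF:")
    if start < 0:
        return None
    parts = line[start:].split("|", 5)
    if len(parts) < 5:
        return None
    version, vendor, product, product_version, event_id = parts[:5]
    attrs = parts[5] if len(parts) > 5 else ""
    return {
        "leef_version": version.split(":", 1)[1],
        "vendor": vendor,
        "product": product,
        "product_version": product_version,
        "event_id": event_id,
        "attributes": dict(kv.split("=", 1) for kv in attrs.split("\t") if "=" in kv),
    }


def extract_product(line):
    """Apply the regex the way a QRadar custom event property does:
    return capture group 1 of the first match, or None when nothing matches."""
    m = PRODUCT_REGEX.search(line)
    return m.group(1) if m else None


def summarise(lines):
    """Return (product, event_id) per line for a quick sanity check."""
    out = []
    for line in lines:
        header = parse_leef_header(line)
        out.append((extract_product(line), header["event_id"] if header else None))
    return out


if __name__ == "__main__":
    for line, (product, event_id) in zip(SAMPLE_EVENTS, summarise(SAMPLE_EVENTS)):
        print(f"{str(product):9} {str(event_id):20} {line[:60]}")
```

Lines that carry no LEEF header (the last sample) yield no 'Product' value, which is the behaviour to expect for a custom event property whose regex does not match: the property is simply empty for that event rather than taking a default.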


 

How do I install a security content pack?


To install a security content pack, an administrator must download the RPM from IBM Fix Central, then install the content pack on the Console appliance. The Console replicates the changes from the install of the content pack to all managed hosts in the deployment.

Procedure
  1. Download the Stonesoft Management Center security content pack from the IBM Fix Central website for your QRadar version:
  2. Using SSH, log in to your Console as the root user.
     
  3. Copy the security content pack to the /tmp directory on the QRadar Console. Note: If space in the /tmp directory is limited, copy the content pack to another location that has sufficient space.
     
  4. To install the security content pack, type one of the following commands:
    • For QRadar 7.1, type: rpm -Uvh ContentPackage-CustomProperties-StonesoftManagementCenter-7.1-1435158875.x86_64.rpm
    • For QRadar 7.2, type: rpm -Uvh ContentPackage-CustomProperties-StonesoftManagementCenter-7.2-1435158875.x86_64.rpm
       
  5. Log in to the QRadar Console as an administrator.
     
  6. Click the Admin tab.

    Before you continue: Restarting the web server restarts the user interface and loads the new custom event properties. This action logs out existing users, stops reports in progress, and halts event exports in progress. It is recommended that administrators restart the user interface during a maintenance window for the appliance.
     
  7. Click Advanced > Restart Web Server.
     
  8. Click OK to restart the QRadar user interface.


    Results
    After the user interface restarts, the installation is complete.


 


Document Information

Modified date:
02 April 2020

UID

swg21962293