IBM Support

QRadar: How to configure non-default events for the IBM Guardium DSM

Question & Answer


Can Guardium send events that are not included in the Guardium DSM to IBM QRadar?


Guardium requires a defined policy to alert on data that needs to be forwarded to QRadar. The rule action would be 'Alert Only'. With Alert, you can create a LEEF template so they can be sent to QRadar to be parsed. For example, a user may want to alert on any Microsoft Data Definition Language Statements that are run. The user would configure Guardium with an 'Alert Only' rule action with Syslog as the receiver. Guardium would then forward the data to QRadar.

Since these events will not be understood by the default Guardium DSM a Log Source extension will need to be created to assist with parsing the events.

Where do you find more information?

[{"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Component":"Events","Platform":[{"code":"PF016","label":"Linux"}],"Version":"7.2;7.3","Edition":"","Line of Business":{"code":"LOB24","label":"Security Software"}}]

Document Information

Modified date:
16 June 2018