IBM Support

Configuring IBM InfoSphere Guardium to send alerts and reports to Arcsight

Question & Answer


Question

How do you configure IBM InfoSphere Guardium to send alerts and reports to your Arcsight server?

Answer

Follow these steps to configure Guardium with Arcsight for Alerts, syslog, and Reports forwarding.

1) Verify Named Template for Arcsight exists.
Go to Administration Console/Global Profile/Named Template
click Edit
select Arcsight from the Named Template Finder window
click Modify
Make sure the following fields are set:
Template Name: Arcsight
Template type: RT_ALERT
Message Template: it should have a default template (leave it like this)
click Save if changes were made
click Back
click in the apply button in Global Profile to apply the changes. If the Apply button is greyed out, click inside any of the white boxes to enable it first, then click Apply.


2) configure syslog forwarding using command:

store remotelog add facility.priority host[:port] <tcp|udp>

where host[:port] <tcp|udp> corresponds to your Arcsight server information

facility.priority depends on which subset of syslog messages you want to forward to Arcsight. You can see the complete list of possible values for facility.priority in the Appendices Help book manual.
Examples of facility are: all, auth, authpriv, cron, daemon, ftp, kern, local0, local1, local2, local3, local4, local5, local6, local7, lpr, mail, mark, news, security, Syslog, user, uucp.
Examples of priority are: alert, all, crit, debug, emerg, err, info, notice, warning.

Example: Most of the messages coming from Guardium are from facility=daemon so for example if you want to forward all Guardium messages you'll use:

store remotelog add daemon.all <your Arcsight hostname>

or if you want to forward only the critical Guardium errors:

store remotelog add daemon.err <your Arcsight hostname>

If you want to forward to Arcsight ANY messages from the appliance syslog file, including Guaridum and system (ie. non Guardium-specific) messages) you could do this:

store remotelog add all.all <your Arcsight hostname>


3) Configure your alerts to go to Arcsight. In your Alert Definition, select:
Message Template: Arcsight
Notification Type: SYSLOG


For example, here is a screen shot of an alert for one of the rules in my policy configured to forward the alert to syslog which consequently will forward it to Arcsight (as configured by you per previous step)

[{"Product":{"code":"SSMPHH","label":"IBM Security Guardium"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Component":"--","Platform":[{"code":"PF016","label":"Linux"}],"Version":"9.1;9.0;8.2","Edition":"","Line of Business":{"code":"LOB24","label":"Security Software"}}]

Document Information

Modified date:
16 June 2018

UID

swg21605698