IBM Support

Configuring the IBM Security Network Protection (XGS) remote syslog to send events to QRadar SIEM

Question & Answer


Question

How do you configure XGS remote syslog for IPS objects from the SiteProtector Console and Local Management Interface (LMI)?

Answer

XGS remote syslog to send events to QRadar SIEM (4:57)
This video demonstrates how to configure the XGS remote syslog to send events to QRadar from the SiteProtector Console and the Local Management Interface.

You can configure remote syslog for the IPS objects in both the SiteProtector Console and the LMI, either from the Network Access Policy (NAP) or from the Shared Objects policy.


SiteProtector Network Access Policy configuration:
 
  1. Log in to the SiteProtector Console and change to the Agent view.
     
  2. Right-click on the XGS entry in the SiteProtector Console Agent view and select Manage to open the Policy tab.
     
  3. Right-click the Network Access Policy and select Open, then edit the Network Access Rule for which you want to enable remote syslog and go to the Response tab.
     
  4. If a remote Syslog object rule is not present, you can create a new one by selecting New > Remote Syslog.
     
  5. Configure the Remote Syslog rule and make sure the QRadar Format Enabled check box is selected.
     
  6. Move it from the Available Objects to the Added Objects by selecting it and clicking on the right arrow button.
     
  7. Save Configuration and Deploy the policy.
     
LMI Network Access Policy configuration:
 
  1. Log in to the LMI using the admin account.
     
  2. Go to the Secure Policy Configuration menu and select the Network Access Policy.
     
  3. Select the desired Network Access Rule and choose Edit on the top menu.
     
  4. Go to the Response tab and edit an existing Remote Syslog entry or create a new one from New > Remote Syslog.
     
  5. Configure the Remote Syslog rule and make sure the QRadar Format Enabled check box is selected.
     
  6. Move it from the Available Objects to the Added Objects by selecting it and clicking on the right arrow button.
     
  7. Save Configuration and Deploy the policy.


SiteProtector Shared Objects policy configuration:
 
  1. Log in to the SiteProtector Console and change to the Agent view.
     
  2. Right-click on the XGS entry in the SiteProtector Console Agent view and select Manage to open the Policy tab.
     
  3. Navigate to the Shared Objects policy (expand the existing Group > Default Repository > Shared Objects), then right-click the Intrusion Prevention policy you want to add remote syslog to and select Open.

    Note: Expand the left panel menu if the IPS Objects are not displayed.
     
  4. In the left panel, select the existing IPS object (or create a new one from New > Inspection > Intrusion Prevention), and choose Edit on the top menu.
     
  5. In the Edit IPS Object window, choose the Response tab and click Edit to change an existing object rule or add a new one from New > Remote Syslog.
     
  6. Configure the Remote Syslog rule and make sure the QRadar Format Enabled check box is selected.
     
  7. Move it from the Available Objects to the Added Objects by selecting it and clicking on the right arrow button.
     
  8. Save Configuration and Deploy the policy.
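After the policy is deployed, the check a practitioner wants is that QRadar-format events actually leave the XGS and arrive at the collector. The Python listener below is an added example for this page, not IBM code and not part of the original document: it binds a UDP syslog port, decodes the <PRI> prefix of each datagram into facility and severity, and reports whether the payload carries a LEEF header. LEEF is the event format QRadar parses natively, and it is assumed here that the QRadar Format Enabled option produces LEEF; the sample datagram in the block, including its vendor, product and event names, is constructed for illustration and is not a real XGS event.

```python
"""Added example (not IBM code): UDP syslog listener to verify that the XGS
remote syslog object delivers LEEF-formatted events. Assumes 'QRadar Format
Enabled' emits LEEF. The sample datagram below is constructed, not a real
XGS event."""
import re
import socket
from typing import Dict, List, Optional

SYSLOG_PRI = re.compile(r"^<(\d{1,3})>")
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Constructed sample: PRI 134 = facility 16 (local0) * 8 + severity 6 (info).
SAMPLE_LEEF_DATAGRAM = (
    b"<134>Jan 01 00:00:00 xgs-sensor "
    b"LEEF:1.0|IBM|XGS|5.3.3|Intrusion|src=10.0.0.5\tdst=10.0.0.9\tproto=TCP"
)


def parse_leef(message: str) -> Optional[Dict[str, object]]:
    """Return LEEF header fields and attributes, or None if the message is not LEEF.

    LEEF 1.0: LEEF:1.0|Vendor|Product|Version|EventID|attrs (tab-separated)
    LEEF 2.0: LEEF:2.0|Vendor|Product|Version|EventID|delim|attrs, where delim is
    one character, the hex form xHH (e.g. x09), or empty (meaning tab).
    """
    start = message.find("LEEF:")
    if start < 0:
        return None
    body = message[start:]
    if body.startswith("LEEF:2.0|"):
        parts = body.split("|", 6)
        if len(parts) < 7:
            return None
        delim = parts[5]
        if delim == "":
            delim = "\t"
        elif delim.startswith("x") and len(delim) > 1:
            delim = chr(int(delim[1:], 16))
        attrs_text = parts[6]
    else:
        parts = body.split("|", 5)
        if len(parts) < 6:
            return None
        delim = "\t"
        attrs_text = parts[5]
    attrs: Dict[str, str] = {}
    for pair in attrs_text.split(delim):
        if "=" in pair:
            key, value = pair.split("=", 1)
            attrs[key] = value
    return {"version": parts[0][len("LEEF:"):], "vendor": parts[1],
            "product": parts[2], "product_version": parts[3],
            "event_id": parts[4], "attrs": attrs}


def parse_syslog(datagram: bytes) -> Dict[str, object]:
    """Decode one syslog datagram: <PRI> into facility/severity, then LEEF check."""
    text = datagram.decode("utf-8", errors="replace").rstrip("\r\n")
    match = SYSLOG_PRI.match(text)
    pri = int(match.group(1)) if match else None
    message = text[match.end():] if match else text
    return {"pri": pri,
            "facility": pri // 8 if pri is not None else None,
            "severity": SEVERITY_NAMES[pri % 8] if pri is not None else None,
            "message": message,
            "leef": parse_leef(message)}


def summarize(records: List[Dict[str, object]]) -> Dict[str, int]:
    """Count how many received datagrams carried a LEEF payload."""
    leef = sum(1 for r in records if r["leef"] is not None)
    return {"total": len(records), "leef": leef, "non_leef": len(records) - leef}


def listen(bind_addr: str = "0.0.0.0", port: int = 514, count: int = 10,
           timeout: float = 60.0) -> List[Dict[str, object]]:
    """Receive up to `count` datagrams, or stop after `timeout` seconds of silence."""
    records: List[Dict[str, object]] = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_addr, port))
        sock.settimeout(timeout)
        while len(records) < count:
            try:
                data, (src, _) = sock.recvfrom(65535)
            except socket.timeout:
                break
            record = parse_syslog(data)
            record["source"] = src  # sender IP; should be the XGS management address
            records.append(record)
    return records


if __name__ == "__main__":
    import sys
    port = int(sys.argv[1]) if len(sys.argv) > 1 else 514
    received = listen(port=port)
    for r in received:
        tag = f"LEEF event_id={r['leef']['event_id']}" if r["leef"] else "non-LEEF"
        print(r["source"], r["severity"], tag, r["message"][:80])
    print(summarize(received))
```

Run it on a separate test host rather than on the QRadar Console, where port 514 is already owned by QRadar's own collector, and point a temporary Remote Syslog object at that host (binding 514 needs root; pass a high port as the first argument otherwise). If every datagram counts as non_leef, the QRadar Format Enabled option was not applied or the policy was not deployed. Plain UDP syslog is neither authenticated nor encrypted, so keep the XGS-to-collector path on the management network.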

Applies to: IBM Security Network Protection (Firmware), versions 5.3.2 and 5.3.3; IBM QRadar Network Security (Platform Independent), all versions.

Document Information

Modified date:
08 February 2021

UID

swg21662575