

_Vincent_ W/ Alumni Posts: 14 Security Scout



We are looking for the best way to integrate logs and alerts from our FSPM into IBM QRadar SIEM.


Does anyone have any experience with this? We really need advice.

I suppose we will need to use the following feature in our FSPM: Forward alerts to syslog.


We already tried this in the past, but the guy who manages QRadar told us that the received data was not parsed well.

F-Secure is not present in the QRadar DSM supported vendor list.


So is it a question for F-Secure or a question for IBM? Who is responsible? Who can provide the solution?


All your advice and documentation are welcome.


Best regards,




  • JamesC
    JamesC W/ Partner, W/ Staff, W/ Moderator Posts: 522 Moderator

    Hi Vincent


    You can set Policy Manager to forward alerts to a third-party syslog server.


    Currently, both TCP and UDP transport protocols are supported.


    To configure alert forwarding:

      1. Select Tools > Server configuration from the menu.
      2. Click Syslog.
      3. Select Forward alerts to syslog and enter the server address.
        • By default, alerts are forwarded to syslog using UDP port number 514. If you want to use a different port, enter the port number after the server address, for example,
      4. Select the message format.
        • Both Syslog (RFC 3614) and Common Event Format messages are supported.
      5. Click OK.

    Note - Customization is not possible on system logs configuration

  • A_Grinkevitch
    A_Grinkevitch W/ Partner, W/ Staff, W/ Product Leadership Posts: 169 W/ Product Leadership

    Hi Vincent,

    Current PM versions support only Syslog (RFC 3614) and CEF (Common Event Format) to export data to SIEM systems, while IBM QRadar requires LEEF (Log Event Extended Format). We have plans to add LEEF support in the next PM version. No ETA at the moment, but it should happen in H1 2020.




  • _sonu
    _sonu W/ Alumni Posts: 5 Security Scout


    By default, F-Secure is not included in IBM QRadar, so your QRadar admin should create a parsing rule for F-Secure logs, for whatever values need to be extracted.

    I can also help you write parsing rules.
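
Added example, not from the posters, F-Secure or IBM: a minimal Python parser for the Common Event Format messages mentioned in this thread, showing the header and extension fields a custom QRadar parsing rule would have to extract, including escaped pipes and values containing spaces. The sample line, its field values and all function names are constructed for illustration and do not reflect real Policy Manager output.

```python
import re

# CEF: "CEF:Version|Vendor|Product|DeviceVersion|SignatureID|Name|Severity|Extension"
HEADER_FIELDS = ("cef_version", "vendor", "product", "device_version",
                 "signature_id", "name", "severity")
# "key=" at the start or after whitespace; an escaped "\=" never matches.
EXT_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")

# Constructed sample line, not real Policy Manager output.
SAMPLE = (r"<134>Jan 12 10:15:02 pm01 CEF:0|F-Secure|Policy Manager|0.0|100|"
          r"Infection \| quarantined|7|"
          r"src=10.0.0.5 msg=file\=C:\\Temp\\a.exe was quarantined shost=ws-17")


def split_header(body):
    """Split the 7 header fields on unescaped pipes; return (fields, extension)."""
    fields, cur, i = [], [], 0
    while i < len(body) and len(fields) < len(HEADER_FIELDS):
        ch = body[i]
        if ch == "\\" and body[i + 1:i + 2] in ("\\", "|"):
            cur.append(body[i + 1])  # escaped backslash or pipe is literal
            i += 2
            continue
        if ch == "|":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    return fields, body[i:]


def parse_extension(ext):
    """Parse 'k=v k2=v with spaces' pairs; a value runs until the next 'key='."""
    found = list(EXT_KEY.finditer(ext))
    pairs = {}
    for n, m in enumerate(found):
        end = found[n + 1].start() if n + 1 < len(found) else len(ext)
        raw = ext[m.end():end]
        pairs[m.group(1)] = re.sub(
            r"\\(.)", lambda e: "\n" if e.group(1) == "n" else e.group(1), raw)
    return pairs


def parse_cef(line):
    """Drop the syslog prefix and return header fields plus an extension dict."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("not a CEF message")
    fields, ext = split_header(line[start + 4:])
    if len(fields) != len(HEADER_FIELDS):
        raise ValueError("truncated CEF header")
    return {**dict(zip(HEADER_FIELDS, fields)), "extension": parse_extension(ext)}
```

Running `parse_cef` over a captured line from the syslog receiver is a quick way to see which header and extension keys are present before writing the corresponding extraction rules in the SIEM.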


  • _sonu
    _sonu W/ Alumni Posts: 5 Security Scout


    But if I try to forward using TCP, FSP stops sending the logs and there are errors in forwarding logs. Is it only with me, and is there any solution?

  • A_Grinkevitch
    A_Grinkevitch W/ Partner, W/ Staff, W/ Product Leadership Posts: 169 W/ Product Leadership

    Hi Sonu,

    What is the error reported to fspms-alert-forwarding.log? If it is "Connection refused: connect", you need to specify in the server address the port configured in QRadar as the TCP data input port.

    If it does not help, try UDP instead.

This discussion has been closed.