To stay updated on your favorite discussions, please create an account or log in. Then, click the Bookmark icon to subscribe and receive notifications.

IBM Qradar SIEM

_Vincent_
_Vincent_ Posts: 14 Security Scout
in Business Suite

Hi,

 

We are looking for the best way to integrate logs and alerts from our FSPM into IBM QRader SIEM.

 

Does someone have any experience with this. We really need advices.

I suppose we will need to use the following feature in our FSPM : Forward alerts to syslog

 

We already tried this in the past but the guy who is managing QRadar told us that received datas were not well parsed.

F-Secure is not present in the Qradar DSM Supported DSM vendor list

https://www.ibm.com/support/knowledgecenter/SS42VS_DSM/com.ibm.dsm.doc/r_supported_dsm_list.html

 

So is it a question for F-Secure or a question for IBM. Who is responsible? Who can provide the solution?

 

All your advice and documentation are welcome.

 

Best regards,

 

Vincent

Comments

  • JamesC
    JamesC Staff, Moderator Posts: 559 W/ Moderator

    Hi Vincent

     

    You can set Policy Manager to forward alerts to a third-party syslog server.

     

    Currently, both TCP and UDP transport protocols are supported.

     

    To configure alert forwarding:

      1. Select Tools > Server configuration from the menu.
      2. Click Syslog.
      3. Select Forward alerts to syslog and enter the server address.
        • By default, alerts are forwarded to syslog using UDP port number 514. If you want to use a different port, enter the port number after the server address, for example, example.com:8080.
      4. Select the message format.
        • Both Syslog (RFC 3614) and Common Event Format messages are supported.
      5. Click OK.

    Note - Customization is not possible on system logs configuration

  • A_Grinkevitch
    A_Grinkevitch Posts: 169 Threat Terminator

    Hi Vincent,

    Current PM versions support only Syslog (RFC 3614) and CEF (Common Event Format) to export data to SIEM systems, while IBM Qradar requires LEEF (Log Event Extended Format). We have plans to add LEEF support in next PM version. No ETA at the moment, but it should happen in H1 2020.

     

    Regards,

    Alex

  • _sonu
    _sonu Posts: 5 Security Scout

    Hello

    By default F secure is not included in IBM qradar, so your qradar admin should create parsing rule for f secure logs. Whatever values needs to be extracted.

    Also can help you to write parsing rules.

     

  • _sonu
    _sonu Posts: 5 Security Scout

    Hi

    But if I tries to forward using TCP, 

    FSP stops sending the logs and there are error in forwarding logs. Is it only with me and is there any solution.

  • A_Grinkevitch
    A_Grinkevitch Posts: 169 Threat Terminator

    Hi Sonu,

    What is the error reported to fspms-alert-forwarding.log? If it is “java.net.ConnectException: Connection refused: connect” you need to specify in server address port configured in Qradar as TCP data input port.

    If it does not help, try UPD instead.

This discussion has been closed.

Categories