IBM QRadar SIEM

Hi,

We are looking for the best way to integrate logs and alerts from our FSPM into IBM QRadar SIEM.

Does someone have any experience with this? We really need advice.

I suppose we will need to use the following feature in our FSPM: Forward alerts to syslog.

We already tried this in the past, but the guy who is managing QRadar told us that the received data was not well parsed.

F-Secure is not present in the QRadar supported DSM vendor list:

https://www.ibm.com/support/knowledgecenter/SS42VS_DSM/com.ibm.dsm.doc/r_supported_dsm_list.html

So is it a question for F-Secure or a question for IBM? Who is responsible? Who can provide the solution?

All your advice and documentation are welcome.

Best regards,

Vincent

Comments

  • jamesch Posts: 144 Moderator

    Hi Vincent,

    You can set Policy Manager to forward alerts to a third-party syslog server.

    Currently, both TCP and UDP transport protocols are supported.

    To configure alert forwarding:

      1. Select Tools > Server configuration from the menu.
      2. Click Syslog.
      3. Select Forward alerts to syslog and enter the server address.
        • By default, alerts are forwarded to syslog using UDP port number 514. If you want to use a different port, enter the port number after the server address, for example, example.com:8080.
      4. Select the message format.
        • Both Syslog (RFC 3614) and Common Event Format messages are supported.
      5. Click OK.

    Note - Customization is not possible on the system logs configuration.
  • A-Grinkevitch Posts: 162 F-Secure Employee

    Hi Vincent,

    Current PM versions support only Syslog (RFC 3614) and CEF (Common Event Format) to export data to SIEM systems, while IBM QRadar requires LEEF (Log Event Extended Format). We have plans to add LEEF support in the next PM version. No ETA at the moment, but it should happen in H1 2020.

    Regards,

    Alex
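
    The format mismatch described in this thread (Policy Manager emits syslog/CEF, QRadar's native log sources expect LEEF) is exactly what a small relay can bridge until native support lands. The following is an added example, not code from the thread or from F-Secure: it parses a syslog-wrapped CEF line (header plus extension, with CEF escaping) and re-emits the event as LEEF 1.0. The sample event is constructed for the example, and the CEF extension keys are passed through unchanged, so a QRadar admin may still need a custom property mapping for keys that LEEF does not predefine.

```python
import re

# Constructed sample: a syslog-wrapped CEF event in the general shape the "Forward
# alerts to syslog" feature produces; values are invented, not from a real PM.
SAMPLE_CEF = (
    "<13>Jun  4 10:15:02 fspms CEF:0|F-Secure|Policy Manager|14.20|MALWARE|"
    "Malicious code found|8|src=10.0.0.5 dhost=ws01 "
    "msg=Trojan.Generic in C:\\\\temp\\\\a.exe cs1Label=Action cs1=Quarantined"
)
_HEADER_FIELDS = 7  # "CEF:Version" plus six pipe-separated header fields
_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")  # start of each "key=" in the extension

def split_cef_header(line):
    """Return (header_fields, extension); splits on unescaped '|' only."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF payload in line")
    body = line[start:]
    fields, cur, i = [], [], 0
    while i < len(body) and len(fields) < _HEADER_FIELDS:
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):      # '\|' and '\\' are header escapes
            cur.append(body[i + 1]); i += 2
        elif ch == "|":
            fields.append("".join(cur)); cur = []; i += 1
        else:
            cur.append(ch); i += 1
    if len(fields) < _HEADER_FIELDS:
        raise ValueError("truncated CEF header")
    return fields, body[i:]

def parse_cef_extension(ext):
    """Turn 'k=v k2=v2 ...' into a dict; values may hold spaces, '\\=' and '\\\\'."""
    keys = list(_KEY_RE.finditer(ext))
    attrs = {}
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        attrs[m.group(1)] = re.sub(r"\\(.)", r"\1", ext[m.end():end]).strip()
    return attrs

def cef_to_leef(line):
    """Re-emit a CEF event as LEEF 1.0; extension keys pass through unchanged."""
    hdr, ext = split_cef_header(line)
    _, vendor, product, version, event_id, name, severity = hdr
    attrs = parse_cef_extension(ext)
    attrs["name"], attrs["sev"] = name, severity   # keep the CEF header's name/severity
    # '|' separates LEEF header fields and '\t' separates attributes, so strip both from values
    head = "|".join(f.replace("|", " ") for f in ("LEEF:1.0", vendor, product, version, event_id))
    body = "\t".join(f"{k}={v.replace(chr(9), ' ')}" for k, v in attrs.items())
    return f"{head}|{body}"
```
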
  • _sonu Posts: 5

    Hello

    By default F-Secure is not included in IBM QRadar, so your QRadar admin should create a parsing rule for F-Secure logs, for whatever values need to be extracted.

    I can also help you to write parsing rules.

  • _sonu Posts: 5

    Hi

    But if I try to forward using TCP, FSP stops sending the logs and there are errors in forwarding logs. Is it only with me, and is there any solution?

  • A-Grinkevitch Posts: 162 F-Secure Employee

    Hi Sonu,

    What is the error reported in fspms-alert-forwarding.log? If it is "java.net.ConnectException: Connection refused: connect", you need to specify, in the server address, the port configured in QRadar as the TCP data input port.

    If it does not help, try UDP instead.
