We are looking for the best way to integrate logs and alerts from our FSPM into the IBM QRadar SIEM.
Does anyone have any experience with this? We really need advice.
I suppose we will need to use the following feature in our FSPM: Forward alerts to syslog.
We already tried this in the past, but the person managing QRadar told us that the received data was not parsed correctly.
F-Secure is not present in the QRadar list of supported DSM vendors.
So is it a question for F-Secure or a question for IBM? Who is responsible? Who can provide the solution?
All your advice and documentation are welcome.
You can set Policy Manager to forward alerts to a third-party syslog server.
Currently, both TCP and UDP transport protocols are supported.
To configure alert forwarding:
Note: customization is not possible for the system log configuration.
Current PM versions support only syslog (RFC 3614) and CEF (Common Event Format) for exporting data to SIEM systems, while IBM QRadar requires LEEF (Log Event Extended Format). We have plans to add LEEF support in the next PM version. There is no ETA at the moment, but it should happen in H1 2020.
By default, F-Secure is not included in IBM QRadar, so your QRadar admin should create parsing rules for the F-Secure logs, for whatever values need to be extracted.
I can also help you write the parsing rules.
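The two replies above describe the gap a QRadar admin has to bridge: Policy Manager emits CEF over syslog, QRadar's native format is LEEF, and anything not covered by a DSM needs regex-based parsing rules. The following is an added example, not F-Secure's or IBM's code, of a small relay helper that re-encodes a CEF syslog line as LEEF 1.0 (tab-delimited attributes after the `LEEF:1.0|Vendor|Product|Version|EventID|` header) and shows the kind of capture-group regex a QRadar custom event property uses. The sample lines are constructed; the signature IDs, extension keys and the CEF-to-LEEF key mapping are the example's own assumptions, not documented Policy Manager fields.

```python
"""Added example: re-encode CEF syslog lines as LEEF 1.0 for QRadar, plus a
regex extraction of the kind a QRadar custom event property performs.
Not F-Secure's or IBM's code; IDs, keys and the key mapping are assumed."""
import re
from typing import Dict, List, Tuple

# CEF header layout: CEF:Version|Vendor|Product|DeviceVersion|SignatureID|Name|Severity|Extension
HEADER_FIELDS = ("cef_version", "vendor", "product", "version", "event_id", "name", "severity")
HEADER_ESCAPES = {"|": "|", "\\": "\\"}                     # escapes valid in header fields
EXT_ESCAPES = {"=": "=", "\\": "\\", "n": "\n", "r": "\r"}  # escapes valid in extension values
# Assumed mapping of CEF extension keys onto LEEF predefined attribute names;
# unlisted keys pass through unchanged so custom properties can still pick them up.
CEF_TO_LEEF_KEYS = {"suser": "usrName", "spt": "srcPort", "dpt": "dstPort"}
_DELIM_CHARS = re.compile(r"[\t\r\n]")   # tab is the LEEF 1.0 attribute delimiter

# Constructed sample lines: syslog PRI, timestamp, host, then the CEF payload.
# Signature IDs and extension keys are placeholders, not documented PM fields.
SAMPLE_LINES = [
    "<11>Jan 10 12:00:01 pmserver CEF:0|F-Secure|Policy Manager|14.10|1001|Malware detected|8|"
    "src=10.0.0.5 shost=ws01 suser=alice fname=C:\\\\Temp\\\\evil.exe act=blocked msg=Trojan:W32/Agent",
    "<13>Jan 10 12:00:02 pmserver CEF:0|F-Secure|Policy Manager|14.10|2001|Host not reporting\\|stale|3|"
    "shost=ws02 cs1Label=lastSeen cs1=2020-01-09 11\\=00",
]

def _split_unescaped(text: str, sep: str, maxsplit: int) -> List[str]:
    """Split on `sep` while keeping backslash escape pairs intact (parts stay escaped)."""
    parts, buf, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            buf.extend((ch, text[i + 1]))
            i += 2
        elif ch == sep and len(parts) < maxsplit:
            parts.append("".join(buf))
            buf, i = [], i + 1
        else:
            buf.append(ch)
            i += 1
    parts.append("".join(buf))
    return parts

def _unescape(text: str, table: Dict[str, str]) -> str:
    """Resolve backslash escapes via `table`; unknown escapes are kept literally."""
    out, i = [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            out.append(table.get(text[i + 1], "\\" + text[i + 1]))
            i += 2
        else:
            out.append(text[i])
            i += 1
    return "".join(out)

def parse_extension(ext: str) -> Dict[str, str]:
    """Parse 'k=v k2=v with spaces' text; '\\=' inside a value is a literal '='."""
    tokens = _split_unescaped(ext, "=", len(ext))
    if len(tokens) < 2:
        return {}
    fields, key = {}, tokens[0].strip()
    for tok in tokens[1:-1]:                       # each chunk is "value nextkey"
        value, _, next_key = tok.rpartition(" ")
        fields[key] = _unescape(value, EXT_ESCAPES)
        key = next_key
    fields[key] = _unescape(tokens[-1], EXT_ESCAPES)
    return fields

def parse_cef(line: str) -> Tuple[str, Dict[str, str], Dict[str, str]]:
    """Return (syslog prefix, CEF header fields, extension fields) for one syslog line."""
    idx = line.find("CEF:")
    if idx < 0:
        raise ValueError("no CEF payload in line")
    prefix, payload = line[:idx], line[idx + len("CEF:"):]
    parts = _split_unescaped(payload, "|", len(HEADER_FIELDS))
    if len(parts) != len(HEADER_FIELDS) + 1:
        raise ValueError("malformed CEF header")
    header = {n: _unescape(raw, HEADER_ESCAPES) for n, raw in zip(HEADER_FIELDS, parts)}
    return prefix, header, parse_extension(parts[-1])

def _leef_severity(cef_severity: str) -> int:
    """CEF severity is 0-10 or Low/Medium/High/Very-High; LEEF `sev` is 1-10."""
    words = {"low": 3, "medium": 6, "high": 8, "very-high": 10}
    try:
        sev = int(cef_severity)
    except ValueError:
        sev = words.get(cef_severity.strip().lower(), 5)
    return min(10, max(1, sev))

def to_leef(prefix: str, header: Dict[str, str], ext: Dict[str, str]) -> str:
    """Build LEEF:1.0|Vendor|Product|Version|EventID|<tab-separated k=v> behind the syslog prefix."""
    hdr = "|".join(header[k].replace("|", "\\|") for k in ("vendor", "product", "version", "event_id"))
    attrs = {CEF_TO_LEEF_KEYS.get(k, k): v for k, v in ext.items()}
    attrs.setdefault("cat", header["name"])        # CEF Name has no LEEF header slot
    attrs["sev"] = str(_leef_severity(header["severity"]))
    body = "\t".join(k + "=" + _DELIM_CHARS.sub(" ", v) for k, v in attrs.items())
    return prefix + "LEEF:1.0|" + hdr + "|" + body

def convert_line(line: str) -> str:
    """CEF syslog line in, LEEF syslog line out (same PRI/timestamp/host prefix)."""
    prefix, header, ext = parse_cef(line)
    return to_leef(prefix, header, ext)

def extract_property(line: str, pattern: str) -> str:
    """What a QRadar custom event property does: a regex with one capture group over the payload."""
    match = re.search(pattern, line)
    return match.group(1) if match else ""

if __name__ == "__main__":
    for raw in SAMPLE_LINES:
        print(convert_line(raw).replace("\t", "<TAB>"))
    print("user:", extract_property(SAMPLE_LINES[0], r"\bsuser=(\S+)"))
```

Feed the converter from a local syslog listener that receives the Policy Manager forwards and re-sends the LEEF output to the QRadar event collector, or use only `extract_property` patterns (e.g. `\bsuser=(\S+)`) as custom event properties if you keep the CEF payload as-is; either way, test the regexes against the escaped cases above (`\|` in a header field, `\=` in a value), which are exactly where naive split-on-pipe or split-on-equals parsing goes wrong.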
What is the error reported in fspms-alert-forwarding.log? If it is "java.net.ConnectException: Connection refused: connect", you need to specify, in the server address, the port configured in QRadar as the TCP data input port.
If that does not help, try UDP instead.