I am having trouble configuring event auditing when trying to forward the events to a syslog server in an IBM Security QRadar SIEM. The customer is not receiving the desired ones (a zone is configured to be audited with the default events: create, delete, get_security and close). The customer receives the messages we can see with ‘tcpdump -i vlan1 -v port 514’, which are not related to the configured zone and the desired events.
Checked that events are being audited for the selected zone with the command: isi_audit_viewer -t protocol
We can see with ‘isi audit settings view’ that the zone is properly configured, although the field ‘CEE Server URIs’ is not filled in because it is not a CEE.
ISILON-…# isi audit settings view
Protocol Auditing Enabled: Yes
Audited Zones: … (not shown per security)
CEE Server URIs: (not filled in as it is not a CEE – I tried with the IP of the server and several warning events were received because “server is unavailable”)
Config Auditing Enabled: Yes
Config Syslog Enabled: Yes
ISILON-…1# isi_log_server list
I have also manually edited the file ‘etc/mcp/templates/syslog.conf’, adding the desired syslog server, following KB 304052.
The questions here are:
– Is there anything we are missing to properly configure the auditing of the events?
– Is it possible to send the syslog events to an IBM Security QRadar SIEM, or does a CEE need to be installed on a Windows server?
Thanks in advance!
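An added example, not part of the original post and not OneFS or QRadar code: a small Python triage script for the situation described above. It reads captured syslog lines (for example, saved by the syslog receiver or extracted from the tcpdump capture), groups them by access zone and audit event type, and reports which of the expected event types (create, delete, get_security, close) never arrived for the zone in question. The line format used here is an assumption: the sample lines are constructed and wrap a JSON audit record with payload.zoneName, payload.protocol and payload.eventType, in the shape isi_audit_viewer prints. Adjust JSON_RE if the syslog template on the cluster wraps the payload differently.

```python
import json
import re
import sys
from collections import defaultdict

# Default protocol audit events the post says the zone is configured for.
EXPECTED_EVENTS = {"create", "delete", "get_security", "close"}

# Constructed sample input: a syslog header followed by a OneFS-style JSON
# audit record. The wrapper format is an assumption, not captured data.
SAMPLE_LINES = [
    'Jan 12 10:43:23 isilon-1 audit_protocol[1234]: {"id":"1","timestamp":1421067803,'
    '"payload":{"protocol":"SMB","zoneName":"System","eventType":"create","fileName":"/ifs/data/a.txt"}}',
    'Jan 12 10:43:24 isilon-1 audit_protocol[1234]: {"id":"2","timestamp":1421067804,'
    '"payload":{"protocol":"SMB","zoneName":"System","eventType":"close","fileName":"/ifs/data/a.txt"}}',
    'Jan 12 10:43:25 isilon-1 audit_protocol[1234]: {"id":"3","timestamp":1421067805,'
    '"payload":{"protocol":"NFS","zoneName":"Marketing","eventType":"delete","fileName":"/ifs/mkt/b.txt"}}',
    # Unrelated daemon message: the kind of line that reaches the SIEM but is not an audit event.
    'Jan 12 10:43:26 isilon-1 syslogd: restart',
    # Truncated record (constructed) to show that malformed JSON is counted, not crashed on.
    'Jan 12 10:43:27 isilon-1 audit_protocol[1234]: {"id":"4","payload":{"zoneName":"System","eventType":"delete"}',
]

# Greedy match from the first '{' to the last '}' on the line: the JSON body.
JSON_RE = re.compile(r'(\{.*\})\s*$')


def parse_audit_line(line):
    """Return (zone, event_type) for a OneFS-style audit line, or None if it is not one."""
    m = JSON_RE.search(line)
    if not m:
        return None
    try:
        rec = json.loads(m.group(1))
    except json.JSONDecodeError:
        return None
    payload = rec.get("payload", {})
    zone = payload.get("zoneName")
    event = payload.get("eventType")
    if not zone or not event:
        return None
    return zone, event.lower()


def summarize(lines):
    """Count audit events per zone and event type.

    Returns (counts, unparsed) where counts maps zone -> {event_type: n}
    and unparsed is the number of lines that carried no audit record.
    """
    counts = defaultdict(lambda: defaultdict(int))
    unparsed = 0
    for line in lines:
        parsed = parse_audit_line(line)
        if parsed is None:
            unparsed += 1
            continue
        zone, event = parsed
        counts[zone][event] += 1
    return {zone: dict(events) for zone, events in counts.items()}, unparsed


def missing_events(counts, zone, expected=EXPECTED_EVENTS):
    """Expected event types that were never seen for the given zone, sorted."""
    seen = set(counts.get(zone, {}))
    return sorted(expected - seen)


if __name__ == "__main__":
    # Usage: python triage.py captured_syslog.txt ZONE   (falls back to the sample data)
    if len(sys.argv) >= 3:
        with open(sys.argv[1]) as fh:
            lines = fh.read().splitlines()
        zone = sys.argv[2]
    else:
        lines, zone = SAMPLE_LINES, "System"
    counts, unparsed = summarize(lines)
    print("events per zone:", counts)
    print("lines without an audit record:", unparsed)
    print("missing for zone %s: %s" % (zone, missing_events(counts, zone)))
```

The two outcomes tell different stories: if the zone shows up with some event types but not others, the event selection on the cluster is what to revisit; if the zone never appears at all while unrelated daemon messages do, the forwarding path (the syslog.conf template edit) is the more likely problem.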