Re: Forward auditing events: is it possible to an IBM Security QRadar SIEM?

Hi all,

I have trouble configuring the events auditing when trying to forward them via syslog to an IBM Security QRadar SIEM. Customer is not receiving the desired ones (zone configured to be audited with the default events: create, delete, get_security and close). Customer receives the messages we can see with ‘tcpdump -i vlan1 -v port 514’, which are not related to the configured zone and desired events.

Checked that events are being audited for the selected zone with the command: isi_audit_viewer -t protocol

We can see with ‘isi audit settings view’ that the zone is properly configured, although the field ‘CEE Server URIs’ is not filled because it is not a CEE.

ISILON-…# isi audit settings view
    Protocol Auditing Enabled: Yes
                Audited Zones: … (not shown per security)
              CEE Server URIs: (not filled as it is not a CEE – I tried with the IP of the server and several warning events were received because “servir is unavailable”)
                     Hostname:
      Config Auditing Enabled: Yes
        Config Syslog Enabled: Yes

ISILON-…1# isi_log_server list
LOGSERVER    FILTER
XX.XX.XX.XX  *.warn;*.notice;kern.*;ifs.info;istat.non

I have also manually edited file ‘etc/mcp/templates/syslog.conf’ adding the desired syslog server, following KB 304052.

The questions here are:

– Is there anything we are missing to properly configure the audit of the events?

– Is it possible to send the syslog events to an IBM Security QRadar SIEM, or does a CEE on a Windows server need to be installed?

Thanks in advance!

José Sastre
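Added example (not part of José's post, and not an Isilon/OneFS or QRadar tool): a small Python evaluator for BSD-style syslog selector strings like the FILTER column that `isi_log_server list` prints above. It shows, for a given facility and severity, whether the forwarding rule would send the message at all, which is the first thing to check when a collector receives plenty of warn/notice noise but not the events you care about. It assumes classic syslog.conf semantics (`facility.level` means that level and anything more severe, `*` is a wildcard, `none` excludes a facility) and does not model the `=`/`!` comparison flags. The post's last selector is cut off at `istat.non`; the example assumes the standard `istat.none` form. Facility numbers, facility names such as `local0`, and the sample log lines are constructed for illustration.

```python
# Evaluate a BSD-style syslog selector (the FILTER shown by `isi_log_server list`)
# against (facility, severity) pairs and against raw "<PRI>..." syslog lines.
# Assumes classic syslog.conf semantics; "=" and "!" comparison flags are not modelled.

SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
SEVERITY_ALIASES = {"panic": "emerg", "error": "err", "warn": "warning"}

# Standard RFC 3164 facility codes (constructed table for the PRI decoder below);
# cluster-specific facility names such as "ifs" or "istat" have no fixed number here.
FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
              6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp"}
FACILITIES.update({16 + i: f"local{i}" for i in range(8)})


def severity_index(name):
    """Map a level name (or alias) to its numeric severity; 0 is the most severe."""
    return SEVERITIES.index(SEVERITY_ALIASES.get(name, name))


def parse_selector(selector):
    """Build a rule table from 'fac.level;fac.level;...'.

    Selectors are applied left to right, as syslogd does: a '*' facility sets
    every facility to that level (discarding earlier per-facility rules), and a
    later named facility overrides the wildcard. Returns
    (default_threshold, {facility: threshold}); a threshold of None means 'none'.
    """
    default = None
    specific = {}
    for part in selector.split(";"):
        part = part.strip()
        if not part:
            continue
        facs, level = part.rsplit(".", 1)
        if level == "none":
            threshold = None
        elif level == "*":
            threshold = severity_index("debug")   # everything, down to debug
        else:
            threshold = severity_index(level)
        for fac in facs.split(","):
            if fac == "*":
                default, specific = threshold, {}
            else:
                specific[fac] = threshold
    return default, specific


def is_forwarded(rules, facility, severity):
    """True if a message of (facility, severity) passes the selector."""
    default, specific = rules
    threshold = specific.get(facility, default)
    if threshold is None:
        return False
    return severity_index(severity) <= threshold


def decode_pri(pri):
    """Split an RFC 3164 <PRI> value (facility * 8 + severity) into names."""
    return FACILITIES.get(pri // 8, f"facility{pri // 8}"), SEVERITIES[pri % 8]


def forwarded_lines(selector, lines):
    """Return the subset of '<PRI>...' syslog lines the selector would forward."""
    rules = parse_selector(selector)
    kept = []
    for line in lines:
        pri = int(line[1:line.index(">")])
        fac, sev = decode_pri(pri)
        if is_forwarded(rules, fac, sev):
            kept.append(line)
    return kept


# The filter from the post; the truncated last selector is assumed to be "istat.none".
ISILON_FILTER = "*.warn;*.notice;kern.*;ifs.info;istat.none"

# Constructed sample lines (PRI = facility * 8 + severity).
SAMPLE_LINES = [
    "<28>Jan 10 10:00:01 node1 sshd[123]: constructed daemon.warning",   # 3*8 + 4
    "<30>Jan 10 10:00:02 node1 sshd[123]: constructed daemon.info",      # 3*8 + 6
    "<7>Jan 10 10:00:03 node1 kernel: constructed kern.debug",           # 0*8 + 7
    "<134>Jan 10 10:00:04 node1 audit: constructed local0.info",         # 16*8 + 6
]

if __name__ == "__main__":
    for line in forwarded_lines(ISILON_FILTER, SAMPLE_LINES):
        print(line)
```

With this filter, warn and notice messages from every facility get through (the noise the customer sees), `kern` and `ifs` are forwarded down to debug and info respectively, and an info-level message from any other facility, such as the constructed `local0.info` line, is dropped. Whether the cluster's audit events are emitted at info level or under a facility not named in the filter is something to confirm on the node; the example only shows how to reason about the selector once you know the facility and level.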
