Configuring your IBM Security Network IPS (GX) appliance for communication with QRadar

To collect events with QRadar, you must configure your IBM® Security Network IPS (GX) appliance to enable syslog forwarding of LEEF events.

Before you begin

Ensure that no firewall rules block the communication between your IBM Security Network IPS (GX) appliance and QRadar.

Procedure

  1. Log in to your IPS Local Management Interface.
  2. From the navigation menu, select Manage System Settings > Appliance > LEEF Log Forwarding.
  3. Select the Enable Local Log check box.
  4. In the Maximum File Size field, configure the maximum file size for your LEEF log file.
  5. From the Remote Syslog Servers pane, select the Enable check box.
  6. In the Syslog Server IP/Host field, type the IP address of your QRadar Console or Event Collector.
  7. In the TCP Port field, type 514 as the port for forwarding LEEF log events.
    Note: If you use v4.6.1 or earlier, use the UDP Port field.
  8. From the event type list, enable the event types that you want to forward to QRadar.
  9. If you use a TCP port, configure the crm.leef.fullavp tuning parameter:
    1. From the navigation menu, select Manage System Settings > Appliance > Tuning Parameters.
    2. Click Add Tuning Parameters.
    3. In the Name field, type crm.leef.fullavp.
    4. In the Value field, type true.
    5. Click OK.
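
To confirm that the events forwarded by this procedure are well-formed LEEF, lines captured on the receiving side can be checked with a small parser. The following is an added example, not IBM code: it handles LEEF 1.0 and 2.0 headers, and the sample lines with their vendor, product, version, and attribute values are constructed placeholders, not actual appliance output.

```python
import re

# Constructed sample lines (placeholders, not real appliance output).
SAMPLE_V1 = ("<13>Jan 18 11:07:53 192.0.2.10 LEEF:1.0|ExampleVendor|ExampleIPS|0.0|"
             "ExampleEvent|src=198.51.100.7\tdst=192.0.2.20\tsev=5")
SAMPLE_V2 = ("<13>Jan 18 11:07:54 192.0.2.10 LEEF:2.0|ExampleVendor|ExampleIPS|0.0|"
             "ExampleEvent|^|src=198.51.100.7^dst=192.0.2.20")

HEADER_NAMES = ("leef_version", "vendor", "product", "product_version", "event_id")

def parse_leef(line):
    """Return (header, attrs) for a syslog line carrying LEEF 1.0 or 2.0.
    Raises ValueError when the line is not well-formed LEEF."""
    start = line.find("LEEF:")
    if start < 0:
        raise ValueError("no LEEF header in line")
    body = line[start + len("LEEF:"):].rstrip("\r\n")
    version = body.split("|", 1)[0]
    if version not in ("1.0", "2.0"):
        raise ValueError(f"unsupported LEEF version: {version!r}")
    # LEEF 2.0 carries one extra header field naming the attribute delimiter.
    nfields = 6 if version == "2.0" else 5
    parts = body.split("|", nfields)
    if len(parts) != nfields + 1:
        raise ValueError("truncated LEEF header")
    header = dict(zip(HEADER_NAMES, parts))
    delim = "\t"  # LEEF 1.0 attributes are tab-separated
    if version == "2.0" and parts[5]:
        hexspec = re.fullmatch(r"0?x([0-9A-Fa-f]{2,4})", parts[5])
        delim = chr(int(hexspec.group(1), 16)) if hexspec else parts[5]
        if len(delim) != 1:
            raise ValueError(f"bad delimiter field: {parts[5]!r}")
    attrs = {}
    for pair in parts[-1].split(delim):
        if not pair:
            continue
        key, sep, value = pair.partition("=")
        if not sep or not key:
            raise ValueError(f"attribute is not key=value: {pair!r}")
        attrs[key] = value
    return header, attrs

def check_lines(lines):
    """Split captured lines into parsed events and (line, error) rejects."""
    good, bad = [], []
    for line in lines:
        try:
            good.append(parse_leef(line))
        except ValueError as exc:
            bad.append((line, str(exc)))
    return good, bad
```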