IBM Support

QRadar: HP Tandem Integration Tips

Question & Answer


Question

This article includes common issues noticed by support when administrators integrate HP Tandem with QRadar.

Answer

Administrators who integrate HP Tandem events with QRadar should review the following tips before attempting to configure the log source:

  • Log file size can vary based on the number of events per file. Administrators must verify that a new file is created and that the HP Tandem system is not appending events to the same file on the FTP server. A new file should always be created; otherwise the file is read from the beginning and duplicate events can be created in QRadar.
  • Binary data files are transferred from the HP Tandem system to the FTP server.
  • For the log file protocol connection, the event generator (parser) is set to "HPTANDEM".
  • Supported Tandem formats: The HP Tandem device supports multiple log types, which seem to be indicated by the file name. The only format we currently support is "SafeGuard Audit" events, which create files starting with the letter "A" followed by 7 digits, for example "a0000000".
  • The file pattern commonly used to retrieve files is a.* for files in the root log directory.
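
The file-name and append checks from the tips above can be run against two directory listings of the FTP server before the log source is enabled. This is an added example, not IBM or QRadar code; the function name, the listing format (file name mapped to size in bytes) and the sample listings are constructed, and it assumes the a.* pattern must match the whole file name and that the SafeGuard Audit name is matched without regard to case.

```python
import re

# Retrieval pattern from the tips above.
# Assumption: the pattern has to match the whole file name.
RETRIEVAL_PATTERN = re.compile(r"a.*")
# Supported SafeGuard Audit name: "A" followed by 7 digits.
# Assumption: case is ignored, since the article writes both "A" and "a0000000".
SAFEGUARD_NAME = re.compile(r"a\d{7}", re.IGNORECASE)


def audit_snapshots(previous, current):
    """Compare two {file name: size in bytes} listings of the FTP log directory.

    Returns a dict of findings:
      unsupported - names the retrieval pattern picks up that are not
                    in the SafeGuard Audit naming format
      appended    - supported files present in both listings whose size changed
                    (re-read from the beginning, so duplicate events are possible)
      new_files   - supported files that appeared since the previous listing
    """
    findings = {"unsupported": [], "appended": [], "new_files": []}
    for name, size in sorted(current.items()):
        if not RETRIEVAL_PATTERN.fullmatch(name):
            continue  # the retrieval pattern never selects this file
        if not SAFEGUARD_NAME.fullmatch(name):
            findings["unsupported"].append(name)
        elif name not in previous:
            findings["new_files"].append(name)
        elif previous[name] != size:
            findings["appended"].append(name)
    return findings


# Constructed sample listings taken at two consecutive polling intervals.
POLL_1 = {"a0000001": 40960, "a0000002": 8192, "audit.txt": 120, "b0000001": 512}
POLL_2 = {"a0000001": 40960, "a0000002": 12288, "a0000003": 4096,
          "audit.txt": 120, "b0000001": 512}

if __name__ == "__main__":
    for kind, names in audit_snapshots(POLL_1, POLL_2).items():
        print(f"{kind}: {', '.join(names) or 'none'}")
```

An empty "appended" list across several polling intervals indicates that the HP Tandem system is creating new files rather than extending existing ones.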


Document Information

Modified date:
16 June 2018

UID

swg21980743