IBM Security QRadar DSM Integration Guide

This document describes how to configure IBM Security QRadar to collect syslog events from your WatchGuard Firebox.

IBM Security QRadar uses a plugin file called a DSM (Device Support Module) to parse the syslog events it collects from each device type. For information about DSMs, see the IBM QRadar documentation.

Test Topology

This diagram shows the test topology for this integration. You can use either a trusted or optional interface.

IBM Security QRadar integration topology

Platform and Software

The hardware and software used to complete the steps outlined in this document include:

  • Firebox with Fireware v12.4.1
  • IBM QRadar v7.3.1 build 20180912181210

Configure the Firebox to Send Log Messages to QRadar

To collect events from Fireware OS, you must configure your Firebox to send events to QRadar. You can use Policy Manager or Fireware Web UI to make the changes. The steps in this integration guide use Fireware Web UI.

You must have Device Administrator access credentials for the Firebox.

  1. Log in to Fireware Web UI (https://<your Firebox IP address or domain name>:8080).
  2. Select System > Logging.
  3. Select the Syslog Server tab.
  4. Select the Send log messages to these syslog servers check box.

Screen shot of the Logging page, Syslog Server tab

  5. Click Add.
    The Syslog Server dialog box appears.
  6. In the IP Address text box, type the IP address of the QRadar Console or Event Collector.
  7. In the Port text box, type 514.
  8. From the Log Format drop-down list, select IBM LEEF.
  9. To include the Firebox serial number in the log message details, select this check box: The serial number of the device.
  10. To include the syslog header in the log message details, select this check box: The syslog header.
  11. In the Syslog Settings section, select a syslog facility for each type of log message:
  • For high priority syslog messages, such as Alarms, select Local0.
  • To assign priorities to other types of log messages, select an option from Local1 through Local7 (lower numbers have higher priority).
  • To not send a type of log message, select NONE.

Screen shot of the Syslog Server settings

  12. Click OK.
    The server is added to the list.
  13. Click Save.
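The procedure above chooses three things that decide how an event lands in QRadar: the syslog header (which carries the PRI value), the facility assigned to each log message type, and the IBM LEEF payload format. The following parser, added here as an example and not code from WatchGuard or IBM, shows how those pieces fit together: it decodes the PRI into facility and severity, checks that the payload is LEEF, and splits the LEEF header and attributes. It also goes a step beyond the page by handling the optional delimiter field of LEEF 2.0 alongside the tab-delimited LEEF 1.0 form. The two sample events, the hostname `Firebox-Sample`, the IP addresses and the attribute names are constructed for the demonstration and are not the Firebox's exact output; use it to sanity-check captured lines before troubleshooting the log source in QRadar.

```python
import re
from dataclasses import dataclass, field

# Syslog facility and severity names (RFC 5424): PRI = facility * 8 + severity.
FACILITIES = (
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console", "solaris-cron",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
)
SEVERITIES = ("emerg", "alert", "crit", "err", "warning", "notice", "info", "debug")

# BSD-style syslog header, as produced when "The syslog header" is enabled:
# <PRI>MMM DD HH:MM:SS HOSTNAME MESSAGE
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<msg>.*)$",
    re.S,
)

# Constructed sample events (not real Firebox output). PRI 129 = local0/alert,
# PRI 150 = local2/info, matching the facility plan in the steps above.
SAMPLE_ALARM = (
    "<129>Jan 15 10:32:01 Firebox-Sample "
    "LEEF:1.0|WatchGuard|Firebox|12.4.1|alarm|"
    "sev=8\tsrc=10.0.1.25\tdst=203.0.113.9\tproto=tcp\tmsg=constructed sample alarm"
)
SAMPLE_TRAFFIC = (
    "<150>Jan 15 10:32:05 Firebox-Sample "
    "LEEF:2.0|WatchGuard|Firebox|12.4.1|traffic|^|src=10.0.1.25^dst=203.0.113.9^action=allow"
)


@dataclass
class LeefEvent:
    facility: str
    severity: str
    timestamp: str
    host: str
    leef_version: str
    vendor: str
    product: str
    product_version: str
    event_id: str
    attrs: dict = field(default_factory=dict)


def decode_pri(pri: int) -> tuple:
    """Split a syslog PRI value into (facility, severity) names."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]


def leef_delimiter(version: str, delim_field: str) -> str:
    """LEEF 1.0 always separates attributes with a tab. LEEF 2.0 may name its own
    delimiter in a sixth header field: a single character, or a hex code (x09, 0x09)."""
    if not version.startswith("2.") or delim_field == "":
        return "\t"
    m = re.fullmatch(r"(?:0?x)([0-9A-Fa-f]{1,4})", delim_field)
    return chr(int(m.group(1), 16)) if m else delim_field


def parse_leef_syslog(line: str) -> LeefEvent:
    """Parse one syslog line carrying a LEEF payload; raise ValueError on anything
    that would stop QRadar's WatchGuard DSM from recognising the event."""
    m = SYSLOG_RE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError("no syslog header; enable 'The syslog header' on the Firebox")
    facility, severity = decode_pri(int(m["pri"]))
    msg = m["msg"]
    start = msg.find("LEEF:")
    if start < 0:
        raise ValueError("payload is not LEEF; check that Log Format is IBM LEEF")
    leef = msg[start:]
    version = leef.split("|", 1)[0][len("LEEF:"):]
    # LEEF 1.0: five header fields then the body; LEEF 2.0 adds the delimiter field.
    n_header = 6 if version.startswith("2.") else 5
    parts = leef.split("|", n_header)
    if len(parts) != n_header + 1:
        raise ValueError("malformed LEEF header")
    _, vendor, product, product_version, event_id = parts[:5]
    delim = leef_delimiter(version, parts[5] if n_header == 6 else "")
    attrs = {}
    for pair in parts[-1].split(delim):
        if not pair:
            continue
        key, sep, value = pair.partition("=")
        if not sep:
            raise ValueError(f"attribute without '=': {pair!r}")
        attrs[key] = value
    return LeefEvent(facility, severity, m["ts"], m["host"], version,
                     vendor, product, product_version, event_id, attrs)


if __name__ == "__main__":
    for sample in (SAMPLE_ALARM, SAMPLE_TRAFFIC):
        ev = parse_leef_syslog(sample)
        print(f"{ev.facility}/{ev.severity} {ev.event_id}: {ev.attrs}")
```

Run it against lines captured on the QRadar Event Collector (for example, from a packet capture on port 514): a `ValueError` about the header or the LEEF marker points back to the syslog header and Log Format settings above, and the decoded facility shows whether the Local0 through Local7 assignments took effect.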

Configure a WatchGuard Fireware OS Log Source in QRadar

If your QRadar Console does not automatically discover the WatchGuard Fireware OS log source, use these steps to add the Firebox as a data source.

  1. Log in to QRadar.
  2. Click the menu bar icon in the upper left corner.
  3. Click the Admin tab.
  4. From the navigation menu, select Data Sources.

Screen shot of QRadar, admin, data sources

  5. Click the Log Sources icon.
  6. Click Add.
  7. From the Log Source Type drop-down list, select WatchGuard Fireware OS.
  8. From the Protocol Configuration drop-down list, select Syslog.
  9. In the Log Source Identifier text box, type the IP address or host name of the Firebox.
  10. In the Log Source Name text box, type the object name. In our example, the name is watchguard.
  11. Leave other settings at default values.

Screen shot of QRadar, log sources configuration

  12. Click Save.

Test the Integration

  1. Log in to QRadar.
  2. Click Log Activity.
  3. In the Viewing real time events section, from the View drop-down list, select an option. In the example below, the selected option is Last 30 Minutes.
  4. Click Log Source to sort the events and find the name of the log source you added. In this example it is watchguard.

Screen shot of QRadar, syslog

  5. To see detailed information about an event, double-click the log message.

Screen shot of QRadar, syslog event details