Configuring LEEF log forwarding (syslog)

Use the LEEF Log Forwarding (syslog) page on the Network IPS appliance to send event data to a security incident event manager (SIEM) by using the log event extended format (LEEF).

About this task

When this feature is enabled, the appliance converts security alert (including IPS and SNORT), health alert, and system alert events into LEEF for transmission to a SIEM. You can retrieve the LEEF log file from the IPS Local Management Interface at Review Analysis and Diagnostics > Downloads > Logs and Packet Captures. The log file is also at /var/iss/leef.log.
Note: IPS events include events from the security events, connection events, user-defined events, and OpenSignatures policies.

This feature was tested with the QRadar SIEM developed by Q1 Labs. You must update the QRadar SIEM to the newest version for some integration features to work. For more information, go to http://q1labs.com. Q1 Labs customers can go to http://partners.q1labs.com and sign in to DocCentral to view the documentation.

Navigating in the IPS Local Management Interface: Manage System Settings > Appliance > LEEF Log Forwarding (syslog)

Navigating in SiteProtector™ Management: select the LEEF Log Forwarding (syslog) policy

Procedure

  1. In the Local Log area, complete the following tasks.
    1. Click the Enable Local Log check box.
    2. Set the maximum file size for the LEEF log file in the Maximum File Size field.
  2. In the Remote Syslog Servers area, complete the following tasks for the SIEM.
    1. To configure the appliance to send the LEEF log to the SIEM, click the Enable check box.
    2. In the Syslog Server IP/Host field, type the IPv4 address, IPv6 address, or FQDN for the SIEM.
    3. In the UDP Port field, enter the UDP port number on which the SIEM listens for syslog messages.
    4. Enable the types of events that the appliance sends to the SIEM. Options include Security Event, System Event, and Health Event.
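Before pointing the appliance at the production SIEM, it is useful to confirm that datagrams actually arrive on the configured UDP port and carry well-formed LEEF records. The following receiver and parser is an added example, not code from this documentation or from the appliance; it assumes LEEF 1.0 records with tab-delimited attributes behind an optional RFC 3164 syslog prefix. The vendor, product, event IDs and attribute names in the embedded sample datagrams are constructed for illustration and do not claim to match what the appliance emits.

```python
"""Minimal LEEF-over-syslog receiver and parser (added example, not the
appliance's own code).

Assumed datagram shape (LEEF 1.0, tab-delimited attributes):
    <PRI>MMM DD HH:MM:SS host LEEF:1.0|Vendor|Product|Version|EventID|k=v<TAB>k=v
Vendor/product/event/attribute names below are constructed placeholders.
"""
import re
import socket
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Optional RFC 3164-style prefix before the LEEF header: "<PRI>Mon DD HH:MM:SS hostname "
_SYSLOG_PREFIX = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?:(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) )?"
    r"(?:(?P<host>\S+) )?"
    r"(?=LEEF:)"
)


@dataclass
class LeefEvent:
    version: str
    vendor: str
    product: str
    product_version: str
    event_id: str
    attrs: Dict[str, str] = field(default_factory=dict)
    syslog_host: Optional[str] = None
    priority: Optional[int] = None


def _parse_attrs(text: str) -> Dict[str, str]:
    """Split the tab-delimited key=value section; values may contain '='."""
    attrs: Dict[str, str] = {}
    for pair in text.split("\t"):
        if not pair:
            continue
        if "=" not in pair:
            raise ValueError(f"attribute without '=': {pair!r}")
        key, value = pair.split("=", 1)
        attrs[key] = value
    return attrs


def parse_leef(line: str) -> LeefEvent:
    """Parse one syslog line carrying a LEEF record.

    Raises ValueError on anything that is not a LEEF record so a receiver can
    count and drop malformed datagrams instead of silently accepting them.
    """
    m = _SYSLOG_PREFIX.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError("no LEEF header found")
    body = line.rstrip("\r\n")[m.end():]
    fields = body.split("|", 5)          # header has 5 pipe-delimited fields
    if len(fields) < 5:
        raise ValueError("LEEF header is incomplete")
    version = fields[0].split(":", 1)[1]
    attr_text = fields[5] if len(fields) > 5 else ""
    return LeefEvent(
        version=version,
        vendor=fields[1],
        product=fields[2],
        product_version=fields[3],
        event_id=fields[4],
        attrs=_parse_attrs(attr_text),
        syslog_host=m.group("host"),
        priority=int(m.group("pri")) if m.group("pri") else None,
    )


def summarize(datagrams: List[str]) -> Tuple[Dict[str, int], int]:
    """Count received events per EventID and the number of malformed datagrams."""
    counts: Dict[str, int] = {}
    malformed = 0
    for datagram in datagrams:
        try:
            event = parse_leef(datagram)
        except ValueError:
            malformed += 1
            continue
        counts[event.event_id] = counts.get(event.event_id, 0) + 1
    return counts, malformed


def receive_forever(port: int, on_event=print) -> None:
    """Bind a UDP socket and hand each parsed datagram to on_event.

    Set the same port in the appliance's UDP Port field; ports below 1024
    (such as 514) require elevated privileges to bind.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", port))
    while True:
        data, (src_addr, _) = sock.recvfrom(65535)
        try:
            on_event(parse_leef(data.decode("utf-8", errors="replace")))
        except ValueError as exc:
            print(f"dropped malformed datagram from {src_addr}: {exc}")


# Constructed sample datagrams (RFC 5737 addresses; names are placeholders).
SAMPLE_DATAGRAMS = [
    "<13>Mar 04 10:15:02 ips-appliance LEEF:1.0|ExampleVendor|ExampleIPS|4.6|Security_Alert|"
    "devTime=Mar 04 2013 10:15:01\tsrc=192.0.2.10\tdst=198.51.100.5\tsrcPort=51234"
    "\tdstPort=443\tproto=TCP\tsev=7\tcat=SQL_Injection",
    "<13>Mar 04 10:15:03 ips-appliance LEEF:1.0|ExampleVendor|ExampleIPS|4.6|Health_Alert|"
    "devTime=Mar 04 2013 10:15:03\tsev=3\tmsg=Interface eth1 link down",
    "this is not a LEEF record",
]

if __name__ == "__main__":
    print(summarize(SAMPLE_DATAGRAMS))   # offline check on the constructed samples
```

Run it with `receive_forever(<port>)` on a host reachable from the appliance to watch forwarded events in real time. Because syslog over UDP gives the sender no delivery acknowledgement and the receiver no sender authentication, the receiver records the source address of every datagram and counts malformed ones rather than discarding them silently; the count of accepted events should match what the SIEM reports for the same window.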