Syslog Parameters

The syslog standards, LEEF and CEF send data in Field mode enabling pairs of data to be displayed, i.e. Field name and Field value. QHST, QSYSOPR and others in the message queue are supported in LEED and CEF field mode. UDP, TCP and TLS (encrypted) protocols are supported and once the settings are turned on, the SIEM can intercept the message and make it legible for the Syslog Admin. Standard message support for edited messages and replacement values exist, enabling sending information in any free format as well as LEEF and CEF.

To send syslog messages for SIEM:

1. Select 30. Main Control from the iSecurity/Base System Configuration screen (STRAUD > 81 > 30). The Main Control for SIEM & DAM screen appears.

​ ​

​                         ​ Main Control for SIEM & DAM​        ​ 23⁄07⁄19​ 11:48:50​                                                                                   ​ Run rules before sending  . . .​    ​ N​         ​ Y=Yes, N=No               ​                                                                                        ​ Send SYSLOG Messages to SIEM​                                                    ​ SIEM 1:​ kiwi      ​  . . . . . .​    ​ N​         ​ Y=Yes, N=No, A=Action only​       ​ SIEM 2:​ VictorPC  ​  . . . . . .​    ​ Y​         ​ Y=Yes, N=No, A=Action only​       ​ SIEM 3:​ QRADAR    ​  . . . . . .​    ​ N​         ​ Y=Yes, N=No, A=Action only​       ​ Use Action-Only to send syslog messages from Action, without QAUDJRN info.   ​   ​ To increase performance, add SIEM Processors by ADDAJE JOB(AU..n) n=SIEM ID.​    ​ Send JSON messages (for DAM). .​    ​ N​         ​ Y=Yes, N=No               ​                                                                                        ​ As only operation . . . . . . .​    ​ N​         ​ Y=Yes, N=No               ​       ​ If Y, information is​ not​ collected, and no other functionality is performed.  ​                                                                                   ​ Skip info if SIEM is inactive .​    ​ Y​         ​ Y=Yes, N=No​                      ​ Y is recommended, unless it is the only operation.                            ​                                                                                                                                                                                                                                                                                                                                      ​ Note: Re-activate subsystem after changes.​                                      ​ F3=Exit​  ​ F12=Cancel​                                                            ​                                                                                 ​

​

​

Parameter	Description
Run rules before sending	Y = Yes N = No
Send SYSLOG messages to SIEM	Y = Yes N = No A = Action only; Use Action-Only to send syslog messages from Action, without QAUDJRN info.
Send JSON messages (for DAM)	Y = Yes; Y is recommended, unless it is the only operation. N = No
As only operation	Y = Yes; If Y, information is not collected, and no other functionality is performed. N = No
Skip info if SIEM is inactive	Y = Yes; Y is recommended, unless it is the only operation. N = No

2. Enter the required parameters and press Enter.