
IBM Security QRadar Version 7.2.1 DSM Configuration Guide

Note: Before using this information and the product that it supports, read the information in "Notices and Trademarks" on page 769. Copyright IBM Corp. 2013 All Rights Reserved. US Government Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

CONTENTS

ABOUT THIS GUIDE
  Intended audience
  Conventions
  Technical documentation
  Contacting customer support
  Statement of good security practices
1 OVERVIEW
2 INSTALLING DSMS
  Scheduling Automatic Updates
  Viewing updates
  Manually installing a DSM
3 3COM 8800 SERIES SWITCH
4 AMBIRON TRUSTWAVE IPANGEL
5 APACHE HTTP SERVER
  Configuring Apache HTTP Server with syslog
  Configuring Apache HTTP Server with syslog-ng
6 APC UPS
7 APPLE MAC OS X
8 APPLICATION SECURITY DBPROTECT
9 ARBOR NETWORKS PEAKFLOW
10 ARPEGGIO SIFT-IT
11 ARRAY NETWORKS SSL VPN
12 ARUBA MOBILITY CONTROLLERS
13 BALABIT IT SECURITY
  Configuring BalaBit IT Security for Microsoft Windows Events
  Configuring BalaBit IT Security for Microsoft ISA or TMG Events
14 BARRACUDA
  Barracuda Spam & Virus Firewall
  Barracuda Web Application Firewall
  Barracuda Web Filter
15 BIT9 PARITY
16 BLUECAT NETWORKS ADONIS
17 BLUE COAT SG
  Creating a custom event format
  Retrieving Blue Coat events
  Creating additional custom format key-value pairs
18 BRIDGEWATER
19 BROCADE FABRIC OS
20 CA TECHNOLOGIES
  CA ACF2
  CA SiteMinder
  CA Top Secret
21 CHECK POINT
  Check Point FireWall-1
  Check Point Provider-1
22 CILASOFT QJRN/400
23 CISCO
  Cisco ACE Firewall
  Cisco Aironet
  Cisco ACS
  Cisco ASA
  Cisco CallManager
  Cisco CatOS for Catalyst Switches
  Cisco CSA
  Cisco FWSM
  Cisco IDS/IPS
  Cisco IronPort
  Cisco NAC
  Cisco Nexus
  Cisco IOS
  Cisco Pix
  Cisco VPN 3000 Concentrator
  Cisco Wireless Services Module
  Cisco Wireless LAN Controllers
  Cisco Identity Services Engine
24 CITRIX
  Citrix NetScaler
  Citrix Access Gateway
25 CRYPTOCARD CRYPTO-SHIELD
26 CYBER-ARK VAULT
27 CYBERGUARD FIREWALL/VPN APPLIANCE
28 DAMBALLA FAILSAFE
29 DIGITAL CHINA NETWORKS (DCN)
30 ENTERASYS
  Enterasys Dragon
  Enterasys HiGuard Wireless IPS
  Enterasys HiPath Wireless Controller
  Enterasys Stackable and Standalone Switches
  Enterasys XSR Security Router
  Enterasys Matrix Router
  Enterasys NetSight Automatic Security Manager
  Enterasys Matrix K/N/S Series Switch
  Enterasys NAC
  Enterasys 800-Series Switch
31 EXTREME NETWORKS EXTREMEWARE
32 F5 NETWORKS
  F5 Networks BIG-IP AFM
  F5 Networks BIG-IP APM
  F5 Networks BIG-IP ASM
  F5 Networks BIG-IP LTM
  F5 Networks FirePass
33 FAIR WARNING
34 FIDELIS XPS
35 FIREEYE
36 FORESCOUT COUNTERACT
37 FORTINET FORTIGATE
38 FOUNDRY FASTIRON
39 GENERIC FIREWALL
40 GENERIC AUTHORIZATION SERVER
41 GREAT BAY BEACON
42 HBGARY ACTIVE DEFENSE
43 HONEYCOMB LEXICON FILE INTEGRITY MONITOR (FIM)
44 HP
  HP ProCurve
  HP Tandem
  Hewlett Packard UNIX (HP-UX)
45 HUAWEI
  Huawei AR Series Router
  Huawei S Series Switch
46 IBM
  IBM AIX
  IBM AS/400 iSeries
  IBM CICS
  IBM Lotus Domino
  IBM Proventia Management SiteProtector
  IBM ISS Proventia
  IBM RACF
  IBM DB2
  IBM WebSphere Application Server
  IBM Informix Audit
  IBM IMS
  IBM Guardium
  IBM Tivoli Access Manager for e-business
  IBM z/OS
  IBM Tivoli Endpoint Manager
  IBM zSecure Alert
  IBM Security Identity Manager
  IBM Security Network Protection (XGS)
  IBM Security Network IPS
  IBM Security Access Manager for Enterprise Single Sign-On
47 ISC BIND
48 IMPERVA SECURESPHERE
49 INFOBLOX NIOS
50 IT-CUBE AGILESI
51 ITRON SMART METER
52 JUNIPER NETWORKS
  Juniper Networks AVT
  Juniper DX Application Acceleration Platform
  Juniper EX Series Ethernet Switch
  Juniper IDP
  Juniper Networks Secure Access
  Juniper Infranet Controller
  Juniper Networks Firewall and VPN
  Juniper Networks Network and Security Manager
  Juniper Junos OS
  Juniper Steel-Belted Radius
  Juniper Networks vGW Virtual Gateway
  Juniper Security Binary Log Collector
  Juniper Junos WebApp Secure
53 KASPERSKY SECURITY CENTER
54 LIEBERMAN RANDOM PASSWORD MANAGER
55 LINUX
  Linux DHCP
  Linux IPtables
  Linux OS
56 MCAFEE
  McAfee Intrushield
  McAfee ePolicy Orchestrator
  McAfee Application / Change Control
  McAfee Web Gateway
57 METAINFO METAIP
58 MICROSOFT
  Microsoft Exchange Server
  Microsoft IAS Server
  Microsoft DHCP Server
  Microsoft IIS Server
  Microsoft ISA
  Microsoft SQL Server
  Microsoft SharePoint
  Microsoft Windows Security Event Log
  Microsoft Operations Manager
  Microsoft System Center Operations Manager
  Microsoft Endpoint Protection
59 MOTOROLA SYMBOL AP
60 NETAPP DATA ONTAP
61 NAME VALUE PAIR
  NVP Log Format
  Examples
62 NIKSUN
63 NOKIA FIREWALL
  Integrating with a Nokia Firewall using syslog
  Integrating with a Nokia Firewall using OPSEC
64 NOMINUM VANTIO
65 NORTEL NETWORKS
  Nortel Multiprotocol Router
  Nortel Application Switch
  Nortel Contivity
  Nortel Ethernet Routing Switch 2500/4500/5500
  Nortel Ethernet Routing Switch 8300/8600
  Nortel Secure Router
  Nortel Secure Network Access Switch
  Nortel Switched Firewall 5100
  Nortel Switched Firewall 6000
  Nortel Threat Protection System
  Nortel VPN Gateway
66 NOVELL EDIRECTORY
67 OBSERVEIT
68 OPENBSD
69 OPEN LDAP
70 OPEN SOURCE SNORT
71 ORACLE
  Oracle Audit Records
  Oracle DB Listener
  Oracle Audit Vault
  Oracle OS Audit
  Oracle BEA WebLogic
  Oracle Acme Packet Session Border Controller
72 OSSEC
73 PALO ALTO NETWORKS
74 PIREAN ACCESS: ONE
75 POSTFIX MAIL TRANSFER AGENT
76 PROFTPD
77 RADWARE DEFENSEPRO
78 RAZ-LEE ISECURITY
79 REDBACK ASE
80 RSA AUTHENTICATION MANAGER
  Configuring syslog for RSA
  Configuring the log file protocol for RSA
81 SAMHAIN LABS
  Configuring syslog to collect Samhain events
  Configuring JDBC to collect Samhain events
82 SENTRIGO HEDGEHOG
83 SECURE COMPUTING SIDEWINDER
84 SOLARWINDS ORION
85 SONICWALL
86 SOPHOS
  Sophos Enterprise Console
  Sophos PureMessage
  Sophos Astaro Security Gateway
  Sophos Web Security Appliance
87 SOURCEFIRE
  Sourcefire Defense Center (DC)
  Sourcefire Intrusion Sensor
88 SPLUNK
  Collect Windows events forwarded from Splunk appliances
89 SQUID WEB PROXY
90 STARENT NETWORKS
91 STONESOFT MANAGEMENT CENTER
92 SUN SOLARIS
  Sun Solaris
  Sun Solaris DHCP
  Sun Solaris Sendmail
  Sun Solaris Basic Security Mode (BSM)
  Sun ONE LDAP
93 SYBASE ASE
94 SYMANTEC
  Symantec Endpoint Protection
  Symantec SGS
  Symantec System Center
  Symantec Data Loss Prevention (DLP)
  Symantec PGP Universal Server
95 SYMARK
96 THREATGRID MALWARE THREAT INTELLIGENCE PLATFORM
97 TIPPING POINT
  Tipping Point Intrusion Prevention System
  Tipping Point X505/X506 Device
98 TOP LAYER IPS
99 TREND MICRO
  Trend Micro InterScan VirusWall
  Trend Micro Control Manager
  Trend Micro Office Scan
  Trend Micro Deep Discovery
100 TRIPWIRE
101 TROPOS CONTROL
102 UNIVERSAL DSM
103 UNIVERSAL LEEF
  Configuring a Universal LEEF log source
  Forwarding events to QRadar
  Creating a Universal LEEF event map
104 VENUSTECH VENUSENSE
105 VERDASYS DIGITAL GUARDIAN
106 VERICEPT CONTENT 360 DSM
107 VMWARE
  VMware ESX and ESXi
  VMware vCenter
  VMware vCloud Director
108 WEBSENSE V-SERIES
  Websense TRITON
  Websense V-Series Data Security Suite
  Websense V-Series Content Gateway
109 ZSCALER NANOLOG STREAMING SERVICE
110 SUPPORTED DSMS
A NOTICES AND TRADEMARKS
  Notices
  Trademarks
INDEX

ABOUT THIS GUIDE

The DSM Configuration Guide for IBM Security QRadar provides you with information for configuring Device Support Modules (DSMs).

DSMs allow QRadar to integrate events from security appliances, software, and devices in your network that forward events to IBM Security QRadar or IBM Security QRadar Log Manager. All references to QRadar or IBM Security QRadar are intended to refer to both the QRadar and QRadar Log Manager products. For information on DSMs supported in IBM Security QRadar Network Anomaly Detection, see the IBM Security QRadar Network Anomaly Detection DSM Configuration Guide.

Intended audience

This guide is intended for the system administrator responsible for setting up event collection for QRadar in your network.

This guide assumes that you have administrative access and a knowledge of your corporate network and networking technologies.

Conventions

The following conventions are used throughout this guide:

The single-step icon indicates that the procedure contains a single instruction.

Note: Indicates that the information provided is supplemental to the associated feature or instruction.

CAUTION: Indicates that the information is critical. A caution alerts you to potential loss of data or potential damage to an application, system, device, or network.

WARNING: Indicates that the information is critical. A warning alerts you to potential dangers, threats, or potential personal injury. Read any and all warnings carefully before proceeding.

Technical documentation

For information on how to access more technical documentation, technical notes, and release notes, see the Accessing IBM Security QRadar Documentation Technical Note (http://www.ibm.com/support/docview.wss?rs=0&uid=swg21614644).

Contacting customer support

For information on contacting customer support, see the Support and Download Technical Note (http://www.ibm.com/support/docview.wss?rs=0&uid=swg21612861).

Statement of good security practices

IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.

1 OVERVIEW

The DSM Configuration Guide is intended to assist with device configurations for systems, software, or appliances that provide events to QRadar.

Device Support Modules (DSMs) parse event information for QRadar products to log and correlate events received from external sources such as security equipment (for example, firewalls) and network equipment (for example, switches and routers).

Events forwarded from your log sources are displayed in the Log Activity tab. All events are correlated, and security and policy offenses are created based on correlation rules. These offenses are displayed on the Offenses tab. For more information, see the IBM Security QRadar Users Guide.

Note: Information found in this documentation about configuring Device Support Modules (DSMs) is based on the latest RPM files located on the IBM website at http://www.ibm.com/support.

To configure QRadar to receive events from devices, you must:

1 Configure the device to send events to QRadar.
2 Configure log sources for QRadar to receive events from specific devices. For more information, see the IBM Security QRadar Log Sources User Guide.
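The overview describes a two-stage pipeline: a DSM turns each vendor's raw event text into a common set of fields, and correlation rules then work on those fields rather than on the raw text. The following is an added illustration of that pipeline in miniature; it is not QRadar code and not taken from the guide. The two "DSMs", their regexes, the event categories, the threshold and window, and the sample log lines are all assumptions constructed for this example. One thing the prose does not make obvious is why parsing has to come first: the correlation rule below keys on `category` and `src_ip`, which only exist after normalization, and a line that no DSM matches is counted rather than silently lost.

```python
"""Parse-then-correlate pipeline in miniature.

Added example, not QRadar code: two toy "DSMs" (one per device family) turn
raw syslog lines into one normalized event schema, and a toy correlation rule
turns repeated events into an offense. Device formats, regexes, field names,
thresholds and the sample log lines are all assumptions constructed for this
illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall deny line in an ASA-like syntax (assumption).
FIREWALL_RE = re.compile(
    r"^(?P<ts>\w{3} \d\d \d\d:\d\d:\d\d) (?P<host>\S+) %FW-4-DENY: "
    r"tcp src (?P<src>[\d.]+)/(?P<sport>\d+) dst (?P<dst>[\d.]+)/(?P<dport>\d+)$"
)
# Constructed switch login-failure line in an IOS-like syntax (assumption).
SWITCH_RE = re.compile(
    r"^(?P<ts>\w{3} \d\d \d\d:\d\d:\d\d) (?P<host>\S+) %SEC_LOGIN-4-LOGIN_FAILED: "
    r"Login failed \[user: (?P<user>\S+)\] \[Source: (?P<src>[\d.]+)\]$"
)
# Each DSM maps a device-specific message to a vendor-neutral event category.
DSMS = (("Firewall Deny", FIREWALL_RE), ("Login Failed", SWITCH_RE))

# Constructed sample input: four denies from two sources, one login failure,
# and one line that no DSM understands.
SAMPLE_LOG = """\
Oct 14 10:00:01 fw1 %FW-4-DENY: tcp src 10.0.0.5/51000 dst 192.168.1.10/22
Oct 14 10:00:12 fw1 %FW-4-DENY: tcp src 10.0.0.5/51001 dst 192.168.1.10/23
Oct 14 10:01:03 fw1 %FW-4-DENY: tcp src 10.0.0.5/51002 dst 192.168.1.10/3389
Oct 14 10:01:30 sw1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.0.0.9]
Oct 14 10:02:00 fw1 %FW-4-DENY: tcp src 10.0.0.7/40000 dst 192.168.1.20/443
Oct 14 10:02:11 sw1 unsupported vendor line that no DSM understands
"""


def parse_event(line, year=2013):
    """Run the line through each DSM; return a normalized dict or None."""
    for category, regex in DSMS:
        m = regex.match(line)
        if not m:
            continue
        f = m.groupdict()
        # syslog timestamps carry no year, so the collector supplies one
        ts = datetime.strptime(f"{year} {f['ts']}", "%Y %b %d %H:%M:%S")
        return {
            "category": category,
            "time": ts,
            "log_source": f["host"],
            "src_ip": f["src"],
            "dst_ip": f.get("dst"),
            "user": f.get("user"),
        }
    return None


def correlate(events, threshold=3, window=timedelta(minutes=5)):
    """Toy rule: at least `threshold` events of one category from one source
    IP inside a sliding `window` raise an offense keyed by (category, src_ip).
    The rule reads normalized fields only, never the raw text, which is why
    the parsing step must produce a common schema first."""
    recent = defaultdict(list)
    offenses = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        key = (ev["category"], ev["src_ip"])
        bucket = recent[key]
        bucket.append(ev["time"])
        while ev["time"] - bucket[0] > window:   # expire timestamps outside the window
            bucket.pop(0)
        if len(bucket) >= threshold and key not in offenses:
            offenses[key] = {"first_seen": bucket[0], "count": len(bucket)}
    return offenses


def run(log_text):
    """Parse every line, count what no DSM matched, and correlate the rest."""
    events, unparsed = [], 0
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None:
            unparsed += 1       # a SIEM keeps these as unparsed events rather than dropping them
        else:
            events.append(ev)
    return {"parsed": len(events), "unparsed": unparsed, "offenses": correlate(events)}


if __name__ == "__main__":
    result = run(SAMPLE_LOG)
    print(f"{result['parsed']} parsed, {result['unparsed']} unparsed")
    for (category, src), info in result["offenses"].items():
        print(f"offense: {category} from {src} x{info['count']} since {info['first_seen']}")
```

Run as a script it reports five parsed lines, one unparsed line, and a single offense for the three denies from 10.0.0.5; the single deny from 10.0.0.7 and the single login failure stay below the threshold. Adding a third device family means adding one more regex and category to `DSMS`, which is the division of labour the guide's per-vendor chapters reflect: each chapter only has to get the device's events onto the wire in a form its DSM recognizes.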

2 INSTALLING DSMS

You can download and install weekly automatic software updates for DSMs, protocols, and scanner modules.

After Device Support Modules (DSMs) are installed, the QRadar Console provides any RPM file updates to managed hosts after the configuration changes are deployed. If you are using high availability (HA), DSMs, protocols, and scanners are installed during replication between the primary and secondary host. During this installation process, the secondary displays the status Upgrading. For more information, see Managing High Availability in the IBM Security QRadar SIEM Administration Guide.

CAUTION: Uninstalling a Device Support Module (DSM) is not supported in QRadar. If you need technical assistance, contact Customer Support. For more information, see Contacting customer support.

Scheduling Automatic Updates

You can schedule when automatic updates are downloaded and installed on your QRadar Console.

QRadar performs automatic updates on a recurring schedule according to the settings on the Update Configuration page; however, if you want to schedule an update or a set of updates to run at a specific time, you can schedule an update using the Schedule the Updates window. Scheduling your own automatic updates is useful when you want to schedule a large update to run during off-peak hours, thus reducing any performance impacts on your system.

If no updates are displayed in the Updates window, either your system has not been in operation long enough to retrieve the weekly updates or no updates have been issued. If this occurs, you can manually check for new updates.

Procedure

Step 1 Click the Admin tab.
Step 2 On the navigation menu, click System Configuration.
Step 3 Click the Auto Update icon.
Step 4 Optional. If you want to schedule specific updates, select the updates you want to schedule.

Step 5 From the Schedule list box, select the type of update you want to schedule. Options include:
  - All Updates
  - Selected Updates
  - DSM, Scanner, Protocol Updates
  - Minor Updates

Note: Protocol updates installed automatically require you to restart Tomcat. For more information on manually restarting Tomcat, see the IBM Security QRadar Log Sources User Guide.

Step 6 Using the calendar, select the start date and time of when you want to start your scheduled updates.
Step 7 Click OK.

The selected updates are now scheduled.

Viewing updates

You can view or install any pending software updates for QRadar through the Admin tab.

Procedure

Step 1 Click the Admin tab.
Step 2 On the navigation menu, click System Configuration.
Step 3 Click the Auto Update icon.

The Updates window is displayed. The window automatically displays the Check for Updates page, providing the following information:

Table 2-1 Check for Updates Window Parameters

Parameter                          Description
Updates were installed             Specifies the date and time the last update was installed.
Next Update install is scheduled   Specifies the date and time the next update is scheduled to be installed. If there is no date and time indicated, the update is not scheduled to run.
Name                               Specifies the name of the update.
Type                               Specifies the type of update. Types include: DSM, Scanner, Protocol Updates; Minor Updates.
Status                             Specifies the status of the update. Status types include: New - The update is not yet scheduled to be installed. Scheduled - The update is sche
Date to Install
