Configuring a LEEF system log

To help integrate different components on your network, the appliance can send event information to a security incident event manager (SIEM) by using the log event extended format (LEEF).

About this task

When this feature is enabled, the appliance converts IPS, SNORT, health alert, and system alert events into LEEF for transmission to a SIEM. You can retrieve the log file from the IPS Local Management Interface at Review Analysis and Diagnostics > Downloads > Logs and Packet Captures.
Note: IPS events include events from the security events, connection events, user-defined events, and OpenSignatures policies.

This feature was tested with the QRadar SIEM developed by Q1 Labs. Update the QRadar SIEM to the newest version; otherwise, some integration features do not work. For more information, go to http://q1labs.com. Customers of Q1 Labs can go to http://partners.q1labs.com and sign in to DocCentral to view the documentation.

Procedure
  1. Enable the LEEF system log feature.
    1. In IPS Local Management Interface, go to Secure Protection Settings > Advanced IPS > Tuning Parameters. In SiteProtector™ Management, select the Tuning Parameters policy.
    2. Add the tuning parameter crm.leef.enabled and set it to True.
  2. Optional: Set the size of the LEEF system log file.
    1. In IPS Local Management Interface, go to Secure Protection Settings > Advanced IPS > Tuning Parameters. In SiteProtector Management, select the Tuning Parameters policy.
    2. Add the tuning parameter crm.leef.logsize and set it to a value from 1 to 100 (MB). The default is 10 MB.
  3. The SIEM communicates with the appliance over the Secure Shell (SSH) protocol. Configure the SIEM to use the secure copy (SCP) command to retrieve the LEEF system log from the appliance. The log file is located at /var/iss/leef.log. The QRadar SIEM retrieves the LEEF system log every 15 minutes.
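After the SIEM has copied leef.log, it is worth checking that each line is well-formed LEEF before relying on it for correlation. The following parser is an added example, not code from the appliance or from QRadar; it implements the LEEF 1.0 and 2.0 record syntax (pipe-separated header, delimiter-separated key=value attributes), and the sample records, product name "Example IPS" and attribute names in SAMPLE_LEEF_LOG are constructed for illustration, not taken from a real /var/iss/leef.log.

```python
import re

# Constructed sample lines: one LEEF 1.0 record (tab-delimited attributes),
# one LEEF 2.0 record with an explicit hex delimiter (x7c = '|'), and one
# non-LEEF line. None of these come from an actual appliance log.
SAMPLE_LEEF_LOG = """\
LEEF:1.0|IBM|Example IPS|4.1|IPS_Event|devTime=Jan 14 2014 10:02:11\tsrc=10.0.0.5\tdst=10.0.0.9\tsev=7\tcat=Security Event
LEEF:2.0|IBM|Example IPS|4.1|Health_Alert|x7c|devTime=Jan 14 2014 10:03:00|sev=3|cat=Health Alert
this line is not LEEF and must be rejected
"""

HEADER_PREFIX = re.compile(r"^LEEF:(?P<ver>\d+\.\d+)\|")


def parse_leef(line):
    """Parse one LEEF 1.0/2.0 record into a dict; raise ValueError if malformed."""
    m = HEADER_PREFIX.match(line)
    if not m:
        raise ValueError("not a LEEF record")
    version = m.group("ver")
    # Header fields are '|'-separated; a literal '|' inside a field is escaped as '\|'.
    fields = re.split(r"(?<!\\)\|", line[m.end():])
    n_header = 4 if version == "1.0" else 5   # LEEF 2.0 adds a delimiter field
    if len(fields) < n_header + 1:
        raise ValueError("truncated LEEF header")
    vendor, product, prod_version, event_id = (f.replace("\\|", "|") for f in fields[:4])
    if version == "1.0":
        delim = "\t"                          # LEEF 1.0 always uses a tab
    else:
        d = fields[4]                         # single char, or hex as x09 / 0x09
        if re.fullmatch(r"0?x[0-9A-Fa-f]{2}", d):
            delim = chr(int(d[-2:], 16))
        elif len(d) == 1:
            delim = d
        else:
            raise ValueError("bad LEEF 2.0 delimiter %r" % d)
    # Re-join the remainder: the attribute section may itself contain '|'.
    attrs = {}
    for pair in "|".join(fields[n_header:]).split(delim):
        if pair:
            key, _, value = pair.partition("=")
            attrs[key] = value.replace("\\=", "=")
    return {"leef_version": version, "vendor": vendor, "product": product,
            "product_version": prod_version, "event_id": event_id, "attrs": attrs}


def parse_leef_log(text):
    """Return (parsed records, [(line number, reason)] for rejected lines)."""
    records, rejected = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            records.append(parse_leef(line))
        except ValueError as exc:
            rejected.append((lineno, str(exc)))
    return records, rejected
```

A rejected line at the collector is a cue to inspect the transfer and the appliance's log rotation (crm.leef.logsize) rather than to silently drop the event.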