Configuring LEEF log forwarding (syslog)

Use the LEEF Log Forwarding (syslog) page for the Network IPS appliance to send event data to a security incident event manager (SIEM) by using the log event extended format (LEEF).

About this task

When this feature is enabled, the appliance converts security alert (including IPS and SNORT), health alert, and system alert events into LEEF for transmission to a SIEM. You can retrieve the LEEF log file from the Network IPS Local Management Interface at Review Analysis and Diagnostics > Downloads > Logs and Packet Captures. The log file is also at /var/iss/leef.log.
Note: IPS events include events from the security events, connection events, user-defined events, and OpenSignatures policies.

This feature was tested with the QRadar® SIEM developed by Q1 Labs®. You must update the QRadar SIEM to the newest version for some integration features to work. For more information, go to http://q1labs.com. Q1 Labs customers can go to http://partners.q1labs.com and sign in to DocCentral to view the documentation.

Navigating in the Network IPS Local Management Interface: Manage System Settings > Appliance > LEEF Log Forwarding (syslog)

Navigating in the SiteProtector™ system: select the LEEF Log Forwarding (syslog) policy

Procedure

  1. In the Local Log area, complete the following tasks:
    1. Click the Enable Local Log check box.
    2. Set the maximum file size for the LEEF log file in the Maximum File Size field.
  2. In the Remote Syslog Servers area, complete the following tasks for the SIEM:
    1. To configure the appliance to send the LEEF log to the SIEM, click the Enable check box.
    2. In the Syslog Server IP/Host field, type the IPv4 address, IPv6 address, or FQDN for the SIEM.
    3. Specify the Protocol and the Port for the SIEM.

      Note: The Network IPS GX appliance sends the LEEF log to multiple LEEF log servers in the order that the servers are configured. If you specify a server that is unavailable, the appliance tries to contact the invalid server until that server becomes available. This misconfiguration can prevent a valid server that is configured next in the list from receiving the LEEF log.

    4. Enable the types of events that the appliance sends to the SIEM. Options include Security Event, System Event, and Health Event.
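A SIEM, or any intermediate collector, has to split what arrives over syslog into the LEEF header and its key=value attributes before it can do anything with the event types chosen above. The following parser is an added example written for this page; it is not part of the product documentation or of the appliance itself. It handles the LEEF 1.0 layout (tab-separated attributes) and the LEEF 2.0 layout (a delimiter field in the header), with an optional BSD-syslog prefix in front. The two sample records, including the vendor, product and attribute names in them, are constructed for illustration and are not captured Network IPS output.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Optional BSD-style syslog prefix: "<PRI>Mmm dd hh:mm:ss host " before the LEEF payload.
SYSLOG_PREFIX = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
)

HEX_DELIM = re.compile(r"x[0-9A-Fa-f]{2}")


@dataclass
class LeefEvent:
    version: str
    vendor: str
    product: str
    product_version: str
    event_id: str
    attrs: Dict[str, str] = field(default_factory=dict)
    syslog_host: Optional[str] = None
    syslog_pri: Optional[int] = None


def _decode_delim(spec: str) -> str:
    """LEEF 2.0 delimiter field: empty means tab, 'xHH' is a hex code, else one literal char."""
    if spec == "":
        return "\t"
    if HEX_DELIM.fullmatch(spec):
        return chr(int(spec[1:], 16))
    if len(spec) == 1:
        return spec
    raise ValueError(f"invalid LEEF 2.0 delimiter spec: {spec!r}")


def parse_leef(line: str) -> LeefEvent:
    """Parse one syslog line (or bare LEEF record) into a LeefEvent."""
    line = line.rstrip("\r\n")
    host = pri = None
    m = SYSLOG_PREFIX.match(line)
    if m:
        host = m.group("host")
        pri = int(m.group("pri")) if m.group("pri") else None
        line = line[m.end():]
    if not line.startswith("LEEF:"):
        raise ValueError("not a LEEF record")

    # Header fields are pipe-separated; everything after the fifth pipe is payload.
    parts = line[len("LEEF:"):].split("|", 5)
    if len(parts) < 6:
        raise ValueError("truncated LEEF header")
    version, vendor, product, pversion, event_id, rest = parts

    delim = "\t"
    if version.startswith("2."):
        # LEEF 2.0 carries a delimiter field before the attributes. If the field
        # before the next pipe cannot be a delimiter spec (e.g. it holds '='),
        # assume the writer omitted the field and used the default tab.
        cand, sep, after = rest.partition("|")
        if sep and "=" not in cand and (cand == "" or len(cand) == 1 or HEX_DELIM.fullmatch(cand)):
            delim, rest = _decode_delim(cand), after

    attrs: Dict[str, str] = {}
    for pair in rest.split(delim):
        if not pair:
            continue
        key, eq, value = pair.partition("=")
        if not eq:
            raise ValueError(f"attribute without '=': {pair!r}")
        attrs[key.strip()] = value
    return LeefEvent(version, vendor, product, pversion, event_id, attrs, host, pri)


def count_by_event_id(lines: List[str]) -> Dict[str, int]:
    """Tally records per EventID, e.g. to confirm each enabled event type is arriving."""
    counts: Dict[str, int] = {}
    for line in lines:
        ev = parse_leef(line)
        counts[ev.event_id] = counts.get(ev.event_id, 0) + 1
    return counts


# Constructed sample records (not real appliance output): one LEEF 1.0 line with a
# syslog prefix and tab-separated attributes, one bare LEEF 2.0 line using '^'.
SAMPLE_LINES = [
    "<13>Mar  3 12:00:01 ips-gx4004 LEEF:1.0|ExampleVendor|ExampleIPS|4.6|SecurityEvent|"
    "devTime=Mar 03 2014 12:00:01\tsrc=192.0.2.10\tdst=198.51.100.5\tsev=7\tproto=TCP\tsrcPort=44512\tdstPort=445",
    "LEEF:2.0|ExampleVendor|ExampleIPS|4.6|HealthEvent|^|"
    "devTime=Mar 03 2014 12:05:00^component=sensor^status=degraded",
]

if __name__ == "__main__":
    for raw in SAMPLE_LINES:
        ev = parse_leef(raw)
        print(ev.syslog_host, ev.version, ev.event_id, ev.attrs)
    print(count_by_event_id(SAMPLE_LINES))
```

Running the module prints the parsed header, host and attribute map for each sample and a per-EventID tally; pointing `count_by_event_id` at the lines of /var/iss/leef.log is a quick way to confirm that every event type enabled in step 2.4 is actually being written before you look at the SIEM side.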