Enabling IBM QRadar and HP ArcSight syslog redirection - BlueCat Address Manager

Address Manager provides support for IBM^® QRadar^® and HP^® ArcSight^® SIEM integration through DNS/DHCP Server syslog to provide more analysis of DNS and DHCP data within an organization.

You can enable syslog redirection on DNS/DHCP Server to IBM QRadar and HP ArcSight servers from the Address Manager user interface.

To enable syslog redirection on DNS/DHCP Server to IBM QRadar and HP ArcSight:

From the configuration drop-down menu, select a configuration.
Select the Servers tab. Tabs remember the page you last worked on, so select the tab again to ensure you're on the Configuration information page.
Under Servers, click a server name. The Details tab for the server opens.
Click the server name menu and select Service Configuration. The Configure Remote Services page opens.
From the Service Type drop-down menu, select Syslog. Address Manager queries the server and returns the current values for the service settings.
Under SIEM Settings, set the following parameters:
- Enable QRadar Forwarding—select the check box and enter the IPv4 or IPv6 address of the QRadar server.
- Enable ArcSight Forwarding—select the check box and enter the IPv4 or IPv6 address of the ArcSight server.
Click Update.

Note: SIEM syslog messages

Logs being sent to the IBM QRadar and HP ArcSight servers contain the following:

DNS queries (querylogging)
DNS record changes
DDNS updates being forwarded as DNS_updates
DHCP logs—logging of the following DHCP packet types: Discover, Offer, Request, Acknowledgement, Negative Acknowledgement, Decline, Inform, and Release

For examples of syslog messages produced by DNS/DHCP Server, refer to the following:

IBM QRadar LEEF format—Knowledge Base article 7754 on BlueCat Customer Care.
HP ArcSight CEF format—Knowledge Base article 7753 on BlueCat Customer Care.

Enabling IBM QRadar and HP ArcSight syslog redirection - BlueCat Address Manager - 8.2.0

Address Manager Administration Guide