Address Manager supports IBM® QRadar® and HP® ArcSight® SIEM integration through DNS/DHCP Server syslog, allowing further analysis of DNS and DHCP data within an organization.
You can enable syslog redirection on DNS/DHCP Server to IBM QRadar and HP ArcSight servers from the Address Manager user interface.
To enable syslog redirection on DNS/DHCP Server to IBM QRadar and HP ArcSight:
- From the configuration drop-down menu, select a configuration.
- Select the Servers tab. Tabs remember the page you last worked on, so select the tab again to ensure you're on the Configuration information page.
- Under Servers, click a server name. The Details tab for the server opens.
- Click the server name menu and select Service Configuration. The Configure Remote Services page opens.
- From the Service Type drop-down menu, select Syslog. Address Manager queries the server and returns the current values for the service settings.
- Under SIEM Settings, set the following parameters:
  - Enable QRadar Forwarding—select the check box and enter the IPv4 or IPv6 address of the QRadar server.
  - Enable ArcSight Forwarding—select the check box and enter the IPv4 or IPv6 address of the ArcSight server.
- Click Update.

The following log data is forwarded through syslog:
- DNS queries (querylogging)
- DNS record changes
- DDNS updates being forwarded as DNS_updates
- DHCP logs—logging of the following DHCP packet types: Discover, Offer, Request, Acknowledgement, Negative Acknowledgement, Decline, Inform, and Release