Enabling IBM QRadar and HP ArcSight syslog redirection - BlueCat Address Manager - 9.1.0

Address Manager Administration Guide

Locale
English (United States)
Product name
BlueCat Address Manager
Version
9.1.0

Address Manager supports IBM® QRadar® and HP® ArcSight® SIEM integration by forwarding DNS/DHCP Server syslog output to those servers, so that DNS and DHCP activity can be analyzed alongside the rest of an organization's security event data.

You can enable syslog redirection on DNS/DHCP Server to IBM QRadar and HP ArcSight servers from the Address Manager user interface.

To enable syslog redirection on DNS/DHCP Server to IBM QRadar and HP ArcSight:

  1. From the configuration drop-down menu, select a configuration.
  2. Select the Servers tab. Tabs open on the page you last worked on, so select the tab again if you are not on the Configuration information page.
  3. Under Servers, click a server name. The Details tab for the server opens.
  4. Click the server name menu and select Service Configuration.
  5. From the Service Type drop-down menu, select Syslog. Address Manager queries the server and returns the current values for the service settings.
  6. Under SIEM Settings, set the following parameters:
    • Enable QRadar Forwarding—select the check box and enter the IPv4 or IPv6 address of the QRadar server.
    • Enable ArcSight Forwarding—select the check box and enter the IPv4 or IPv6 address of the ArcSight server.
  7. Click Update.
Note: SIEM syslog messages
Logs being sent to the IBM QRadar and HP ArcSight servers contain the following:
  • DNS queries (querylogging)
  • DNS record changes
  • DDNS updates (forwarded as DNS_updates)
  • DHCP logs—the following DHCP packet types: Discover, Offer, Request, Acknowledgement, Negative Acknowledgement, Decline, Inform, and Release
For examples of syslog messages produced by DNS/DHCP Server, refer to the following:
  • IBM QRadar LEEF format—Knowledge Base article 7754 on BlueCat Customer Care.
  • HP ArcSight CEF format—Knowledge Base article 7753 on BlueCat Customer Care.
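As an added example (not BlueCat code, and not a reproduction of the message layouts documented in the Knowledge Base articles above), the following Python parses syslog payloads in the two wire formats named here, CEF for ArcSight and LEEF for QRadar, as those formats define them: CEF with backslash-escaped header and extension fields, LEEF 1.0 with tab-separated attributes and LEEF 2.0 with the delimiter declared in the header. It lets a practitioner point the forwarding at a test listener and confirm that both DNS and DHCP event types arrive before trusting the SIEM's own normalization. The vendor string, event IDs and field names in the sample lines are constructed for illustration; the real values are in KB 7753 and 7754.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class SiemEvent:
    fmt: str                 # "CEF" or "LEEF"
    vendor: str
    product: str
    version: str
    event_id: str
    name: Optional[str]      # CEF header only
    severity: Optional[str]  # CEF header only
    ext: dict = field(default_factory=dict)


def _split_header(s: str, maxsplit: int) -> list:
    """Split on '|' while honouring CEF header escapes (\\| and \\\\).
    After maxsplit separators the remainder is returned raw so that
    extension escapes (\\=) are left for the extension parser."""
    parts, buf, i = [], [], 0
    while i < len(s) and len(parts) < maxsplit:
        c = s[i]
        if c == "\\" and i + 1 < len(s):
            buf.append(s[i + 1])
            i += 2
            continue
        if c == "|":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(c)
        i += 1
    parts.append("".join(buf) + s[i:])
    return parts


def _unescape_ext(v: str) -> str:
    # CEF extension values escape '=', '\' and newlines with a backslash.
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), v)


def parse_cef(line: str) -> SiemEvent:
    """CEF:0|Vendor|Product|Version|SignatureID|Name|Severity|key=value ..."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF header")
    hdr = _split_header(line[start:], 7)
    if len(hdr) != 8 or hdr[0] != "CEF:0":
        raise ValueError("malformed CEF header")
    ext = {}
    # Pairs are space-separated but values may contain spaces, so only split at
    # a space that is followed by an (unescaped) key=. Producers must escape '='
    # inside values for this to be unambiguous, which the CEF spec requires.
    for tok in re.split(r"\s+(?=[\w.]+=)", hdr[7].strip()):
        if not tok:
            continue
        k, _, v = tok.partition("=")
        ext[k] = _unescape_ext(v)
    return SiemEvent("CEF", hdr[1], hdr[2], hdr[3], hdr[4], hdr[5], hdr[6], ext)


def parse_leef(line: str) -> SiemEvent:
    """LEEF:1.0|Vendor|Product|Version|EventID|k=v<TAB>k=v
       LEEF:2.0|Vendor|Product|Version|EventID|delim|k=v<delim>k=v"""
    start = line.find("LEEF:")
    if start < 0:
        raise ValueError("no LEEF header")
    parts = line[start:].split("|", 5)
    if len(parts) < 5:
        raise ValueError("malformed LEEF header")
    rest = parts[5] if len(parts) == 6 else ""
    delim = "\t"  # LEEF 1.0 default, also used when a 2.0 header leaves the field empty
    if parts[0] == "LEEF:2.0":
        d, _, rest = rest.partition("|")
        m = re.fullmatch(r"0?x([0-9a-fA-F]{1,2})", d, re.IGNORECASE)
        if m:
            delim = chr(int(m.group(1), 16))  # hex form, e.g. x09 for tab
        elif d:
            delim = d
    attrs = {}
    for tok in rest.split(delim):
        if tok:
            k, _, v = tok.partition("=")
            attrs[k] = v
    return SiemEvent("LEEF", parts[1], parts[2], parts[3], parts[4], None, None, attrs)


def parse_siem_line(line: str) -> SiemEvent:
    """Pick the parser from whichever header appears first after the syslog prefix."""
    c, l = line.find("CEF:"), line.find("LEEF:")
    if c < 0 and l < 0:
        raise ValueError("neither CEF nor LEEF header present")
    return parse_cef(line) if l < 0 or (0 <= c < l) else parse_leef(line)


def summarize(lines) -> Counter:
    """Count received events by (format, event ID): a quick check that both the
    DNS and the DHCP message types listed on this page are actually arriving."""
    return Counter((e.fmt, e.event_id) for e in map(parse_siem_line, lines))


# Constructed sample lines (hypothetical vendor, event IDs and keys; not real output).
SAMPLE_CEF = ("<14>Jan 10 12:00:00 dns1 CEF:0|ExampleVendor|DNS/DHCP Server|9.1.0|dns_query|"
              "DNS query|3|src=10.0.0.25 dst=10.0.0.53 msg=lookup for a.example.com type\\=A "
              "cs1Label=view cs1=internal")
SAMPLE_LEEF2 = ("<14>Jan 10 12:00:01 dhcp1 LEEF:2.0|ExampleVendor|DNS/DHCP Server|9.1.0|DHCPDISCOVER|^|"
                "devTime=Jan 10 2024 12:00:01^src=10.0.0.40^srcMAC=00:11:22:33:44:55^msg=DHCPDISCOVER via eth0")
SAMPLE_LEEF1 = ("<14>Jan 10 12:00:02 dhcp1 LEEF:1.0|ExampleVendor|DNS/DHCP Server|9.1.0|DHCPACK|"
                "src=10.0.0.53\tdst=10.0.0.40\tmsg=DHCPACK on 10.0.0.40 to 00:11:22:33:44:55")

if __name__ == "__main__":
    for ln in (SAMPLE_CEF, SAMPLE_LEEF2, SAMPLE_LEEF1):
        print(parse_siem_line(ln))
    print(summarize([SAMPLE_CEF, SAMPLE_LEEF2, SAMPLE_LEEF1]))
```

Feed it the lines captured by a plain UDP/TCP syslog listener on the address you entered in the SIEM Settings and compare the `summarize` output against the message categories listed in the note above; an empty count for a category you expected (for example, no DNS query events while DHCP events flow) points at the source configuration rather than at the SIEM.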