BAM supports IBM® QRadar® and HP® ArcSight® SIEM integration through BDDS syslog, so that DNS and DHCP data from across the organization can be analyzed further in the SIEM.
You can enable syslog redirection on BDDS to IBM QRadar and HP ArcSight servers from the BAM user interface.
To enable syslog redirection on BDDS to IBM QRadar and HP ArcSight:
- From the configuration drop-down menu, select a configuration.
- Select the Servers tab. Tabs remember the page you last worked on, so select the tab again to ensure you're on the Configuration information page.
- Under Servers, click a server name. The Details tab for the server opens.
- Click the server name menu and select Service Configuration.
- From the Service Type drop-down menu, select Syslog. BAM queries the server and returns the current values for the service settings.
- Under SIEM Settings, set the following parameters:
  - Enable QRadar Forwarding—select the check box and enter the IPv4 or IPv6 address of the QRadar server.
  - Enable ArcSight Forwarding—select the check box and enter the IPv4 or IPv6 address of the ArcSight server.
- Click Update.
Note: SIEM syslog messages
Logs being sent to the IBM QRadar and HP ArcSight servers contain the following:
- DNS queries (querylogging)
- DNS record changes
- DDNS updates (forwarded as DNS_updates)
- DHCP logs—logging of the following DHCP packet types: Discover, Offer, Request, Acknowledgement, Negative Acknowledgement, Decline, Inform, and Release
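After enabling forwarding, a practitioner usually wants to confirm that every message category listed above is actually arriving at the SIEM. The following added example (not BlueCat code and not part of this page) classifies syslog lines into those categories and reports which of the eight DHCP packet types have not yet been seen; the sample lines are constructed, and the ISC-style DHCP keywords, the BIND `query:` marker and the `DNS_updates` tag are assumptions about the line format.

```python
import re
from collections import Counter

# The eight DHCP packet types the page says are forwarded to the SIEM, keyed
# by the ISC-style keyword assumed to appear in the BDDS syslog line.
DHCP_TYPES = {
    "DHCPDISCOVER": "Discover", "DHCPOFFER": "Offer", "DHCPREQUEST": "Request",
    "DHCPACK": "Acknowledgement", "DHCPNAK": "Negative Acknowledgement",
    "DHCPDECLINE": "Decline", "DHCPINFORM": "Inform", "DHCPRELEASE": "Release",
}
DHCP_RE = re.compile(r"\b(DHCP(?:DISCOVER|OFFER|REQUEST|ACK|NAK|DECLINE|INFORM|RELEASE))\b")
QUERY_RE = re.compile(r"\bquery:\s")            # assumed BIND querylogging marker
DNS_UPDATE_RE = re.compile(r"\bDNS_updates\b")  # DDNS updates as named on the page

# Constructed sample lines (not real BDDS output); the formats are assumptions.
SAMPLE_LOG = """\
Jan 10 10:00:01 bdds1 dhcpd: DHCPDISCOVER from 00:11:22:33:44:55 via eth0
Jan 10 10:00:01 bdds1 dhcpd: DHCPOFFER on 10.0.0.50 to 00:11:22:33:44:55 via eth0
Jan 10 10:00:02 bdds1 dhcpd: DHCPREQUEST for 10.0.0.50 from 00:11:22:33:44:55 via eth0
Jan 10 10:00:02 bdds1 dhcpd: DHCPACK on 10.0.0.50 to 00:11:22:33:44:55 via eth0
Jan 10 10:00:05 bdds1 named[1234]: client 10.0.0.50#51000 (example.com): query: example.com IN A +E(0) (10.0.0.1)
Jan 10 10:00:06 bdds1 DNS_updates: update of host1.example.com A 10.0.0.50
"""

def classify(line):
    """Map one syslog line to a page category, or None if it matches none."""
    m = DHCP_RE.search(line)
    if m:
        return "dhcp:" + DHCP_TYPES[m.group(1)]
    if DNS_UPDATE_RE.search(line):
        return "dns_updates"
    if QUERY_RE.search(line):
        return "querylogging"
    return None

def coverage(text):
    """Count lines per category and list DHCP packet types never observed.
    Returns (Counter, list_of_missing_dhcp_types)."""
    counts = Counter(c for c in map(classify, text.splitlines()) if c)
    missing = [t for t in DHCP_TYPES.values() if counts["dhcp:" + t] == 0]
    return counts, missing

if __name__ == "__main__":
    counts, missing = coverage(SAMPLE_LOG)
    for category, n in sorted(counts.items()):
        print(f"{category:35s} {n}")
    print("DHCP packet types not yet seen:", ", ".join(missing) or "none")
```

Run it against a capture exported from the SIEM rather than the sample text to confirm that DNS record changes and all eight DHCP packet types are being received, not only the common Discover/Offer/Request/Ack cycle.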