Enabling IBM QRadar and HP ArcSight syslog redirection - BlueCat Integrity - 9.4.0

Address Manager Administration Guide

BAM supports IBM® QRadar® and HP® ArcSight® SIEM integration through BDDS syslog, so that DNS and DHCP data can be analysed in more depth within an organization.

You can enable syslog redirection on BDDS to IBM QRadar and HP ArcSight servers from the BAM user interface.

Note: IBM QRadar and HP ArcSight syslog redirection uses UDP port 514. You cannot configure BDDS to redirect syslog to a remote syslog server and an IBM QRadar / HP ArcSight server at the same server IP address and port.

To enable syslog redirection on BDDS to IBM QRadar and HP ArcSight:

  1. From the configuration drop-down menu, select a configuration.
  2. Select the Servers tab. Tabs remember the page you last worked on, so select the tab again to ensure you're on the Configuration information page.
  3. Under Servers, click a server name. The Details tab for the server opens.
  4. Click the server name menu and select Service Configuration.
  5. From the Service Type drop-down menu, select Syslog. BAM queries the server and returns the current values for the service settings.
  6. Under SIEM Settings, set the following parameters:
    • Enable QRadar Forwarding—select the check box and enter the IPv4 or IPv6 address of the QRadar server.
    • Enable ArcSight Forwarding—select the check box and enter the IPv4 or IPv6 address of the ArcSight server.
  7. Click Update.
Note: SIEM syslog messages. Logs sent to the IBM QRadar and HP ArcSight servers contain the following:
  • DNS queries (querylogging)
  • DNS record changes
  • DDNS updates (forwarded as DNS_updates)
  • DHCP logs—logging of the following DHCP packet types: Discover, Offer, Request, Acknowledgement, Negative Acknowledgement, Decline, Inform, and Release
For examples of syslog messages produced by DNS/DHCP Server, refer to the following:
  • IBM QRadar LEEF format—Knowledge Base article 7754 on BlueCat Customer Care.
  • HP ArcSight CEF format—Knowledge Base article 7753 on BlueCat Customer Care.
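A receiving-side check for the two formats named above, added here as an example and not BlueCat's own code: it parses the generic CEF (ArcSight) and LEEF 1.0/2.0 (QRadar) envelopes into header and attribute dictionaries so that forwarded DNS/DHCP events can be validated before they are mapped in the SIEM. The sample lines, vendor/product strings and attribute names are constructed for illustration; the actual BDDS message layout is documented in the Knowledge Base articles.

```python
import re

def _split_pipes(text, count):
    """Take `count` '|'-delimited header fields; '\\|' and '\\\\' are escapes."""
    fields, cur, i = [], [], 0
    while i < len(text) and len(fields) < count:
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):    # escaped character, keep it literally
            cur.append(text[i + 1]); i += 2
        elif ch == "|":
            fields.append("".join(cur)); cur = []; i += 1
        else:
            cur.append(ch); i += 1
    if len(fields) < count:
        raise ValueError("truncated header")
    return fields, text[i:]

def _parse_ext(ext, sep_regex):
    """Split key=value attributes; CEF escapes '=' inside values as '\\='."""
    pairs = {}
    for tok in re.split(sep_regex, ext):
        if "=" in tok:
            k, v = tok.split("=", 1)
            pairs[k] = v.replace("\\=", "=").replace("\\\\", "\\")
    return pairs

def parse_siem_event(line):
    """Return (format, header dict, attribute dict) for one CEF or LEEF syslog line."""
    m = re.search(r"\b(CEF|LEEF):", line)          # skip the syslog PRI/timestamp/host prefix
    if not m:
        raise ValueError("no CEF/LEEF payload in line")
    body = line[m.end():]
    if m.group(1) == "CEF":   # CEF:Version|Vendor|Product|Version|SignatureID|Name|Severity|Extension
        keys = ["version", "vendor", "product", "dev_version", "sig_id", "name", "severity"]
        vals, ext = _split_pipes(body, 7)
        return "CEF", dict(zip(keys, vals)), _parse_ext(ext, r" (?=[\w.]+=)")
    keys = ["version", "vendor", "product", "dev_version", "event_id"]   # LEEF header
    vals, rest = _split_pipes(body, 5)
    sep = "\t"                                  # LEEF 1.0: attributes are tab-separated
    if vals[0].startswith("2"):                 # LEEF 2.0: optional delimiter field ('^', 'x7c', ...)
        (delim,), rest = _split_pipes(rest, 1)
        if delim.lower().lstrip("0").startswith("x"):
            sep = chr(int(delim.lower().split("x", 1)[1], 16))
        elif delim:
            sep = delim
    return "LEEF", dict(zip(keys, vals)), _parse_ext(rest, re.escape(sep))

# Constructed sample lines (not captured from a BDDS); real field names are in the KB articles.
SAMPLES = [
    "<14>Jan  1 00:00:00 bdds1 CEF:0|BlueCat|BDDS|9.4.0|DHCP_DISCOVER|DHCP Discover|3|src=10.0.0.5 smac=00:11:22:33:44:55 msg=opt\\=53 value 1",
    "<14>Jan  1 00:00:00 bdds1 LEEF:1.0|BlueCat|BDDS|9.4.0|DNS_QUERY|src=10.0.0.5\tqname=example.com\tqtype=A",
    "<14>Jan  1 00:00:00 bdds1 LEEF:2.0|BlueCat|BDDS|9.4.0|DHCP_ACK|^|src=10.0.0.5^yiaddr=10.0.0.77",
]
```

Pointing a small UDP listener on port 514 at this parser is enough to confirm that the forwarder described above is reaching the collector with well-formed envelopes before the SIEM's own DSM or connector is involved.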