IBM Security QRadar Log Manager Administration Guide

Version 7.2.1

Administration Guide

Note
Before using this information and the product that it supports, read the information in “Notices” on page 225.

© Copyright IBM Corporation 2007, 2013.


US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract
with IBM Corp.
Contents

About this guide  ix

Chapter 1. Overview  1
  Supported web browsers  1
  Admin tab overview  1
  Deploying changes  2
  Updating user details  3
  Monitoring systems with SNMP  3
  Managing aggregated data views  4

Chapter 2. User management  5
  User management overview  5
  Role management  5
    Creating a user role  6
    Editing a user role  6
    Deleting a user role  6
  Managing security profiles  7
    Permission precedences  7
    Creating a security profile  8
    Editing a security profile  9
    Duplicating a security profile  9
    Deleting a security profile  10
  User account management  11
    Creating a user account  11
    Editing a user account  11
    Deleting a user account  12
  Authentication management  12
    Authentication overview  12
    Before you begin  13
    Configuring system authentication  13
    Configuring RADIUS authentication  14
    Configuring TACACS authentication  14
    Configuring Active Directory authentication  15
    Configuring LDAP authentication  16
    Configuring Your SSL or TLS certificate  17
  User role parameters  17
  Security profile parameters  21
  User Management window parameters  21
  User management window toolbar  21
  User Details window parameters  22

Chapter 3. Managing the system and licenses  23
  System and License Management window overview  23
  License management  28
    Uploading a license key  29
    Allocating a license to a system  29
    Reverting an allocation  30
    Viewing license details  31
    Exporting a license  31
  System management  32
    Viewing system details  32
    Allocating a system to a license  33
    Restarting a system  33
    Shutting down a system  34
    Exporting system details  34
  Access setting management  34
    Configuring firewall access  35
    Updating your host setup  36
    Configuring interface roles  37
    Changing passwords  37
  Time server configuration  38
    Configuring your time server using RDATE  38
    Manually configuring time settings for your system  39

Chapter 4. User information source configuration  41
  User information source overview  41
    User information sources  41
    Reference data collections for user information  42
    Integration workflow example  43
    User information source configuration and management task overview  43
  Configuring the Tivoli Directory Integrator server  44
  Creating and managing user information source  46
    Creating a user information source  46
    Retrieving user information sources  47
    Editing a user information source  48
    Deleting a user information source  48
  Collecting user information  49

Chapter 5. Set up QRadar Log Manager  51
  Network hierarchy  51
    Acceptable CIDR values  52
    Defining your network hierarchy  54
  Automatic updates  54
    Viewing pending updates  55
    Configuring automatic update settings  56
    Scheduling an update  58
    Clearing scheduled updates  58
    Checking for new updates  58
    Manually installing automatic updates  59
    Viewing your update history  59
    Restoring hidden updates  59
    Viewing the autoupdate log  60
  Set up a QRadar update server  60
    Configuring your update server  60
    Configuring your QRadar Console as the Update Server  61
    Adding new updates  62
  Configuring system settings  62
  Configuring your IF-MAP server certificates  70
    Configuring IF-MAP Server Certificate for Basic Authentication  70
    Configuring IF-MAP Server Certificate for Mutual Authentication  70
  Data retention  71
    Configuring retention buckets  71
    Managing retention bucket sequence  73
  Configuring system notifications  74
  Configuring the Console settings  75
  Index management  78
    Enabling indexes  78

Chapter 6. Reference sets management  81
  Adding a reference set  81
  Deleting reference sets  81
  Viewing the contents of a reference set  82
  Adding an element to a reference set  83
  Deleting elements from a reference set  83
  Importing elements into a reference set  84
  Exporting elements from a reference set  84

Chapter 7. Reference data collections  85
  CSV file requirements for reference data collections  85
  Creating a reference data collection  86
  ReferenceDataUtil.sh command reference  86
    create  86
    update  87
    add  87
    delete  88
    remove  88
    purge  88
    list  88
    listall  88
    load  88

Chapter 8. Manage backup and recovery  91
  Viewing backup archives  91
  Importing a backup archive  92
  Deleting a backup archive  92
  Backup archive creation  92
    Scheduling nightly backup  92
    Creating an on-demand configuration backup archive  95
  Backup archive restoration  95
    Restoring a backup archive  96
    Restoring a backup archive created on a different QRadar system  97
    Restoring data  99
    Verifying restored data  100

Chapter 9. Deployment editor  103
  Deployment editor requirements  103
  Deployment editor views  103
    Configuring deployment editor preferences  104
  Building your deployment  105
  Event view management  105
    QRadar components  105
    Adding components  106
    Connecting components  107
    Forwarding normalized events  108
    Renaming components  109
  System view management  110
    Overview of the System View page  110
    Software compatibility requirements for Console and non-Console hosts  110
    Encryption  110
    Adding a managed host  111
    Editing a managed host  112
    Removing a managed host  113
    Configuring a managed host  113
    Assigning a component to a host  113
    Configuring Host Context  113
    Configuring an accumulator  115
  NAT management  116
    Adding a NAT-enabled network to QRadar  116
    Editing a NAT-enabled network  117
    Deleting a NAT-enabled network from QRadar  117
    Changing the NAT status for a managed host  117
  Component configuration  118
    Configuring an Event Collector  118
    Configuring an Event Processor  119
    Configuring the Magistrate  121
    Configuring an off-site source  121
    Configuring an off-site target  122

Chapter 10. Data forwarding  123
  Adding forwarding destinations  123
  Viewing and managing forwarding destinations  124
  Configuring routing rules for bulk forwarding  125
  Viewing and managing routing rules  127
  Configuring selective forwarding  127

Chapter 11. Event store and forward  129
  Viewing the Store and Forward schedule list  129
  Creating a new Store and Forward schedule  132
  Editing a Store and Forward schedule  133
  Deleting a Store and Forward schedule  133

Chapter 12. Data obfuscation  135
  Data obfuscation overview  135
  Generating a private/public key pair  136
  Configuring data obfuscation  138
  Decrypting obfuscated data  140

Chapter 13. Audit logs  143
  Viewing the audit log file  143
  Logged actions  144

Chapter 14. Event categories  149
  High-level event categories  149
    Recon  150
    DoS  151
    Authentication  154
    Access  160
    Exploit  162
    Malware  164
    Suspicious Activity  165
    System  168
    Policy  172
    Unknown  173
    CRE  174
    Potential Exploit  174
    User Defined  175
    SIM Audit  178
    Application  178
    Audit  198
    Control  199
    Asset Profiler  201

Chapter 15. Ports used by QRadar  205
  Searching for ports in use by QRadar  212
  Viewing IMQ port associations  212

Glossary  213
  A  213
  B  213
  C  213
  D  214
  E  214
  F  215
  G  215
  H  215
  I  216
  L  216
  M  217
  N  217
  O  217
  P  218
  Q  218
  R  218
  S  218
  T  219
  V  220
  W  220

Index  221

Notices  225
  Trademarks  226
  Privacy policy considerations  227

About this guide
This guide provides information on managing IBM® Security QRadar® Log Manager including the Dashboard, Log Activity, and Reports tabs.

Intended audience

This guide is intended for all IBM Security QRadar Log Manager users responsible for investigating and managing network security. This guide assumes that you have IBM Security QRadar Log Manager access and a knowledge of your corporate network and networking technologies.

Technical documentation

For information about how to access more technical documentation, technical notes, and release notes, see Accessing IBM Security Documentation Technical Note (http://www.ibm.com/support/docview.wss?rs=0&uid=swg21612861).

Contacting customer support

For information about contacting customer support, see the Support and Download Technical Note (http://www.ibm.com/support/docview.wss?rs=0&uid=swg21612861).

Statement of good security practices

IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.

Chapter 1. Overview
General information on how to access and use the IBM Security QRadar user interface and the Admin tab.

This overview includes general information on how to access and use the user interface and the Admin tab.

Supported web browsers

You access the IBM Security QRadar console from a standard web browser.

When you access the system, a prompt is displayed asking for a user name and a password. The user name and password must be configured in advance by the administrator.

Table 1. Supported web browsers
- Mozilla Firefox: 10.0 ESR; 17.0 ESR. Mozilla Firefox has a short release cycle. We cannot commit to testing on the latest versions of the Mozilla Firefox browser. However, we are fully committed to investigating any issues that are reported.
- Microsoft Internet Explorer, with Compatibility View Enabled: 8.0; 9.0.
- Google Chrome: latest version. We are fully committed to investigating any issues that are reported.

Admin tab overview

The Admin tab provides several tab and menu options that allow you to configure QRadar.

You must have administrative privileges to access administrative functions. To access administrative functions, click the Admin tab on the user interface.

The Admin tab provides access to the following functions:
- Manage users. See Chapter 2, “User management,” on page 5.
- Manage your network settings. See Chapter 3, “Managing the system and licenses,” on page 23.
- Manage high availability. See the IBM Security QRadar High Availability Guide.
- Manage QRadar QFlow Collector settings. See Chapter 5, “Set up QRadar Log Manager,” on page 51.
- Manage reference sets. See Chapter 6, “Reference sets management,” on page 81.
- Back up and recover your data. See Chapter 8, “Manage backup and recovery,” on page 91.
- Manage your deployment views. See Chapter 9, “Deployment editor,” on page 103.
- Configure data forwarding. See Chapter 10, “Data forwarding,” on page 123.
- Configure plug-ins. For more information, see the associated documentation.
- Manage log sources. For more information, see the IBM Security QRadar Log Sources Users Guide.

The Admin tab also includes the following menu options:

Table 2. Admin tab menu options
- Deployment Editor: Opens the Deployment Editor window. For more information, see Chapter 9, “Deployment editor,” on page 103.
- Deploy Changes: Deploys any configuration changes from the current session to your deployment. For more information, see “Deploying changes.”
- Advanced: The Advanced menu provides the following option: Deploy Full Configuration, which deploys all configuration changes. For more information, see “Deploying changes.”

Deploying changes
You can update your configuration settings from the Admin tab. Your changes are saved to a staging area where they are stored until you manually deploy the changes.

About this task

Each time that you access the Admin tab and each time you close a window on the Admin tab, a banner at the top of the Admin tab displays the following message: Checking for undeployed changes. If undeployed changes are found, the banner updates to provide information about the undeployed changes.

If the list of undeployed changes is lengthy, a scroll bar is provided. Scroll through the list.

The banner message also suggests which type of deployment change to make. Choose one of the two options:
- Deploy Changes - Click the Deploy Changes icon on the Admin tab toolbar to deploy any configuration changes from the current session to your deployment.
- Deploy Full Configuration - Select Advanced > Deploy Full Configuration from the Admin tab menu to deploy all configuration settings to your deployment. All deployed changes are then applied throughout your deployment.

Important: When you click Deploy Full Configuration, QRadar Log Manager restarts all services, which results in a gap in data collection until deployment completes.

After you deploy your changes, the banner clears the list of undeployed changes and checks the staging area again for any new undeployed changes. If none are present, the following message is displayed: There are no changes to deploy.

Procedure
1. Click View Details
2. Choose one of the following options:
a. To expand a group to display all items, click the plus sign (+) beside the
text. When done, you can click the minus sign (-).
b. To expand all groups, click Expand All. When done, you can click Collapse
All.
c. Click Hide Details to hide the details from view again.
3. Perform the suggested task:
a. From the Admin tab menu, click Deploy Changes.
b. From the Admin tab menu, click Advanced > Deploy Full Configuration.

Updating user details

You can access your administrative user details through the main user interface.

Procedure
1. Click Preferences.
2. Optional. Update the configurable user details:
   - Email: Type a new email address.
   - Password: Type a new password.
   - Password (Confirm): Type the new password again.
   - Enable Popup Notifications: Popup system notifications are displayed at the lower right corner of the user interface. To disable popup notifications, clear this check box. For more information about popup notifications, see the Users Guide for your product.
3. Click Save.

Monitoring systems with SNMP

This topic provides information about the monitoring of appliances through SNMP polling.

QRadar Log Manager uses the Net-SNMP agent, which supports various system resource monitoring MIBs. They can be polled by network management solutions for the monitoring and alerting of system resources. For more information about Net-SNMP, see the Net-SNMP documentation.
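As an added example that is not part of the IBM guide, the following POSIX shell script polls the Net-SNMP agent on an appliance for the load, memory and disk objects that the agent serves from UCD-SNMP-MIB and flags readings that cross a threshold. The guide only states that the agent exposes system resource MIBs for polling; the hostname, SNMP v2c community string, CPU count, thresholds and the use of the net-snmp command-line tools on the polling host are all assumptions of this example.

```shell
#!/bin/sh
# Added example, not IBM's code: poll the Net-SNMP agent on a QRadar appliance
# for resource counters and flag any reading that crosses a threshold.
# Assumptions (not stated in the guide): net-snmp CLI tools on the polling host,
# SNMP v2c with a read-only community, placeholder host/community/CPU values.

# Numeric OIDs from UCD-SNMP-MIB, the resource MIB served by the Net-SNMP agent.
OID_LOAD1=".1.3.6.1.4.1.2021.10.1.3.1"    # laLoad.1, 1-minute load average
OID_MEM_TOTAL=".1.3.6.1.4.1.2021.4.5.0"   # memTotalReal.0, kB
OID_MEM_AVAIL=".1.3.6.1.4.1.2021.4.6.0"   # memAvailReal.0, kB
OID_DISK_PCT=".1.3.6.1.4.1.2021.9.1.9"    # dskPercent column, one row per monitored disk

# Fetch one scalar; -Oqv prints only the value, so no output parsing is needed.
snmp_get() {  # usage: snmp_get host community oid
    snmpget -v2c -c "$2" -Oqv "$1" "$3"
}

# Memory check: succeed (exit 0) while free memory stays at or above min_pct percent.
check_memory() {  # usage: check_memory total_kb avail_kb min_pct
    [ "$1" -gt 0 ] || return 1            # a zero total is a bogus reading, treat as alert
    [ $(( $2 * 100 / $1 )) -ge "$3" ]
}

# Load check: succeed while the 1-minute load is below max_per_cpu * cpu_count.
# awk handles the decimal load value that sh integer arithmetic cannot.
check_load() {  # usage: check_load load1 cpu_count max_per_cpu
    awk -v l="$1" -v c="$2" -v m="$3" 'BEGIN { if (l < c * m) exit 0; exit 1 }'
}

# Disk check: succeed while every dskPercent row (one integer per line) is below max_pct.
check_disks() {  # usage: check_disks "<percent lines>" max_pct
    printf '%s\n' "$1" | awk -v m="$2" \
        '$1 ~ /^[0-9]+$/ && $1 >= m { bad = 1 } END { if (bad) exit 1; exit 0 }'
}

# Poll a live appliance and print one line per finding; returns 1 if any check trips.
poll_appliance() {  # usage: poll_appliance host community cpu_count
    host=$1; community=$2; cpus=$3; rc=0
    load=$(snmp_get "$host" "$community" "$OID_LOAD1")
    total=$(snmp_get "$host" "$community" "$OID_MEM_TOTAL")
    avail=$(snmp_get "$host" "$community" "$OID_MEM_AVAIL")
    disks=$(snmpwalk -v2c -c "$community" -Oqv "$host" "$OID_DISK_PCT")
    check_load "$load" "$cpus" 2 || { echo "ALERT $host: load $load on $cpus CPUs"; rc=1; }
    check_memory "$total" "$avail" 10 || { echo "ALERT $host: only ${avail}kB of ${total}kB free"; rc=1; }
    check_disks "$disks" 90 || { echo "ALERT $host: a monitored disk is 90% full or more"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK $host: load=$load mem_avail=${avail}kB"
    return "$rc"
}

# Poll only when a target is given, so the threshold functions can be exercised offline.
if [ -n "${QRADAR_SNMP_HOST:-}" ]; then
    poll_appliance "$QRADAR_SNMP_HOST" "${QRADAR_SNMP_COMMUNITY:-public}" "${QRADAR_CPUS:-4}"
fi
```

Run it with QRADAR_SNMP_HOST set to the appliance address to poll a live agent; the threshold functions take plain values, so they can be checked without an agent. The polling host must also be allowed through the appliance firewall (see “Configuring firewall access” in Chapter 3), and a v2c community string travels in clear text, so where your agent configuration supports SNMPv3 with authentication and privacy, prefer it over the v2c settings used here.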

Managing aggregated data views

A large volume of data aggregation can decrease system performance. To improve system performance, you can disable, enable, or delete aggregated data views. Time series charts and report charts use aggregated data views.

Procedure
1. Click the Admin tab.
2. On the navigation menu, click System Configuration.
3. Click the Aggregated Data Management icon.
4. To filter the list of aggregated data views, choose one of the following options:
   - Select an option from one of the following lists: View, Database, Show, or Display.
   - Type an aggregated data ID, report name, chart name, or saved search name in the search field.
5. To manage an aggregated data view, select the view, and then the appropriate action from the toolbar:
   - If you select Disable View or Delete View, a window displays content dependencies for the aggregated data view. After you disable or delete the aggregated data view, the dependent components no longer use aggregated data.
   - If you enable a disabled aggregated data view, the aggregated data from the deleted view is restored.

Chapter 2. User management
Provides information and procedures for configuring and managing user accounts.

When you initially configure QRadar Log Manager, you must create user accounts
for all users that require access to QRadar Log Manager. After initial configuration,
you can edit user accounts to ensure that user information is current. You can also
add and delete user accounts as required.

User management overview


A user account defines the user name, default password, and email address for a
user.

Assign the following items for each new user account you create:
v User role - Determines the privileges that the user is granted to access functions
and information in QRadar SIEM. QRadar SIEM includes two default user roles:
Admin and All. Before you add user accounts, you must create more user roles
to meet the specific permissions requirement of your users.
v User role - Determines the privileges that the user is granted to access functions
and information in QRadar Log Manager. QRadar Log Manager includes two
default user roles: Admin and All. Before you add user accounts, you must
create more user roles to meet the specific permissions requirement of your
users.
v Security profile - Determines the networks and log sources the user is granted
access to. QRadar Log Manager includes one default security profile for
administrative users. The Admin security profile includes access to all networks
and log sources. Before you add user accounts, you must create more security
profiles to meet the specific access requirements of your users.

Role management
Using the User Roles window, you can create and manage user roles.




Creating a user role
Use this task to create the user roles that are required for your deployment.

About this task

By default, your system provides a default administrative user role, which
provides access to all areas of QRadar Log Manager. Users who are assigned an
administrative user role cannot edit their own account. This restriction applies to
the default Admin user role. Another administrative user must make any account
changes.

Procedure
1. Click the Admin tab.
2. On the navigation menu, click System Configuration > User Management.
3. Click the User Roles icon.
4. On the toolbar, click New.
5. Configure the following parameters:
a. In the User Role Name field, type a unique name for this user role.
b. Select the permissions that you want to assign to this user role. See “User
role parameters” on page 17.
6. Click Save.
7. Close the User Role Management window.
8. On the Admin tab menu, click Deploy Changes.

Editing a user role


You can edit an existing role to change the permissions that are assigned to the
role.

About this task

To quickly locate the user role you want to edit on the User Role Management
window, you can type a role name in the Type to filter text box. This box is
located above the left pane.

Procedure
1. Click the Admin tab.
2. On the navigation menu, click System Configuration > User Management.
3. Click the User Roles icon.
4. In the left pane of the User Role Management window, select the user role that
you want to edit.
5. On the right pane, update the permissions, as necessary. See “User role
parameters” on page 17.
6. Click Save.
7. Close the User Role Management window.
8. On the Admin tab menu, click Deploy Changes.

Deleting a user role


If a user role is no longer required, you can delete the user role.



About this task

If user accounts are assigned to the user role you want to delete, you must
reassign the user accounts to another user role. The system automatically detects
this condition and prompts you to update the user accounts.

You can quickly locate the user role that you want to delete on the User Role
Management window. Type a role name in the Type to filter text box, which is
located above the left pane.

Procedure
1. Click the Admin tab.
2. On the navigation menu, click System Configuration > User Management.
3. Click the User Roles icon.
4. In the left pane of the User Role Management window, select the role that you
want to delete.
5. On the toolbar, click Delete.
6. Click OK.
v If user accounts are assigned to this user role, the Users are Assigned to this
User Role window opens. Go to Step 7.
v If no user accounts are assigned to this role, the user role is successfully
deleted. Go to Step 8.
7. Reassign the listed user accounts to another user role:
a. From the User Role to assign list box, select a user role.
b. Click Confirm.
8. Close the User Role Management window.
9. On the Admin tab menu, click Deploy Changes.

Managing security profiles


Security profiles define which networks and log sources a user can access and the
permission precedence.

Using the Security Profile Management window, you can view, create, update, and
delete security profiles.

Permission precedences
This topic defines each of the permission precedence options.

Permission precedence determines which Security Profile components to consider
when the system displays events in the Log Activity tab.

Make sure that you understand the following restrictions:

v No Restrictions - This option does not place restrictions on which events are
displayed in the Log Activity tab.
v Network Only - This option restricts the user to view only events and flows that
are associated with the networks specified in this security profile.
v Log Sources Only - This option restricts the user to view only events that are
associated with the log sources specified in this security profile.



v Networks AND Log Sources - This option allows the user to view only events
that are associated with the log sources and networks that are specified in this
security profile.

For example, if an event is associated with a log source the security profile allows
access to, but the destination network is restricted, the event is not displayed in the
Log Activity tab. The event must match both requirements.
v Networks OR Log Sources - This option allows the user to view only events
that are associated with the log sources or networks that are specified in this
security profile.

For example, if an event is associated with a log source the security profile allows
access to, but the destination network is restricted, the event is displayed in the
Log Activity tab. The event must match one requirement.
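The following Python snippet is added here to illustrate the five precedence options as a filter over event records; it is not QRadar code. It assumes a simplified model (the event's destination IP is tested against the profile's assigned networks given as CIDR strings, and log sources are matched by name), which is an assumption for the illustration, not the product's internal schema.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, List

# Constructed model of a security profile as described under
# "Permission precedences". Networks are CIDR strings and log sources are
# names; this representation is an assumption for the illustration.
@dataclass(frozen=True)
class SecurityProfile:
    precedence: str          # one of PRECEDENCE_OPTIONS
    networks: tuple          # assigned networks, e.g. ("10.0.0.0/8",)
    log_sources: frozenset   # assigned log source names

@dataclass(frozen=True)
class Event:
    log_source: str
    destination_ip: str

PRECEDENCE_OPTIONS = (
    "No Restrictions",
    "Network Only",
    "Log Sources Only",
    "Networks AND Log Sources",
    "Networks OR Log Sources",
)

def in_assigned_networks(ip: str, networks: Iterable[str]) -> bool:
    """True when the address falls inside any network assigned to the profile."""
    addr = ip_address(ip)
    return any(addr in ip_network(cidr, strict=False) for cidr in networks)

def event_visible(profile: SecurityProfile, event: Event) -> bool:
    """Apply the profile's permission precedence to one event.

    Returns True when the Log Activity tab would display the event to a
    user who is assigned this profile.
    """
    net_ok = in_assigned_networks(event.destination_ip, profile.networks)
    src_ok = event.log_source in profile.log_sources
    p = profile.precedence
    if p == "No Restrictions":
        return True
    if p == "Network Only":
        return net_ok
    if p == "Log Sources Only":
        return src_ok
    if p == "Networks AND Log Sources":
        return net_ok and src_ok          # must match both requirements
    if p == "Networks OR Log Sources":
        return net_ok or src_ok           # must match one requirement
    # Fail closed: an unknown precedence value never widens visibility.
    raise ValueError(f"unknown permission precedence: {p!r}")

def filter_log_activity(profile: SecurityProfile,
                        events: Iterable[Event]) -> List[Event]:
    """Return the subset of events a user with this profile may see."""
    return [e for e in events if event_visible(profile, e)]

# Constructed sample events mirroring the worked example in the text:
# the log source is allowed but the destination network is restricted.
ALLOWED_SOURCE_RESTRICTED_NET = Event("LinuxServer @ web01", "192.168.50.10")
ALLOWED_SOURCE_ALLOWED_NET = Event("LinuxServer @ web01", "10.1.2.3")
OTHER_SOURCE_ALLOWED_NET = Event("Cisco ASA @ fw01", "10.9.9.9")
OTHER_SOURCE_RESTRICTED_NET = Event("Cisco ASA @ fw01", "172.16.0.5")
SAMPLE_EVENTS = [ALLOWED_SOURCE_RESTRICTED_NET, ALLOWED_SOURCE_ALLOWED_NET,
                 OTHER_SOURCE_ALLOWED_NET, OTHER_SOURCE_RESTRICTED_NET]

def make_profile(precedence: str) -> SecurityProfile:
    """Same network and log source assignments, varying only the precedence."""
    return SecurityProfile(precedence, ("10.0.0.0/8",),
                           frozenset({"LinuxServer @ web01"}))

if __name__ == "__main__":
    for option in PRECEDENCE_OPTIONS:
        visible = filter_log_activity(make_profile(option), SAMPLE_EVENTS)
        print(f"{option:26s} -> {len(visible)} of {len(SAMPLE_EVENTS)} visible")
```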

Creating a security profile


To add user accounts, you must first create security profiles to meet the specific
access requirements of your users.

About this task

QRadar Log Manager includes one default security profile for administrative users.
The Admin security profile includes access to all networks and log sources.

To select multiple items on the Security Profile Management window, hold the
Control key while you select each network or network group that you want to
add.

If after you add log sources or networks, you want to remove one or more before
you save the configuration, you can select the item and click the Remove (<) icon.
To remove all items, click Remove All.

Procedure
1. Click the Admin tab.
2. On the navigation menu, click System Configuration > User Management.
3. Click the Security Profiles icon.
4. On the Security Profile Management window toolbar, click New.
5. Configure the following parameters:
a. In the Security Profile Name field, type a unique name for the security
profile. The security profile name must meet the following requirements:
minimum of 3 characters and maximum of 30 characters.
b. Optional. Type a description of the security profile. The maximum number
of characters is 255.
6. Click the Permission Precedence tab.
7. In the Permission Precedence Setting pane, select a permission precedence
option. See “Permission precedences” on page 7.
8. Configure the networks that you want to assign to the security profile:
a. Click the Networks tab.
b. From the navigation tree in the left pane of the Networks tab, select the
network that you want this security profile to have access to.
c. Click the Add (>) icon to add the network to the Assigned Networks pane.
d. Repeat for each network you want to add.



9. Configure the log sources that you want to assign to the security profile:
a. Click the Log Sources tab.
b. From the navigation tree in the left pane, select the log source group or log
source you want this security profile to have access to.
c. Click the Add (>) icon to add the log source to the Assigned Log Sources
pane.
d. Repeat for each log source you want to add.
10. Click Save.
11. Close the Security Profile Management window.
12. On the Admin tab menu, click Deploy Changes.

Editing a security profile


You can edit an existing security profile to update which networks and log sources
a user can access and the permission precedence.

About this task

To quickly locate the security profile you want to edit on the Security Profile
Management window, type the security profile name in the Type to filter text box.
It is located above the left pane.

Procedure
1. Click the Admin tab.
2. On the navigation menu, click System Configuration > User Management.
3. Click the Security Profiles icon.
4. In the left pane, select the security profile you want to edit.
5. On the toolbar, click Edit.
6. Update the parameters as required.
7. Click Save.
8. If the Security Profile Has Time Series Data window opens, select one of the
following options:

v Keep Old Data and Save - Select this option to keep previously accumulated time series data. If you choose this option, issues might occur when users who are associated with this security profile view time series charts.
v Hide Old Data and Save - Select this option to hide the time series data. If you choose this option, time series data accumulation restarts after you deploy your configuration changes.

9. Close the Security Profile Management window.
10. On the Admin tab menu, click Deploy Changes.

Duplicating a security profile


If you want to create a new security profile that closely matches an existing
security profile, you can duplicate the existing security profile and then modify the
parameters.



About this task

To quickly locate the security profile you want to duplicate on the Security Profile
Management window, you can type the security profile name in the Type to filter
text box, which is located above the left pane.

Procedure
1. Click the Admin tab.
2. On the navigation menu, click System Configuration > User Management.
3. Click the Security Profiles icon.
4. In the left pane, select the security profile you want to duplicate.
5. On the toolbar, click Duplicate.
6. In the Confirmation window, type a unique name for the duplicated security
profile.
7. Click OK.
8. Update the parameters as required.
9. Close the Security Profile Management window.
10. On the Admin tab menu, click Deploy Changes.

Deleting a security profile


If a security profile is no longer required, you can delete the security profile.

About this task

If user accounts are assigned to the security profiles you want to delete, you must
reassign the user accounts to another security profile. QRadar Log Manager
automatically detects this condition and prompts you to update the user accounts.

To quickly locate the security profile you want to delete on the Security Profile
Management window, you can type the security profile name in the Type to filter
text box. It is located above the left pane.

Procedure
1. Click the Admin tab.
2. On the navigation menu, click System Configuration > User Management.
3. Click the Security Profiles icon.
4. In the left pane, select the security profile that you want to delete.
5. On the toolbar, click Delete.
6. Click OK.
v If user accounts are assigned to this security profile, the Users are Assigned
to this Security Profile window opens. Go to Step 7.
v If no user accounts are assigned to this security profile, the security profile is
successfully deleted. Go to Step 8.
7. Reassign the listed user accounts to another security profile:
a. From the User Security Profile to assign list box, select a security profile.
b. Click Confirm.
8. Close the Security Profile Management window.
9. On the Admin tab menu, click Deploy Changes.



User account management
This topic provides information about managing user accounts.

When you initially configure your system, you must create user accounts for each
of your users. After initial configuration, you might be required to create more user
accounts and manage existing user accounts.

Creating a user account


You can create new user accounts.

Before you begin

Before you can create a user account, you must ensure that the required user role
and security profile are created.

About this task

When you create a new user account, you must assign access credentials, a user
role, and a security profile to the user. User Roles define what actions the user has
permission to perform. Security Profiles define what data the user has permission
to access.

You can create multiple user accounts that include administrative privileges;
however, only user accounts with the Administrator Manager permission can create
other administrative user accounts.

Procedure
1. Click the Admin tab.
2. On the navigation menu, click System Configuration > User Management.
3. Click the Users icon.
4. On the User Management toolbar, click New.
5. Enter values for the following parameters:
a. In the Username field, type a unique user name for the new user. The user
name must contain a maximum of 30 characters.
b. In the Password field, type a password for the user to gain access.
The password must meet the following criteria:
v Minimum of 5 characters
v Maximum of 255 characters
6. Click Save.
7. Close the User Details window.
8. Close the User Management window.
9. On the Admin tab menu, click Deploy Changes.

Editing a user account


About this task

You can quickly locate the user account that you want to edit on the User
Management window. Type the user name in the Search User text box, which is on
the toolbar.



Procedure
1. Click the Admin tab.
2. On the navigation menu, click System Configuration > User Management.
3. Click the Users icon.
4. On the User Management window, select the user account that you want to
edit.
5. On the toolbar, click Edit.
6. Update parameters, as necessary. See “User Management window parameters”
on page 21.
7. Click Save.
8. Close the User Details window.
9. Close the User Management window.
10. On the Admin tab menu, click Deploy Changes.

Deleting a user account


If a user account is no longer required, you can delete the user account.

About this task

After you delete a user, the user no longer has access to the user interface. If the
user attempts to log in, a message is displayed to inform the user that the user
name and password are no longer valid. Items that a deleted user created, such as
saved searches and reports, remain associated with the deleted user.

To quickly locate the user account you want to delete on the User Management
window, you can type the user name in the Search User text box on the toolbar.

Procedure
1. Click the Admin tab.
2. On the navigation menu, click System Configuration > User Management.
3. Click the Users icon.
4. Select the user that you want to delete.
5. On the toolbar, click Delete.
6. Click OK.
7. Close the User Management window.

Authentication management
This topic provides information and instructions for how to configure
authentication.

QRadar Log Manager supports various authentication types. You can configure
authentication to validate users and passwords.

Authentication overview
When authentication is configured and a user enters an invalid user name and
password combination, a message is displayed to indicate that the login was
invalid.

If the user attempts to access the system multiple times with invalid information,
the user must wait the configured amount of time before attempting to access
the system again. You can configure Console settings to determine the maximum
number of failed logins, and other related settings. For more information about
configuring Console settings for authentication, see “Configuring the Console
settings” on page 75 in Chapter 5, “Set up QRadar Log Manager,” on page 51.

An administrative user can access QRadar Log Manager through a vendor
authentication module or by using the local Admin password. The Admin
password still functions if you set up and activated a vendor authentication
module. However, you cannot change the Admin password while the authentication
module is active. To change the Admin password, you must temporarily disable
the vendor authentication module, reset the password, and then reconfigure the
vendor authentication module.

QRadar Log Manager supports the following user authentication types:


v System authentication - Users are authenticated locally. This is the default
authentication type.
v RADIUS authentication - Users are authenticated by a Remote Authentication
Dial-in User Service (RADIUS) server. When a user attempts to log in, QRadar
Log Manager encrypts the password only, and forwards the user name and
password to the RADIUS server for authentication.
v TACACS authentication - Users are authenticated by a Terminal Access
Controller Access Control System (TACACS) server. When a user attempts to log
in, QRadar Log Manager encrypts the user name and password, and forwards
this information to the TACACS server for authentication. TACACS
Authentication uses Cisco Secure ACS Express® as a TACACS server. QRadar
Log Manager supports up to Cisco Secure ACS Express 4.3.
v Active directory - Users are authenticated by a Lightweight Directory Access
Protocol (LDAP) server that uses Kerberos.
v LDAP - Users are authenticated by a Native LDAP server.

Before you begin

Prerequisites for configuring RADIUS, TACACS, Active Directory, or LDAP as the
authentication type.

Before you can configure RADIUS, TACACS, Active Directory, or LDAP as the
authentication type, you must complete the following tasks:
v Configure the authentication server before you configure authentication in
QRadar Log Manager. For more information, see your server documentation.
v Ensure that the server has the appropriate user accounts and privilege levels to
communicate with QRadar Log Manager. For more information, see your server
documentation.
v Ensure that the time of the authentication server is synchronized with the time
of the QRadar Log Manager server. For more information about setting time, see
Chapter 5, “Set up QRadar Log Manager,” on page 51.
v Ensure that all users have appropriate user accounts and roles to allow
authentication with the vendor servers.

Configuring system authentication


You can configure local authentication on your QRadar system.



Procedure
1. Click the Admin tab.
2. On the navigation menu, click System Configuration > User Management.
3. Click the Authentication icon.
4. From the Authentication Module list box, select System Authentication.
5. Click Save.

Configuring RADIUS authentication


You can configure RADIUS authentication on your QRadar system.

Procedure
1. Click the Admin tab.
2. On the navigation menu, click System Configuration > User Management.
3. Click the Authentication icon.
4. From the Authentication Module list box, select RADIUS Authentication.
5. Configure the parameters:
a. In the RADIUS Server field, type the host name or IP address of the
RADIUS server.
b. In the RADIUS Port field, type the port of the RADIUS server.
c. From the Authentication Type list box, select the type of authentication you
want to perform.
Choose from the following options:

v CHAP - Challenge Handshake Authentication Protocol (CHAP) establishes a Point-to-Point Protocol (PPP) connection between the user and the server.
v MSCHAP - Microsoft Challenge Handshake Authentication Protocol (MSCHAP) authenticates remote Windows workstations.
v ARAP - Apple Remote Access Protocol (ARAP) establishes authentication for AppleTalk network traffic.
v PAP - Password Authentication Protocol (PAP) sends clear text between the user and the server.

d. In the Shared Secret field, type the shared secret that QRadar Log Manager
uses to encrypt RADIUS passwords for transmission to the RADIUS server.
6. Click Save.
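The Shared Secret entered in step 5d is what a RADIUS client uses to hide a PAP password before it is forwarded. As an added illustration (not QRadar's own code), the following Python implements the RFC 2865 section 5.2 User-Password hiding: the password is null-padded to 16-octet blocks and each block is XORed with an MD5 digest chained from the shared secret and the packet's Request Authenticator. The secret, password and authenticator values are constructed for the example.

```python
import hashlib
import os

BLOCK = 16  # RFC 2865 section 5.2 hides the password in 16-octet blocks

def hide_user_password(password: bytes, shared_secret: bytes,
                       request_authenticator: bytes) -> bytes:
    """Client side: b1 = MD5(S + RA), c1 = p1 XOR b1, b2 = MD5(S + c1), ..."""
    if len(request_authenticator) != BLOCK:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1 to 128 octets")
    if not shared_secret:
        raise ValueError("shared secret must not be empty")
    padded = password + b"\x00" * (-len(password) % BLOCK)
    hidden = bytearray()
    prev = request_authenticator
    for i in range(0, len(padded), BLOCK):
        b = hashlib.md5(shared_secret + prev).digest()
        c = bytes(x ^ y for x, y in zip(padded[i:i + BLOCK], b))
        hidden += c
        prev = c  # the next block is chained on this ciphertext block
    return bytes(hidden)

def reveal_user_password(hidden: bytes, shared_secret: bytes,
                         request_authenticator: bytes) -> bytes:
    """Server side: the inverse, possible only with the same shared secret."""
    if not hidden or len(hidden) % BLOCK:
        raise ValueError("hidden password must be a non-empty multiple of 16 octets")
    out = bytearray()
    prev = request_authenticator
    for i in range(0, len(hidden), BLOCK):
        c = hidden[i:i + BLOCK]
        b = hashlib.md5(shared_secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(c, b))
        prev = c
    return bytes(out).rstrip(b"\x00")  # strip the RFC 2865 null padding

def new_request_authenticator() -> bytes:
    """Fresh random 16 octets for every Access-Request, as RFC 2865 requires."""
    return os.urandom(BLOCK)

# Constructed demo values (not real credentials).
DEMO_SECRET = b"example-shared-secret"
DEMO_PASSWORD = b"correct horse battery staple"

def round_trip(password: bytes = DEMO_PASSWORD,
               secret: bytes = DEMO_SECRET) -> bool:
    """True when the server-side reveal recovers the client-side hidden password."""
    ra = new_request_authenticator()
    hidden = hide_user_password(password, secret, ra)
    return reveal_user_password(hidden, secret, ra) == password

if __name__ == "__main__":
    ra = new_request_authenticator()
    hidden = hide_user_password(DEMO_PASSWORD, DEMO_SECRET, ra)
    print("hidden User-Password:", hidden.hex())
    print("round trip ok:", round_trip())
```

The hiding key is derived only from the shared secret and the Request Authenticator, which travels unprotected in the same packet, so for PAP the strength of the Shared Secret is the only thing that protects a password captured in transit.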

Configuring TACACS authentication


You can configure TACACS authentication on your QRadar system.

Procedure
1. Click the Admin tab.
2. On the navigation menu, click System Configuration > User Management.
3. Click the Authentication icon.
4. From the Authentication Module list box, select TACACS Authentication.



5. Configure the parameters:
a. In the TACACS Server field, type the host name or IP address of the
TACACS server.
b. In the TACACS Port field, type the port of the TACACS server.
c. From the Authentication Type list box, select the type of authentication you
want to perform.
Choose from the following options:

v ASCII - American Standard Code for Information Interchange (ASCII) sends the user name and password in clear, unencrypted text.
v PAP - Password Authentication Protocol (PAP) sends clear text between the user and the server. This is the default authentication type.
v CHAP - Challenge Handshake Authentication Protocol (CHAP) establishes a Point-to-Point Protocol (PPP) connection between the user and the server.
v MSCHAP - Microsoft Challenge Handshake Authentication Protocol (MSCHAP) authenticates remote Windows workstations.
v MSCHAP2 - Microsoft Challenge Handshake Authentication Protocol version 2 (MSCHAP2) authenticates remote Windows workstations using mutual authentication.
v EAPMD5 - Extensible Authentication Protocol using MD5 Protocol (EAPMD5) uses MD5 to establish a PPP connection.

d. In the Shared Secret field, type the shared secret that QRadar Log Manager
uses to encrypt TACACS passwords for transmission to the TACACS server.
6. Click Save.

Configuring Active Directory authentication


You can configure Active Directory authentication on your IBM Security QRadar
system.

Procedure
1. Click the Admin tab.
2. On the navigation menu, click System Configuration > User Management.
3. Click the Authentication icon.
4. From the Authentication Module list box, select Active Directory.
Configure the following parameters:

v Server URL - Type the URL used to connect to the LDAP server, for example, ldaps://<host>:<port>. You can use a space-separated list to specify multiple LDAP servers.
v LDAP Context - Type the LDAP context you want to use, for example, DC=QRADAR,DC=INC.
v LDAP Domain - Type the domain that you want to use, for example, qradar.inc.

5. Click Save.

Configuring LDAP authentication


You can configure LDAP authentication on your IBM Security QRadar system.

Before you begin

If you plan to enable the SSL or TLS connection to your LDAP server, you must
import the SSL or TLS certificate from the LDAP server to the
/opt/qradar/conf/trusted_certificates directory on your Console system. For
more information about configuring the SSL certificate, see “Configuring Your SSL
or TLS certificate” on page 17.

Procedure
1. Click the Admin tab.
2. On the navigation menu, click System Configuration > User Management.
3. Click the Authentication icon.
4. From the Authentication Module list box, select LDAP. Configure the
following parameters:

v Server URL - Type the URL used to connect to the LDAP server, for example, ldaps://<host>:<port>. You can use a space-separated list to specify multiple LDAP servers.
v SSL Connection - Select True to use Secure Socket Layer (SSL) encryption to connect to the LDAP server. If SSL encryption is enabled, the value in the Server URL field must specify a secure connection, for example, ldaps://secureldap.mydomain.com:636.
v TLS Authentication - From the list box, select True to start Transport Layer Security (TLS) encryption to connect to the LDAP server. The default is True. TLS is negotiated as part of the normal LDAP protocol and does not require a special protocol designation or port in the Server URL field.
v Search Entire Base - Select one of the following options: True - Select to search all subdirectories of the specified Distinguished Name (DN). False - Select to search the immediate contents of the Base DN. The subdirectories are not searched.
v LDAP User Field - Type the user field identifier that you want to search on, for example, uid. You can use a comma-separated list to search for multiple user identifiers.
v Base DN - Type the base DN that is required to perform searches, for example, DC=IBM,DC=INC.

5. Click Save.

Configuring Your SSL or TLS certificate


If you use LDAP for user authentication and you want to enable SSL or TLS, you
must configure your SSL or TLS certificate.

Procedure
1. Using SSH, log in to your system as the root user.
a. User name: root
b. Password: <password>
2. Type the following command to create the /opt/qradar/conf/trusted_certificates/
directory: mkdir -p /opt/qradar/conf/trusted_certificates
3. Copy the SSL or TLS certificate from the LDAP server to the
/opt/qradar/conf/trusted_certificates directory on your system.
4. Verify that the certificate file name extension is .cert, which indicates that the
certificate is trusted. QRadar Log Manager only loads .cert files.

User role parameters


Descriptions for the User Role Management window parameters

The following table provides descriptions for the User Role Management window
parameters.
Table 3. User Role Management window parameters
v User Role Name - Type a unique name for the role. The user role name must meet the following requirements:
v Admin - Select this check box to grant the user administrative access to the user interface. After you select the Admin check box, all permissions check boxes are selected by default. Within the Admin role, you can grant individual access to the following Admin permissions:
  v Administrator Manager - Select this check box to allow users to create and edit other administrative user accounts. If you select this check box, the System Administrator check box is automatically selected.
  v System Administrator - Select this check box to allow users to access all areas of the user interface. Users with this access are not able to edit other administrator accounts.
v Offenses - Select this check box to grant the user access to all Offenses tab functions. Within the Offenses role, you can grant individual access to the following permissions:
  v Assign Offenses to Users - Select this check box to allow users to assign offenses to other users.
  v Maintain Custom Rules - Select this check box to allow users to create and edit custom rules. If you select this check box, the View Custom Rules check box is automatically selected.
  v Manage Offense Closing Reasons - Select this check box to allow users to manage offense closing reasons.
  v View Custom Rules - Select this check box to allow this user role to view custom rules. This permission, when granted to a user role that does not also have the Maintain Custom Rules permission, allows the user role to view custom rule details. The user role is not able to create or edit custom rules.
v Log Activity - Select this check box to grant the user access to all Log Activity tab functions. Within the Log Activity role, you can also grant users individual access to the following permissions:
  v Maintain Custom Rules - Select this check box to allow users to create or edit rules that use the Log Activity tab.
  v Manage Time Series - Select this check box to allow users to configure and view time series data charts.
  v User Defined Event Properties - Select this check box to allow users to create custom event properties. For more information about custom event properties, see the Users Guide for your product.
  v View Custom Rules - Select this check box to allow this user role to view custom rules. This permission, when granted to a user role that does not also have the Maintain Custom Rules permission, allows the user role to view custom rule details. The user role is not able to create or edit custom rules.
  For more information about the Log Activity tab, see the Users Guide for your product.
v Assets - Note: This permission is only displayed if IBM Security QRadar Vulnerability Manager is installed on your system. Select this check box to grant the user access to all Assets tab functions. Within the Assets role, you can grant individual access to the following permissions:
  v Perform VA Scans - Select this check box to allow users to complete vulnerability assessment scans. For more information about vulnerability assessment, see the Managing Vulnerability Assessment guide.
  v Remove Vulnerabilities - Select this check box to allow users to remove vulnerabilities from assets.
  v Server Discovery - Select this check box to allow users to discover servers.
  v View VA Data - Select this check box to allow users access to vulnerability assessment data. For more information about vulnerability assessment, see the Managing Vulnerability Assessment guide.
v Network Activity - Select this check box to grant the user access to all Network Activity tab functions. Within the Network Activity role, you can grant individual access to the following permissions:
  v Maintain Custom Rules - Select this check box to allow users to create or edit rules from the Network Activity tab.
  v Manage Time Series - Select this check box to allow users to configure and view time series data charts.
  v User Defined Flow Properties - Select this check box to allow users to create custom flow properties.
  v View Custom Rules - Select this check box to allow this user role to view custom rules. This permission, when granted to a user role that does not also have the Maintain Custom Rules permission, allows the user role to view custom rule details. The user role is not able to create or edit custom rules.
  v View Flow Content - Select this check box to allow users access to flow data.
  For more information about the Network Activity tab, see the Users Guide for your product.
v Reports - Select this check box to grant the user access to all Reports tab functions. Within the Reports role, you can grant users individual access to the following permissions:
  v Distribute Reports via Email - Select this check box to allow users to distribute reports through email.
  v Maintain Templates - Select this check box to allow users to edit report templates.
  For more information, see the Users Guide for your product.
v Vulnerability Manager - This option is only available if IBM Security QRadar Vulnerability Manager is activated. Select this check box to grant users access to QRadar Vulnerability Manager functions. For more information, see the IBM Security QRadar Vulnerability Manager User Guide.
v IP Right Click Menu Extensions - Select this check box to grant the user access to options added to the right-click menu.



Security profile parameters
The following table provides descriptions of the Security Profile Management
window parameters:
Table 4. Security Profile Management window parameters
v Security Profile Name - Type a unique name for the security profile. The security profile name must meet the following requirements: minimum of 3 characters and maximum of 30 characters.
v Description - Optional. Type a description of the security profile. The maximum number of characters is 255.

User Management window parameters

The following table provides descriptions of User Management window
parameters:
Table 5. User Management window parameters
Parameter Description
Username Displays the user name of this user account.
Description Displays the description of the user account.
E-mail Displays the email address of this user
account.
User Role Displays the user role that is assigned to this
user account. User Roles define what actions
the user has permission to perform.
Security Profile Displays the security profile that is assigned
to this user account. Security Profiles define
what data the user has permission to access.

User management window toolbar

The following table provides descriptions of the User Management window toolbar
functions:
Table 6. User Management window toolbar functions
Function Description
New Click this icon to create a user account. For
more information about how to create a user
account, see “Creating a user account” on
page 11.
Edit Click this icon to edit the selected user
account. For more information about how to
edit a user account, see “Editing a user
account” on page 11.
Delete Click this icon to delete the selected user
account. For more information about how to
delete a user account, see “Deleting a user
account” on page 12.
Search Users In this text box, you can type a keyword and
then press Enter to locate a specific user
account.

User Details window parameters

The following table provides descriptions of the User Details window parameters:
Table 7. User Details window parameters
Parameter Description
Username Type a unique user name for the new user.
The user name must contain a maximum of
30 characters.
E-mail Type the user's email address. The email
address must meet the following
requirements:
v Must be a valid email address
v Minimum of 10 characters
v Maximum of 255 characters
Password Type a password for the user to gain access.
The password must meet the following
criteria:
v Minimum of 5 characters
v Maximum of 255 characters
Confirm Password Type the password again for confirmation.
Description Optional. Type a description for the user
account. The maximum number of
characters is 2,048.
User Role From the list box, select the user role that
you want to assign to this user.

To add, edit, or delete user roles, you can click the Manage User Roles link. For
information on user roles, see “Role management” on page 5.
Security Profile From the list box, select the security profile
that you want to assign to this user.

To add, edit, or delete security profiles, you can click the Manage Security
Profiles link. For information on security profiles, see “Managing security
profiles” on page 7.

Chapter 3. Managing the system and licenses
You can manage the licenses, HA, and systems in your deployment.

You must allocate a license for each system in your deployment, including
software appliances. QFlow and Event Collectors do not require a license.

When you install a QRadar system, a default license key provides you with access
to the user interface for five weeks. Before the default license expires, you must
allocate a license key to your system. You can also add licenses to enable QRadar
products, such as QRadar Vulnerability Manager.

There is a 14 day grace period to reallocate a license. You can unlock a license if
the key is uploaded, after a host is patched with a fix, or after an unlock key is
uploaded. After the grace period is passed, the license is locked to the system.

If your license status is Invalid, the license must be replaced. The status might
indicate that your license has been altered without authorization.

A license remains undeployed until you deploy the license change.

System and License Management window overview

You can use the System and License Management window to manage your license
keys, restart or shut down your system, and configure access settings.

The toolbar on the System and License Management window provides the
following functions:
Table 8. System and License Management toolbar functions
Function Description
Allocate License to System Use this function to allocate a license to a
system.

When you select Licenses from the Display list box, the label on this function
changes to Allocate System to Licenses.

For more information, see “Allocating a system to a license” on page 33 or
“Allocating a license to a system” on page 29.
Upload License Use this function to upload a license to your
Console. For more information, see
“Uploading a license key” on page 29.

© Copyright IBM Corp. 2007, 2013 23

Actions (License) If you select Licenses from the Display list
box in the Deployment Details pane, the
following functions are available on the
Actions menu:
v Revert Allocation - Select this option to
undo license changes. The action reverts
the license to the previous state.

If you select Revert Allocation on a deployed license within the allocation grace
period, which is 14 days after deployment, the license state changes to Unlocked
so that you can reallocate the license to another system.
v Delete License - Select a license from the
list, and then select this option to delete
the license from your system. This option
is not available for undeployed licenses.
v View License - Select a license from the
list, and then select this option to view the
Current License Details window.
v Export Licenses - Select this option to
export the listed licenses to an external
file that you can store on your desktop
system. For more information, see
“Exporting a license” on page 31.
Actions (System) If you select Systems from the Display list
box in the Deployment Details pane, the
following functions are available on the
Actions menu:
v View System - Select a system, and then
select this option to view the System
Details window. For more information, see
“Viewing system details” on page 32.
v Add HA Host - Select a system, and then
select this option to add an HA host to
the system to form an HA cluster. For
more information about HA, see the High
Availability Guide for your product.
v Revert Allocation - Select this option to
undo staged license changes. The
configuration reverts to the last deployed
license allocation.

If you select Revert Allocation on a deployed license within the allocation grace
period, which is 14 days after deployment, the license state changes to Unlocked
so that you can reallocate the license to another system.
v Manage System - Select a system, and
then select this option to open the System
Setup window, which you can use to
configure firewall rules, interface roles,
passwords, and system time. For more
information, see “Access setting
management” on page 34.
v Restart Web Server - Select this option to
restart the user interface, when required.
For example, you might be required to
restart your user interface after you install
a new protocol that introduces new user
interface components.
v Shutdown System - Select a system, and
then select this option to shut down the
system. For more information, see
“Shutting down a system” on page 34.
v Restart System - Select a system, and then
select this option to restart the system. For
more information, see “Restarting a
system” on page 33.

The Deployment Details pane provides information about your deployment. You
can expand or collapse the Deployment Details pane.

Table 9. Deployment Details pane
Parameter Details
Display From this list box, select one of the
following options:
v Licenses - Displays a list of the allocated
and deallocated licenses in your
deployment. From this view, you can
manage your licenses.
v Systems - Displays a list of the host
systems in your deployment. From this
view, you can manage your systems.
Log Source Count Displays the number of log sources that are
configured for your deployment.
Users Displays the number of users that are
configured for your deployment.
Event Limit Displays the total event rate limit your
licenses allow for your deployment.
When you select Systems from the Display list box in the Deployment Details
pane, the System and License Management window displays the following
information:
Table 10. System and License Management window parameters - Systems view.
Parameter Description
Host Name Displays the host name of this system.
Host IP Displays the IP address of this system.
License Appliance Type Displays the appliance type of this system.
Version Displays the version number of the IBM
Security QRadar software that this system
uses.
Serial Number Displays the serial number of this system, if
available.
Host Status Displays the status of this system, if
available.
License Expiration Date Displays the expiration date of the license
that is allocated to this system.
License Status Displays the status of the license that is
allocated to this system. Statuses include:
v Unallocated - Indicates that this license is
not allocated to a system.
v Undeployed - Indicates that this license is
allocated to a system, but you have not
deployed the allocation change. This
means that the license is not active in
your deployment yet.
v Deployed - Indicates that this license is
allocated and active in your deployment.
v Unlocked - Indicates that this license has
been unlocked. You can unlock a license if
it has been deployed within the last 10
days. This is the default grace period to
reallocate a license. After the grace period
is passed, the license is locked to the
system. If you must unlock a license after
that period, contact Customer Support.
v Invalid - Indicates that this license is not
valid and must be replaced. This status
may indicate that your license has been
altered without authorization.
Event Rate Limit Displays the event rate limit your license
allows for this system.
Flow Rate Limit Displays the flow rate limit your license
allows for this system.

When you select Licenses from the Display list box in the Deployment Details
pane, the System and License Management window displays the following
information:
Table 11. System and License Management window parameters - Licenses view.
Parameter Description
Host Name Displays the host name of the system that is
allocated to this license.
Host IP Displays the IP address of the system that is
allocated to this license.
Appliance Type Displays the appliance type of the system
that is allocated to this license.
License Identity Displays the name of the IBM Security
QRadar product this license provides.
License Status Displays the status of the license that is
allocated to this system. Statuses include:
v Unallocated - Indicates that this license is
not allocated to a system.
v Undeployed - Indicates that this license is
allocated to a system, but you have not
deployed the allocation change. This
means that the license is not active in
your deployment yet.
v Deployed - Indicates that this license is
allocated and active in your deployment.
v Unlocked - Indicates that this license has
been unlocked. You can unlock a license if
it has been deployed within the last 10
days. This is the default grace period to
reallocate a license. After the grace period
is passed, the license is locked to the
system. If you must unlock a license after
that period, contact Customer Support.
v Invalid - Indicates that this license is not
valid and must be replaced. This status
may indicate that your license has been
altered without authorization.
License Expiration Date Displays the expiration date of this license.
Event Rate Limit Displays the event rate limit your license
allows.
Flow Rate Limit Displays the flow rate limit your license
allows.

License management
You use the options available on the System and License Management window to
manage your license keys.

About this task

A default license key provides you with access to the user interface for five weeks.
You must allocate a license key to your system.

When you initially set up a system, you must complete the following tasks:

Procedure
1. Obtain a license key. Choose one of the following options for assistance with
your license key:
v For a new or updated license key, contact your local sales representative.
v For all other technical issues, contact Customer Support.
2. Upload your license key. When you upload a license key, it is listed in the
System and License Management window, but remains unallocated. For more
information, see “Uploading a license key” on page 29.
3. Allocate your license by choosing one of the following options:
v “Allocating a system to a license” on page 33
v “Allocating a license to a system”
4. Deploy your changes. From the Admin tab menu, click Advanced > Deploy
Full Configuration.

Uploading a license key

You must upload a license key to the Console when you install a new QRadar
system, update an expired license, or add a QRadar product, such as QRadar
Vulnerability Manager, to your deployment.

Before you begin

Choose one of the following options for assistance with your license key:
1. For a new or updated license key, contact your local sales representative.
2. For all other technical issues, contact Customer Support.

About this task

If you log in to the user interface and your Console license key expired, you are
automatically directed to the System and License Management window. You must
upload a license key before you can continue. If one of your non-Console systems
includes an expired license key, a message is displayed when you log in indicating
a system requires a new license key. You must access the System and License
Management window to update that license key.
Procedure
1. Click the Admin tab.
2. On the navigation menu, click System Configuration.
3. Click the System and License Management icon.
4. On the toolbar, click Upload License.
5. In the dialog box, click Select File.
6. On the File Upload window, locate and select the license key.
7. Click Open.
8. Click Upload.

Results

The license is uploaded to your Console and is displayed in the System and
License Management window. By default, the license is not allocated.

What to do next

“Allocating a system to a license” on page 33

Allocating a license to a system

Use the options in the System and License Management window to allocate a
license.

Before you begin

Before you begin, you must obtain and upload a license to your Console. See
“Uploading a license key.”

About this task

When you install a QRadar system, a default license key provides you with access
to the user interface for five weeks. Before the default license expires, you must
allocate a license key to your system. You can also add licenses to enable QRadar
products, such as QRadar Vulnerability Manager.
License Status displays the status of the license that is allocated to this system.
Statuses include:
v Unallocated - Indicates that this license is not allocated to a system.
v Undeployed - Indicates that this license is allocated to a system, but you have
not deployed the allocation change. This means that the license is not active in
your deployment yet.
v Deployed - Indicates that this license is allocated and active in your deployment.
v Unlocked - Indicates that this license has been unlocked. You can unlock a
license if it has been deployed within the last 14 days. This is the default grace
period to reallocate a license. After the grace period is passed, the license is
locked to the system. If you must unlock a license after that period, contact
Customer Support.
v Invalid - Indicates that this license is not valid and must be replaced. This status
may indicate that your license has been altered without authorization.
Procedure
1. Click the Admin tab.
2. On the navigation menu, click System Configuration.
3. Click the System and License Management icon.
4. From the Display list box, select Licenses.
5. Select an unallocated license.
6. Click Allocate System to License.
7. Optional: To filter the list of licenses, type a keyword in the Upload License
search box.
8. From the list of licenses, select a license.
9. Select a system.
10. Click Allocate License to System.

Reverting an allocation
You can revert an allocated license within the 14 day grace period.

About this task

After you allocate a license to a system and before you deploy your configuration
changes, you can undo the license allocation. When you undo the license
allocation, the license that was last allocated and deployed on the system is
maintained.
Procedure
1. Click theAdmin tab.
2. On the navigation menu, click System Configuration.
3. Click the System and License Management icon.
4. From the Display list box, select Licenses.
5. Select the license that you want to revert.
6. Click Actions > Revert Allocation.

Viewing license details

A license key provides information and enforces the limits and abilities on an IBM
Security QRadar system.

About this task

From the System and License Management window, you can view license details,
such as the number of allowable log sources and the expiration dates.

Note: If you exceed the limit of configured log sources, an error message is
displayed. If log sources are auto-discovered and your limit is exceeded, they are
automatically disabled. To extend the number of log sources, contact your sales
representative.

Procedure
1. Click the Admin tab.
2. On the navigation menu, click System Configuration.
3. Click the System and License Management icon.
4. From the Display list box, select Licenses.
5. To display the Current License Details window for a license, double-click the
license that you want to view.

What to do next

From the Current License window, you can complete the following tasks:
v Click Upload License to upload a license. See “Uploading a license key.”
v Click Allocate License to System on the toolbar to assign a license. See
“Allocating a system to a license.”

Exporting a license
Export license key information to a desktop system.

About this task

You can export license key information to an external file on your desktop system.
Procedure
1. Click the Admin tab.
2. On the navigation menu, click System Configuration.
3. Click the System and License Management icon.
4. From the Display list box, select Licenses.
5. From the Actions menu, select Export Licenses.
6. Select one of the following options:
v Open with - Opens the license key data using the selected application.
v Save File - Saves the file to your desktop.
7. Click OK.

System management
Use the System and License Management window to manage systems in your
deployment.

You use the options available on the System and License Management window to
manage the systems in your deployment. You can view system details, assign a
license to a system, or restart and shut down a system.

Viewing system details

View information about the system, including licenses, from the System Details
window.

About this task

Open the System Details window to view information about the system and the
list of licenses that are allocated to the system.

The license list provides the following details for each license that is allocated to
this system:
Table 12. License parameters
Parameter Description
License Identity Displays the name of the QRadar product
this license provides.
License Status Displays the status of the license that is
allocated to this system. Statuses include:
v Unallocated - Indicates that this license is
not allocated to a system.
v Undeployed - Indicates that this license is
allocated to a system, but you have not
deployed the allocation change. This
means that the license is not active in
your deployment yet.
v Deployed - Indicates that this license is
allocated and active in your deployment.
v Unlocked - Indicates that this license has
been unlocked. You can unlock a license if
it has been deployed within the last 10
days. This is the default grace period to
reallocate a license. After the grace period
is passed, the license is locked to the
system. If you need to unlock a license
after that period, contact Customer
Support.
v Invalid - Indicates that this license is not
valid and must be replaced. This status
may indicate that your license has been
altered without authorization.
License Appliance Types Displays the appliance type that this license
is valid for.
License Expiration Date Displays the expiration date of this license.
Event Rate Limit Displays the event rate limit this license
allows.

Procedure
1. Click the Admin tab.
2. On the navigation menu, click System Configuration.
3. Click the System and License Management icon.
4. From the Display list box, select Systems.
5. To display the system details, double-click the system that you want to view.

What to do next

From the System Details window, you can complete the following tasks:
v Select a license and click View License. See “Viewing license details” on page
31.
v Click Upload License to upload a license. See “Uploading a license key” on
page 29.
v Click Allocate License to System on the toolbar to assign a license. See
“Allocating a system to a license.”

Allocating a system to a license

After you obtain and upload a license, use the options in the System and License
Management window to allocate a license.
You can allocate multiple licenses to a system. For example, in addition to the IBM
Security QRadar SIEM, you can allocate IBM Security QRadar Risk Manager, and
IBM Security QRadar Vulnerability Manager to your QRadar Console system.
Procedure
1. Click the Admin tab.
2. On the navigation menu, click System Configuration.
3. Click the System and License Management icon.
4. From the Display list box, select Systems.
5. Select an available system.
6. Click Allocate License to System.
7. Optional: To filter the list of licenses, type a keyword in the Upload License
search box.
8. From the list of licenses, select a license.
9. Select a system.
10. Click Allocate License to System.

Restarting a system
Use the Restart System option on the System and License Management window to
restart a system in your deployment.

About this task

Data collection stops while the system is shutting down and restarting.

Procedure
1. Click the Admin tab.
2. On the navigation menu, click System Configuration.
3. Click the System and License Management icon.
4. From the Display list box, select Systems.
5. Select the system that you want to restart.
6. From the Actions menu, select Restart System.

Shutting down a system

Use the Shutdown option on the System and License Management window to shut
down a system.

About this task

Data collection stops while the system is shutting down.

Procedure
1. Click the Admin tab.
2. On the navigation menu, click System Configuration.
3. Click the System and License Management icon.
4. From the Display list box, select Systems.
5. Select the system that you want to shut down.
6. From the Actions menu, select Shutdown.

Exporting system details

About this task

Use the Export Systems option on the System and License Management window
to export system information to an external file on your desktop system.

Procedure
1. Click the Admin tab.
2. On the navigation menu, click System Configuration.
3. Click the System and License Management icon.
4. From the Display list box, select Systems.
5. From the Actions menu, select Export Systems.
6. Select one of the following options:
v Open with - Opens the exported system data by using the selected application.
v Save File - Saves the file to your desktop.
7. Click OK.

Access setting management

You can use the System Setup window to configure firewall rules, interface roles,
passwords, and system time.

If you require network configuration changes, such as an IP address change, to
your Console and non-Console systems after your deployment is initially installed,
you must use the qchange_netsetup utility to make these changes. For more
information about network settings, see the Installation Guide for your product.

Configuring firewall access
You can configure local firewall access to enable communications between devices
and IBM Security QRadar. Also, you can define access to the System Setup
window.

About this task

Only the managed hosts that are listed in the Device Access box have access to
the selected system. For example, if you enter one IP address, only that IP
address is granted access to the Console. All other managed hosts are blocked.

Procedure
1. Click the Admin tab.
2. On the navigation menu, click System Configuration.
3. Click the System and License Management icon.
4. From the Display list box, select Systems.
5. Select the host for which you want to configure firewall access settings.
6. From the Actions menu, select Manage System.
7. Log in to the System Setup window. The default is:
a. User Name: root
b. Password: <password>
The user name and password are case-sensitive.
8. From the menu, select Managed Host Config > Local Firewall.
9. Configure the following Device Access parameters:
Option Description
Device Access In the Device Access box, include any IBM
systems that you want to have access to this
managed host. Only the listed managed
hosts have access. For example, if you enter
one IP address, only that IP address is
granted access to the managed host. All
other managed hosts are blocked.
IP Address Type the IP address of the managed host
that you want to grant access.
Protocol Select the protocol for which you want to
enable access for the specified IP address and port.
Options include:
v UDP - Allows UDP traffic.
v TCP - Allows TCP traffic.
v Any - Allows any traffic.
Port Type the port on which you want to enable
communications.

10. Click Allow.
11. Configure the following System Administration Web Control parameter:

Table 13. System administration web control parameter
Parameter Description
IP Address Type the IP addresses of managed hosts that
you want to allow access to the System Setup window in the IP Address field.
Only listed IP addresses have access to the user interface. If you leave the
field blank, all IP addresses have access.

Make sure that you include the IP address of the client desktop you want to
use to access the user interface. Failing to do so might affect connectivity.

12. Click Allow.
13. Click Apply Access Controls.
14. Wait for the System Setup window to refresh before you continue to another
task.
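The access semantics described in this procedure can be checked before you click Apply Access Controls. The following is an added Python example, not QRadar code or a QRadar API; the names DeviceAccessRule, device_access_allowed, web_control_allowed and web_control_lockout_risk are chosen for this example, and the IP addresses and ports are constructed sample values. It models the three behaviours the page states: Device Access is default deny (only listed host, port and protocol combinations pass, with Any as a protocol wildcard), the System Administration Web Control list admits every address when left blank, and a list that omits your own client desktop locks you out of the System Setup window.

```python
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Iterable, Sequence


# Constructed model of one Device Access entry from the Local Firewall page
# (IP Address, Protocol, Port). Illustrative only; this is not QRadar's
# internal rule representation.
@dataclass(frozen=True)
class DeviceAccessRule:
    ip: str
    protocol: str  # "UDP", "TCP", or "Any", as offered in the Protocol list box
    port: int


def normalize_protocol(protocol: str) -> str:
    """Accept the three values the page lists, case-insensitively."""
    proto = protocol.strip().upper()
    if proto not in {"UDP", "TCP", "ANY"}:
        raise ValueError(f"unsupported protocol {protocol!r}")
    return proto


def device_access_allowed(rules: Iterable[DeviceAccessRule],
                          src_ip: str, protocol: str, port: int) -> bool:
    """Default deny: a host reaches the managed host only when a listed entry
    matches its address and port, and its protocol (or the entry says Any)."""
    src = ip_address(src_ip)
    proto = normalize_protocol(protocol)
    for rule in rules:
        if ip_address(rule.ip) != src or rule.port != port:
            continue
        if normalize_protocol(rule.protocol) in ("ANY", proto):
            return True
    return False


def web_control_allowed(allowed_ips: Sequence[str], client_ip: str) -> bool:
    """System Administration Web Control: only listed addresses may open the
    System Setup window, except that an empty list admits every address."""
    if not allowed_ips:
        return True
    return ip_address(client_ip) in {ip_address(a) for a in allowed_ips}


def web_control_lockout_risk(allowed_ips: Sequence[str],
                             admin_client_ip: str) -> bool:
    """True when applying this list would cut off the administrator's own
    desktop, which is the connectivity problem step 11 warns about."""
    return not web_control_allowed(allowed_ips, admin_client_ip)


if __name__ == "__main__":
    # Constructed sample entries: one host on TCP/443, one on any protocol/514.
    sample_rules = [
        DeviceAccessRule("10.0.0.5", "TCP", 443),
        DeviceAccessRule("10.0.0.6", "Any", 514),
    ]
    print(device_access_allowed(sample_rules, "10.0.0.5", "tcp", 443))  # True
    print(device_access_allowed(sample_rules, "10.0.0.5", "UDP", 443))  # False
    print(device_access_allowed(sample_rules, "10.0.0.7", "TCP", 443))  # False
    print(web_control_allowed([], "192.0.2.10"))                       # True
    print(web_control_lockout_risk(["10.0.0.5"], "192.0.2.10"))         # True
```

Run web_control_lockout_risk with the list you intend to enter and the address your browser session actually comes from (a NAT gateway address may differ from the desktop's own) before applying the access controls.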

Updating your host setup

You can use the System Setup window to configure the mail server you want to
use and the global password for all systems in your QRadar deployment.

About this task

The global configuration password does not accept special characters. The global
configuration password must be the same throughout your deployment. If you edit
this password, you must also edit the global configuration password on all systems
in your deployment.
Procedure
1. Click the Admin tab.
2. On the navigation menu, click System Configuration.
3. Click the System and License Management icon.
4. From the Display list box, select Systems.
5. Select the host for which you want to update your host setup settings.
6. From the Actions menu, select Manage System.
7. Log in to the System Setup window. The default is:
a. User Name: root
b. Password: <password>
The user name and password are case-sensitive.
8. From the menu, select Managed Host Config > QRadar Setup.
9. In the Mail Server field, type the address for the mail server you want to use.
QRadar Log Manager uses this mail server to distribute alerts and event
messages. To use the mail server that QRadar Log Manager provides, type
localhost.
10. In the Enter the global configuration password field, type the password that
you want to use to access the host. Type the password again for confirmation.
11. Click Apply Configuration.

Configuring interface roles
You can assign specific roles to the network interfaces on each managed host.

Before you begin

For assistance with determining the appropriate role for each interface, contact
Customer Support.

Procedure
1. Click the Admin tab.
2. On the navigation menu, click System Configuration.
3. Click the System and License Management icon.
4. From the Display list box, select Systems.
5. Select the host for which you want to configure interface role settings.
6. From the Actions menu, select Manage System.
7. Log in to the System Setup window. The default is:
a. User Name: root
b. Password: <password>
The user name and password are case-sensitive.
8. From the menu, select Managed Host Config > Network Interfaces.
9. For each listed network interface, select the role that you want to assign to the
interface from the Role list box.
10. Click Save Configuration.
11. Wait for the System Setup window to refresh before you continue.

Changing passwords
You can change the root password for your system.

Before you begin

When you change a password, make sure that you record the entered values. The
root password does not accept the following special characters: apostrophe ('),
dollar sign ($), exclamation mark (!).

Procedure
1. Click the Admin tab.
2. On the navigation menu, click System Configuration.
3. Click the System and License Management icon.
4. From the Display list box, select Systems.
5. Select the host for which you want to change the root password.
6. From the Actions menu, select Manage System.
7. Log in to the System Setup window. The default is:
a. User Name: root
b. Password: <password>
The user name and password are case-sensitive.
8. From the menu, select Managed Host Config > Root Password.
9. Update the password:
a. New Root Password - Type the root password necessary to access the
System Setup window.
b. Confirm New Root Password - Type the password again for
confirmation.
10. Click Update Password.

Time server configuration

You can configure your time server to use an RDATE server or you can manually
configure your time server.

System time overview

All system time changes must be made within the System Time page. You can
change the system time on the host that operates the Console. The change is then
distributed to all managed hosts in your deployment.

You can change the time for the following options:
v System time
v Hardware time
v Time Zone
v Time Server

Configuring your time server using RDATE

Use the Time server sync tab to configure your time server using RDATE.

Procedure
1. Click the Admin tab.
2. On the navigation menu, click System Configuration.
3. Click the System and License Management icon.
4. From the Display list box, select Systems.
5. Select the host for which you want to configure system time settings.
6. From the Actions menu, select Manage System.
7. Log in to the System Setup window. The default is:
a. User Name: root
b. Password: <password>
The user name and password are case-sensitive.
8. From the menu, select Managed Host Config > System Time.
9. Configure the time zone:
a. Click the Change time zone tab.
b. From the Change timezone to list box, select the time zone in which this
managed host is located.
c. Click Save.
10. Configure the time server:
a. Click the Time server sync tab.
Configure the following parameters:

Table 14. Time server parameters
Parameter Description
Timeserver hostnames or addresses Type the time server host name or IP
address.
Set hardware time too Select this check box if you want to set the
hardware time.
Synchronize on schedule? Select one of the following options:
v No - Select this option if you do not want
to synchronize the time. Go to step c.
v Yes - Select this option if you want to
synchronize the time.
Simple Schedule Select this option if you want the time
update to occur at a specific time. After you
select this option, select a simple schedule
from the list box.
Times and dates are selected below Select this option to specify time you want
the time update to occur. After you select
this option, select the times and dates in the
list boxes.

11. Click Sync and Apply.

Manually configuring time settings for your system


Use the options on the Set time and Change timezone tabs to manually configure
your time settings.

Procedure
1. Click the Admin tab.
2. On the navigation menu, click System Configuration.
3. Click the System and License Management icon.
4. From the Display list box, select Systems.
5. Select the host for which you want to configure system time settings.
6. From the Actions menu, select Manage System.
7. Log in to the System Setup window. The default is:
a. User Name: root
b. Password: <password>
The user name and password are case-sensitive.
8. From the menu, select Managed Host Config > System Time.
9. Click the Set time tab.
The Set Time page is divided into tabs. You must save each setting before you
continue. For example, when you configure system time, you must click
Apply in the System Time pane before you continue.
10. Set the system time:
a. Choose one of the following options:
v In the System Time pane, using the list boxes, select the current date
and time you want to assign to the managed host.
v Click Set system time to hardware time.
b. Click Apply.
11. Set the hardware time:

a. Choose one of the following options:
v In the Hardware Time pane, using the list boxes, select the current date
and time you want to assign to the managed host.
v Click Set hardware time to system time.
b. Click Save.
12. Configure the time zone:
a. Click the Change time zone tab.
b. From the Change Timezone To list box, select the time zone in which this
managed host is located.
c. Click Save.

Chapter 4. User information source configuration
Configure your IBM Security QRadar system to collect user and group information
from Identity and Access Management endpoints.

IBM Security QRadar Log Manager uses the information that is collected from the
endpoints to enrich the user information that is associated with the traffic and
events that occur on your network.

IBM Security QRadar Network Anomaly Detection uses the information that is
collected from the endpoints to enrich the user information that is associated with
the traffic and events that occur on your network.

User information source overview


You can configure a user information source to enable user information collection
from an Identity and Access Management endpoint.

An Identity and Access Management endpoint is a product that collects and
manages electronic user identities, group memberships, and access permissions.
These endpoints are called user information sources.

Use the following utilities to configure and manage user information sources:
v Tivoli Directory Integrator - You must install and configure a Tivoli® Directory
Integrator on a non-QRadar host.
v UISConfigUtil.sh - Use this utility to create, retrieve, update, or delete user
information sources. A user information source integrates QRadar Log Manager
with an endpoint through a Tivoli Directory Integrator server.
v GetUserInfo.sh - Use this utility to collect user information from a user
information source and store the information in a reference data collection. You
can use this utility to collect user information on demand or on a schedule.

User information sources


A user information source is a configurable component that enables
communication with an endpoint to retrieve user and group information.

QRadar systems support the following user information sources:

Table 15. Supported information sources
Microsoft Windows Active Directory (AD), version 2008 - Microsoft Windows AD is a
directory service that authenticates and authorizes all users and computers that
use your Windows network. Information that is collected:
v full_name
v user_name
v user_principal_name
v family_name
v given_name
v account_is_disabled
v account_is_locked
v password_is_expired
v password_can_not_be_changed
v no_password_expired
v password_does_not_expire
IBM Security Access Manager (ISAM), version 7.0 - ISAM is an authentication and
authorization solution for corporate web, client/server, and existing applications.
For more information, see your IBM Security Access Manager (ISAM) documentation.
Information that is collected:
v name_in_rgy
v first-name
v last-name
v account_valid
v password_valid
IBM Security Identity Manager (ISIM), version 6.0 - ISIM provides the software and
services to deploy policy-based provisioning solutions. This product automates the
process of provisioning employees, contractors, and IBM Business Partners with
access rights to the applications they need, whether in a closed enterprise
environment or across a virtual or extended enterprise. For more information, see
your IBM Security Identity Manager (ISIM) documentation. Information that is
collected:
v Full name
v DN

Reference data collections for user information


This topic provides information about how reference data collections store data
collected from user information sources.

When QRadar Log Manager collects information from a user information source, it
automatically creates a reference data collection to store the information. The name
of the reference data collection is derived from the user information source group
name. For example, a reference data collection that is collected from Microsoft
Windows AD might be named Domain Admins.

The reference data collection type is a Map of Maps. In a Reference Map of Maps,
data is stored in records that map one key to another key, which is then mapped to
a single value.

For example:
v #
v # Domain Admins
v # key1,key2,data
v smith_j,Full Name,John Smith
v smith_j,account_is_disabled,0
v smith_j,account_is_locked
v smith_j,password_does_not_expire,1

For more information about reference data collections, see the Reference Data
Collections Technical Note.

Integration workflow example


After user and group information is collected and stored in a reference data
collection, there are many ways in which you can use the data in IBM Security
QRadar Log Manager.

You can create meaningful reports and alerts that characterize user adherence to
your company's security policies.

Consider the following example:

To ensure activities that are performed by privileged ISIM users comply with your
security policies, you can complete the following tasks:

Create a log source to collect and parse audit data for each ISIM server from which
the logs are collected. For more information about how to create a log source, see
the Managing Log Sources Guide.
1. Create a user information source for the ISIM server and collect ISIM
Administrators user group information. This step creates a reference data
collection that is called ISIM Administrators. See “Creating a user information
source” on page 46.
2. Configure a building block to test for events in which the source IP address is
the ISIM server and the user name is listed in the ISIM administrator reference
data collection. For more information about building blocks, see the User Guide
for your product.
3. Create an event search that uses the custom building block as a filter. For more
information about event searches, see the User Guide for your product.
4. Create a custom report that uses the custom event search to generate daily
reports on the audit activity of the privileged ISIM users. These generated
reports indicate whether any ISIM administrator activity breaches your security
policy. For more information about reports, see the User Guide for your product.
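The Map of Maps layout above and the privileged-user check in this workflow, as an added example that is not part of this guide or of QRadar: it parses a constructed export in the documented key1,key2,data layout and applies the building-block test (source IP is the ISIM server and the user name is listed in the ISIM Administrators collection) to constructed audit events. The ISIM server address and every record are assumed sample values.

```python
"""Parse a Reference Map of Maps export and flag privileged ISIM user activity.

Added example; not QRadar code. The export format (comment lines starting
with '#', then key1,key2,data records) follows the guide; the records, the
ISIM server address and the events below are constructed sample data.
"""
import csv
import io
from collections import defaultdict

# Constructed sample export of the "ISIM Administrators" collection.
# The account_is_locked row deliberately has no data field, to show how a
# short record is handled.
ISIM_ADMINS_EXPORT = """\
#
# ISIM Administrators
# key1,key2,data
smith_j,Full Name,John Smith
smith_j,account_is_disabled,0
smith_j,account_is_locked
smith_j,password_does_not_expire,1
doe_a,Full Name,Alice Doe
doe_a,account_is_disabled,1
"""

ISIM_SERVER_IP = "10.0.0.5"  # assumed address of the ISIM server (constructed)

# Constructed ISIM audit events: (source IP, user name, action)
SAMPLE_EVENTS = [
    ("10.0.0.5", "smith_j", "modify role"),
    ("10.0.0.5", "jones_b", "login"),          # not an ISIM administrator
    ("10.0.0.9", "smith_j", "login"),          # not from the ISIM server
    ("10.0.0.5", "doe_a", "delete account"),
]


def parse_map_of_maps(text):
    """Return {key1: {key2: data}}; a record without a data field maps to None.

    Comment lines ('#...') and blank lines are skipped; key1 is the first
    key (here the user name), key2 the attribute name.
    """
    result = defaultdict(dict)
    for row in csv.reader(io.StringIO(text)):
        if not row or row[0].startswith("#") or len(row) < 2:
            continue
        key1, key2 = row[0], row[1]
        data = row[2] if len(row) > 2 else None
        result[key1][key2] = data
    return dict(result)


def privileged_isim_activity(events, admins, isim_server_ip):
    """Building-block style test from the workflow: keep events whose source
    IP is the ISIM server and whose user name is in the admin collection,
    enriched with the Full Name stored in the reference data."""
    hits = []
    for src_ip, user, action in events:
        if src_ip == isim_server_ip and user in admins:
            hits.append({
                "user": user,
                "full_name": admins[user].get("Full Name"),
                "action": action,
            })
    return hits


if __name__ == "__main__":
    admins = parse_map_of_maps(ISIM_ADMINS_EXPORT)
    for hit in privileged_isim_activity(SAMPLE_EVENTS, admins, ISIM_SERVER_IP):
        print(hit)
```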

Note: If you want to collect application security logs, you must create a Device
Support Module (DSM). For more information, see the IBM Security QRadar DSM
Configuration Guide.

User information source configuration and management task overview

To initially integrate user information sources, you must perform the following
tasks:
1. Configure a Tivoli Directory Integrator server. See “Configuring the Tivoli
Directory Integrator server” on page 44.
2. Create and manage user information sources. See “Creating and managing user
information source” on page 46.
3. Collect user information. See “Collecting user information” on page 49.

Configuring the Tivoli Directory Integrator server
For QRadar Log Manager to integrate with user information sources, you must
install and configure a Tivoli Directory Integrator on a non-QRadar host.

About this task

No configuration is required on your system; however, you must access your
Console to obtain the QRadarIAM_TDI.zip file. Then, install and configure a Tivoli
Directory Integrator server on a separate host. If necessary, you must also create
and import a self-signed certificate.

When you extract the QRadarIAM_TDI.zip file on the Tivoli Directory Integrator
server, the TDI directory is automatically created. The TDI directory includes the
following files:
v QradarIAM.sh, which is the TDI startup script for Linux
v QradarIAM.bat, which is the TDI startup script for Microsoft Windows
v QradarIAM.xml, which is the TDI XML script and must be stored in the same
location as the QradarIAM.properties file
v QradarIAM.properties, which is the properties file for the TDI XML script

When you install Tivoli Directory Integrator, you must configure a name for the
Solutions directory. This task requires you to access the Solutions directory.
Therefore, in the task steps, <solution_directory> refers to the name that you
gave to the directory.

The following parameters are used to create and import certificates:


Table 16. Certification configuration parameters
Parameter Description
<server_ip_address> Defines the IP address of the Tivoli
Directory Integrator server.
<days_valid> Defines the number of days that the
certificate is valid.
<keystore_file> Defines the name of the keystore file.
-storepass <password> Defines the password for keystore.
-keypass <password> Defines the password for the private/public
key pair.
<alias> Defines the alias for an exported certificate.
<certificate_file> Defines the file name of the certificate.

Procedure
1. Install Tivoli Directory Integrator on a non-QRadar host. For more information
on how to install and configure Tivoli Directory Integrator, see your Tivoli
Directory Integrator (TDI) documentation.
2. Using SSH, log in to your Console as the root user.
a. User name: root
b. Password: <password>
3. Copy the QRadarIAM_TDI.zip file to the Tivoli Directory Integrator server.

4. On the Tivoli Directory Integrator server, extract the QRadarIAM_TDI.zip file in
the Solutions directory.
5. Configure your Tivoli Directory Integrator server to integrate with QRadar.
a. Open the Tivoli Directory Integrator <solution_directory>/
solution.properties file.
b. Uncomment the com.ibm.di.server.autoload property. If this property is
already uncommented, note the value of the property.
c. Choose one of the following options:
v Change directories to the autoload.tdi directory, which contains the
com.ibm.di.server.autoload property by default.
v Create an autoload.tdi directory in the <solution_directory> to store the
com.ibm.di.server.autoload property.
d. Move the TDI/QradarIAM.xml and TDI/QradarIAM.properties files from
the Tivoli Directory Integrator directory to the <solution_directory>/
autoload.tdi directory or the directory you created in the previous step.
e. Move the QradarIAM.bat and QradarIAM.sh scripts from the Tivoli
Directory Integrator directory to the location from which you want to start
the Tivoli Directory Integrator.
6. If certificate-based authentication is required for your system to authenticate
to the Tivoli Directory Integrator, select one of the following options:
v To create and import a self-signed certificate, see Step 7.
v To import a CA certificate, see Step 8.
7. Create and import the self-signed certificate into the Tivoli Directory
Integrator truststore.
a. To generate a keystore and a private/public key pair, type the following
command:
v keytool -genkey -dname cn=<server_ip_address> -validity
<days_valid> -keystore <keystore_file> -storepass <password>
-keypass <password>
v For example, keytool -genkey -dname cn=192.168.1.1 -validity 365
-keystore server.jks -storepass secret -keypass secret
b. To export the certificate from the keystore, type the following command:
v keytool -export -alias <alias> -file <certificate_file>
-keystore <keystore_file> -storepass <password>
v For example, keytool -export -alias mykey -file server.cert
-keystore server.jks -storepass secret
c. To import the primary certificate back into the keystore as the self-signed
CA certificate, type the following command:
v keytool -import -trustcacerts -file <certificate_file> -keystore
<keystore_file> -storepass <password> -alias <alias>
v For example, keytool -import -trustcacerts -file server.cert
-keystore server.jks -storepass secret -alias mytrustedkey
d. Copy the certificate file to the /opt/qradar/conf/trusted_certificates
directory on the QRadar SIEM Console.
8. Import the CA certificate into the Tivoli Directory Integrator truststore.
a. To import the CA certificate into the keystore as the self-signed CA
certificate, type the following command:
v keytool -import -trustcacerts -file <certificate_file> -keystore
<keystore_file> -storepass <password> -alias <alias>
v For example, keytool -import -trustcacerts -file server.cert
-keystore server.jks -storepass secret -alias mytrustedkey
b. Copy the CA certificate file to the /opt/qradar/conf/trusted_certificates
directory on the QRadar SIEM Console.
9. Edit the <solution_directory>/solution.properties file to uncomment and
configure the following properties:
v javax.net.ssl.trustStore=<keystore_file>
v {protect}-javax.net.ssl.trustStorePassword=<password>
v javax.net.ssl.keyStore=<keystore_file>
v {protect}-javax.net.ssl.keyStorePassword=<password>

Note: The default current, unmodified password might be displayed in the
following format: {encr}EyHbak. Enter the password as plain text. The
password is encrypted the first time that you start Tivoli Directory Integrator.
10. Use one of the following scripts to start the Tivoli Directory Integrator:
v QradarIAM.sh for Linux
v QradarIAM.bat for Microsoft Windows

Creating and managing user information source


Use the UISConfigUtil utility to create, retrieve, update, or delete user information
sources.

Creating a user information source


Use the UISConfigUtil utility to create a user information source.

Before you begin

Before you create a user information source, you must install and configure your
Tivoli Directory Integrator server. For more information, see “Configuring the
Tivoli Directory Integrator server” on page 44.

About this task

When you create a user information source, you must identify the property values
required to configure the user information source. The following table describes the
supported property values:
Table 17. Supported user information source property values
Property Description
tdiserver Defines the host name of the Tivoli Directory
Integrator server.
tdiport Defines the listening port for the HTTP
connector on the Tivoli Directory Integrator
server.
hostname Defines the host name of the user
information source host.
port Defines the listening port for the Identity
and Access Management registry on the user
information host.
username Defines the user name that QRadar Log
Manager uses to authenticate to the Identity
and Access Management registry.
password Defines the password that is required to
authenticate to the Identity and Access
Management registry.
searchbase Defines the base DN.
search filter Defines the search filter that is required to
filter the user information that is retrieved
from the Identity and Access Management
registry.

Procedure
1. Using SSH, log in to your Console as the root user.
a. User name: root
b. Password: <password>
2. To add a user information source, type the following command:
UISConfigUtil.sh add <name> -t <AD|ISAM|ISIM|ISFIM> [-d description] [-p
prop1=value1,prop2=value2...,propn=valuen]
Where:
v <name> Is the name of the user information source you want to add.
v <AD|ISAM|ISIM|ISFIM> Indicates the user information source type.
v [-d description] Is a description of the user information source. This
parameter is optional.
v [-p prop1=value1,prop2=value2,...,propn=valuen] Identifies the property
values required for the user information source. For more information about
the supported parameters, see “Creating a user information source” on page
46.
For example:
v ./UISConfigUtil.sh add "UIS_ISIM" -t ISIM -d "UIS for ISIM" -p
"tdiserver=nc9053113023.tivlab.austin.ibm.com,tdiport=8080,hostname=vmibm7094.ottawa.ibm.com,port=389,username=cn=root,password=p

Retrieving user information sources


Use the UISConfigUtil utility to retrieve user information sources.

Procedure
1. Using SSH, log in to your Console as the root user.
a. User name: root
b. Password: <password>
2. Choose one of the following options:
a. Type the following command to retrieve all user information sources:
UISConfigUtil.sh get
b. Type the following command to retrieve a specific user information source:
UISConfigUtil.sh get <name>
Where <name> is the name of the user information source you want to
retrieve.
For example:
[root@vmibm7089 bin]# ./UISConfigUtil.sh get "UIS_AD"

Editing a user information source


Use the UISConfigUtil utility to edit a user information source.

Procedure
1. Using SSH, log in to your Console as the root user.
a. User name: root
b. Password: <password>
2. Type the following command to edit a user information source:
UISConfigUtil.sh update <name> -t <AD|ISAM|ISIM|ISFIM> [-d description]
[-p prop1=value1,prop2=value2,...,propn=valuen]
Where:
v <name> Is the name of the user information source you want to edit.
v <AD|ISAM|ISIM|ISFIM> Indicates the user information source type. To update
this parameter, type a new value.
v [-d description] Is a description of the user information source. This
parameter is optional. To update this parameter, type a new description.
v [-p prop1=value1,prop2=value2,...,propn=valuen] Identifies the property
values required for the user information source. To update this parameter,
type new properties. For more information about the supported parameters,
see “Creating a user information source” on page 46.
For example:
./UISConfigUtil.sh update "UIS_AD_update" -t AD -d "UIS for AD" -p
"searchbase=DC=local"

Deleting a user information source


Use the UISConfigUtil utility to delete a user information source.

Procedure
1. Using SSH, log in to your Console as the root user.
a. User name: root
b. Password: <password>
2. Type the following command to delete a user information source:
UISConfigUtil.sh delete <name>
Where <name> is the name of the user information source you want to delete.

Collecting user information
Use the GetUserInfo utility to collect user information from the user information
sources and store the data in a reference data collection.

About this task

Use this task to collect user information on demand. If you want to create
automatic user information collection on a schedule, create a cron job entry. For
more information about cron jobs, see your Linux documentation.

Procedure
1. Using SSH, log in to your Console as the root user.
a. User name: root
b. Password: <password>
2. Type the following command to collect user information on demand:
GetUserInfo.sh <UISName>
Where <UISName> is the name of the user information source you want to
collect information from.

What to do next

The collected user information is stored in a reference data collection on the
database. If no reference data collection exists, a new reference data collection is
created. If a reference data collection was previously created for this user
information source, the reference map is purged of previous data and the new user
information is stored. For more information about reference data collections, see
“Reference data collections for user information” on page 42.

Chapter 5. Set up QRadar Log Manager
Use the features on the Admin tab to set up IBM Security QRadar Log Manager.

You can configure your network hierarchy, automatic updates, system settings,
event retention buckets, system notifications, console settings, and index
management.

Network hierarchy
QRadar uses the network hierarchy to understand your network traffic and
provide you with the ability to view activity for your entire deployment.

When you develop your network hierarchy, consider the most effective method for
viewing network activity. The network hierarchy does not need to resemble the
physical deployment of your network. QRadar supports any network hierarchy
that can be defined by a range of IP addresses. You can base your network on
many different variables, including geographical or business units.

When you define your network hierarchy, you must consider the systems, users,
and servers that can be grouped.

You can group systems and user groups that have similar behavior. However, do
not group a server that has unique behavior with other servers on your network.
Placing a unique server alone provides the server greater visibility in QRadar, and
you can manage specific policies.

Within a group, you can place servers with high volumes of traffic, such as mail
servers, at the top of the group. This hierarchy provides you with a visual
representation when a discrepancy occurs.

If your deployment processes more than 600,000 flows, then you can create
multiple top-level groups.

You can organize your systems and networks by role or similar traffic patterns. For
example, mail servers, departmental users, labs, or development groups. Using this
organization, you can differentiate network behavior and enforce network
management security policies.

Large network groups can cause you difficulty when you view detailed
information for each object. Do not configure a network group with more than 15
objects.

Combine multiple Classless Inter-Domain Routings (CIDRs) or subnets into a
single network group to conserve disk space. For example:
Table 18. Example of multiple CIDRs and subnets in a single network group
Group Description IP addresses
1 Marketing 10.10.5.0/24
2 Sales 10.10.8.0/21
3 Database Cluster 10.10.1.3/32, 10.10.1.4/32, 10.10.1.5/32

Add key servers as individual objects and group other major but related servers
into multi-CIDR objects.

Define an all-encompassing group so that when you define new networks, the
appropriate policies and behavioral monitors are applied. For example:
Table 19. Example of an all-encompassing group
Group Subgroup IP address
Cleveland Cleveland miscellaneous 10.10.0.0/16
Cleveland Cleveland Sales 10.10.8.0/21
Cleveland Cleveland Marketing 10.10.1.0/24

If you add a network to the example, such as 10.10.50.0/24, which is an HR
department, the traffic displays as Cleveland-based and any rules you apply to the
Cleveland group are applied by default.
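Longest-prefix matching over the Table 19 hierarchy, as an added example (not QRadar code) of why the all-encompassing group catches a new network such as 10.10.50.0/24 until a more specific object is defined; the sample addresses are constructed.

```python
"""Classify addresses against a network hierarchy by longest-prefix match.

Added example, not QRadar code. The hierarchy rows are Table 19 from this
guide; the addresses passed to classify() are constructed.
"""
import ipaddress

# Table 19: (group, subgroup, network)
NETWORK_HIERARCHY = [
    ("Cleveland", "Cleveland miscellaneous", "10.10.0.0/16"),
    ("Cleveland", "Cleveland Sales", "10.10.8.0/21"),
    ("Cleveland", "Cleveland Marketing", "10.10.1.0/24"),
]


def build_hierarchy(rows):
    """Return [(network, group, subgroup)] sorted most specific first, so the
    first object that contains an address is the longest-prefix match."""
    objs = [(ipaddress.ip_network(cidr), group, sub) for group, sub, cidr in rows]
    return sorted(objs, key=lambda obj: obj[0].prefixlen, reverse=True)


def classify(address, hierarchy):
    """Return (group, subgroup) of the most specific object containing the
    address, or None when no object in the hierarchy covers it."""
    ip = ipaddress.ip_address(address)
    for net, group, sub in hierarchy:
        if ip in net:
            return (group, sub)
    return None


def parent_object(cidr, hierarchy):
    """Most specific existing object that contains the whole new network:
    the group whose rules the new network inherits by default. None means
    the new network sits outside every defined object."""
    new = ipaddress.ip_network(cidr)
    for net, group, sub in hierarchy:
        if new != net and new.subnet_of(net):
            return (group, sub)
    return None


if __name__ == "__main__":
    tree = build_hierarchy(NETWORK_HIERARCHY)
    for addr in ("10.10.50.7", "10.10.9.20", "10.10.1.9", "192.168.1.1"):
        print(addr, classify(addr, tree))
    print("10.10.50.0/24 inherits from", parent_object("10.10.50.0/24", tree))
```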

Acceptable CIDR values


QRadar accepts specific CIDR values.

The following table provides a list of the CIDR values that QRadar accepts:
Table 20. Acceptable CIDR values
CIDR Length Mask Number of Networks Hosts
/1 128.0.0.0 128 A 2,147,483,392
/2 192.0.0.0 64 A 1,073,741,696
/3 224.0.0.0 32 A 536,870,848
/4 240.0.0.0 16 A 268,435,424
/5 248.0.0.0 8 A 134,217,712
/6 252.0.0.0 4 A 67,108,856
/7 254.0.0.0 2 A 33,554,428
/8 255.0.0.0 1 A 16,777,214
/9 255.128.0.0 128 B 8,388,352
/10 255.192.0.0 64 B 4,194,176
/11 255.224.0.0 32 B 2,097,088
/12 255.240.0.0 16 B 1,048,544
/13 255.248.0.0 8 B 524,272
/14 255.252.0.0 4 B 262,136
/15 255.254.0.0 2 B 131,068
/16 255.255.0.0 1 B 65,534
/17 255.255.128.0 128 C 32,512
/18 255.255.192.0 64 C 16,256
/19 255.255.224.0 32 C 8,128
/20 255.255.240.0 16 C 4,064
/21 255.255.248.0 8 C 2,032
/22 255.255.252.0 4 C 1,016
/23 255.255.254.0 2 C 508
/24 255.255.255.0 1 C 254
/25 255.255.255.128 2 subnets 124
/26 255.255.255.192 4 subnets 62
/27 255.255.255.224 8 subnets 30
/28 255.255.255.240 16 subnets 14
/29 255.255.255.248 32 subnets 6
/30 255.255.255.252 64 subnets 2
/31 255.255.255.254 none none
/32 255.255.255.255 1/256 C 1

For example, a network is called a supernet when the prefix boundary contains
fewer bits than the natural (or classful) mask of the network. A network is called a
subnet when the prefix boundary contains more bits than the natural mask of the
network:
v 209.60.128.0 is a class C network address with a mask of /24.
v 209.60.128.0 /22 is a supernet that yields:
– 209.60.128.0 /24
– 209.60.129.0 /24
– 209.60.130.0 /24
– 209.60.131.0 /24
v 192.0.0.0 /25
Subnet Host Range
0 192.0.0.1 - 192.0.0.126
1 192.0.0.129 - 192.0.0.254
v 192.0.0.0 /26
Subnet Host Range
0 192.0.0.1 - 192.0.0.62
1 192.0.0.65 - 192.0.0.126
2 192.0.0.129 - 192.0.0.190
3 192.0.0.193 - 192.0.0.254
v 192.0.0.0 /27
Subnet Host Range
0 192.0.0.1 - 192.0.0.30
1 192.0.0.33 - 192.0.0.62
2 192.0.0.65 - 192.0.0.94
3 192.0.0.97 - 192.0.0.126
4 192.0.0.129 - 192.0.0.158
5 192.0.0.161 - 192.0.0.190
6 192.0.0.193 - 192.0.0.222
7 192.0.0.225 - 192.0.0.254
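Added example, not from this guide, that reproduces the rows of Table 20 and the supernet and subnet splits above for any IPv4 prefix length using only the Python standard library. It follows the table's convention of reserving the network and broadcast address of each classful network inside a block (and of each subnet from /25 to /30); /31 and /32 are treated as the table shows them.

```python
"""Compute the acceptable-CIDR table rows, supernet members and subnet host
ranges for IPv4 prefixes. Added example; not QRadar code."""
import ipaddress


def classful_networks(prefixlen):
    """'Number of Networks' column as Table 20 expresses it: whole class A,
    B or C networks for /1-/24, subnets of one class C for /25-/30."""
    if prefixlen <= 8:
        return f"{2 ** (8 - prefixlen)} A"
    if prefixlen <= 16:
        return f"{2 ** (16 - prefixlen)} B"
    if prefixlen <= 24:
        return f"{2 ** (24 - prefixlen)} C"
    if prefixlen <= 30:
        return f"{2 ** (prefixlen - 24)} subnets"
    return "none" if prefixlen == 31 else "1/256 C"


def usable_hosts(prefixlen):
    """Usable hosts for a /prefixlen, reserving two addresses (network and
    broadcast) per classful network in the block, or per subnet below /24."""
    total = 2 ** (32 - prefixlen)
    if prefixlen <= 8:
        reserved = 2 * 2 ** (8 - prefixlen)
    elif prefixlen <= 16:
        reserved = 2 * 2 ** (16 - prefixlen)
    elif prefixlen <= 24:
        reserved = 2 * 2 ** (24 - prefixlen)
    elif prefixlen <= 30:
        reserved = 2
    else:
        return 0 if prefixlen == 31 else 1  # table: /31 none, /32 one host
    return total - reserved


def cidr_row(prefixlen):
    """One row of the table: (CIDR, mask, number of networks, hosts)."""
    mask = str(ipaddress.ip_network(f"0.0.0.0/{prefixlen}").netmask)
    return (f"/{prefixlen}", mask, classful_networks(prefixlen),
            usable_hosts(prefixlen))


def supernet_members(cidr, natural_prefix=24):
    """Classful networks aggregated by a supernet such as 209.60.128.0/22;
    a prefix at or below the natural mask is returned unchanged."""
    net = ipaddress.ip_network(cidr)
    if net.prefixlen >= natural_prefix:
        return [str(net)]
    return [str(sub) for sub in net.subnets(new_prefix=natural_prefix)]


def subnet_host_ranges(cidr, new_prefix):
    """(index, first host, last host) for each subnet when a network such as
    192.0.0.0/24 is split into /new_prefix subnets."""
    net = ipaddress.ip_network(cidr)
    ranges = []
    for index, sub in enumerate(net.subnets(new_prefix=new_prefix)):
        hosts = list(sub.hosts())
        ranges.append((index, str(hosts[0]), str(hosts[-1])))
    return ranges


if __name__ == "__main__":
    for plen in (1, 8, 16, 24, 27, 32):
        print(cidr_row(plen))
    print(supernet_members("209.60.128.0/22"))
    for row in subnet_host_ranges("192.0.0.0/24", 27):
        print(row)
```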
Related tasks:
“Defining your network hierarchy”
Use the Network Views window to define your network hierarchy.

Defining your network hierarchy


Use the Network Views window to define your network hierarchy.

Procedure
1. Click the Admin tab.
2. On the navigation menu, click System Configuration.
3. Click Network Hierarchy.
4. From the menu tree on the Network Views window, select the area of the
network in which you want to add a network object.
5. Click Add.
6. From Group list, select the group in which you want to add the new network
object.
7. Optional: Click Add Group to create a new group.
8. Type a unique name for the object.
9. Type or select the weight of the object. The range is 0 - 100 and indicates the
importance of the object in the system.
10. Type the CIDR range for this object and click Add.
11. Type a description for this network object.
12. Click Select Color and select a color for this object.
13. Select the database length.
14. Click Save.
15. Repeat for all network objects.
16. Optional: Click Re-Order and organize the network objects.
Related concepts:
“Acceptable CIDR values” on page 52
QRadar accepts specific CIDR values.

Automatic updates
You can automatically or manually update your configuration files to ensure that
your configuration files contain the latest network security information.

QRadar uses system configuration files to provide useful characterizations of
network data flows.

The Console must be connected to the Internet to receive the updates. If your
Console is not connected to the Internet, you must configure an internal update
server for your Console to download the files from.

Update files are available for manual download from the following website:

http://www.ibm.com/support/fixcentral/

Update files can include the following updates:
v Configuration updates, which include configuration file changes, vulnerability,
QID map, and security threat information updates.
v DSM updates, which include corrections to parsing issues, scanner changes, and
protocol updates.
v Major updates, which include items such as updated JAR files.
v Minor updates, which include items such as more Online Help content or
updated scripts.

To maintain the integrity of your current configuration and information, either
replace your existing configuration files or integrate the updated files with your
existing files.

After you install updates on your Console and deploy your changes, the Console
updates its managed hosts if your deployment is defined in your deployment
editor. For more information about the deployment editor, see Chapter 9,
“Deployment editor,” on page 103.

CAUTION:
You must build your system and event views in the deployment editor before
you configure automatic or manual updates. Otherwise, your managed hosts are
not updated.

Automatic updates for high availability deployments

When you update your configuration files on a primary host and deploy your
changes, the updates are automatically made on the secondary host. If you do not
deploy your changes, the updates are made on the secondary host through an
automated process that runs hourly.
Related concepts:
“Set up a QRadar update server” on page 60
If your deployment includes a QRadar Console that is unable to access the Internet
or you want to manually manage updates to your system, you can set up a
QRadar update server to manage the update process.

Viewing pending updates


Your system is preconfigured for weekly automatic updates. You can view the
pending updates in the Updates window.

About this task

Your system needs to be operational long enough to retrieve the weekly updates. If
no updates are displayed in the Updates window, either your system has not been
in operation long enough to retrieve the weekly updates or no updates have been
issued. If this occurs, you can manually check for new updates. For more
information about checking for new updates, see “Checking for new updates” on
page 58.

The Check for Updates toolbar provides the following functions:

Table 21. Check for Updates toolbar functions
Function Description
Hide Select one or more updates, and then click
Hide to remove the selected updates from
the Check for Updates page. You can view
and restore the hidden updates on the
Restore Hidden Updates page. For more
information, see “Restoring hidden updates”
on page 59.
Install You can manually install updates. When you
manually install updates, the installation
process starts within a minute. For more
information, see “Manually installing
automatic updates” on page 59.
Schedule You can configure a specific date and time to
manually install selected updates on your
Console. Scheduling is useful when you
want to schedule the update installation
during off-peak hours. For more
information, see “Scheduling an update” on
page 58.
Unschedule You can remove preconfigured schedules for
manually installing updates on your
Console. For more information,
see “Scheduling an update” on page 58.
Search By Name You can locate a specific update by name.
Next Refresh This counter displays the amount of time
until the next automatic refresh. The list of
updates on the Check for Updates page
automatically refreshes every 60 seconds.
The timer is automatically paused when you
select one or more updates.
Pause Pauses the automatic refresh process. To
resume automatic refresh, click Play.
Refresh Refreshes the list of updates.

Procedure
1. Click the Admin tab.
2. On the navigation menu, click System Configuration.
3. Click Auto Update.
4. To view details on an update, select the update.

Configuring automatic update settings


You can customize the automatic update settings to change the frequency, update
type, server configuration, and backup settings.

About this task

Select the Auto Deploy check box to deploy updates automatically. If Auto Deploy
is not selected, you must deploy the changes manually, from the Dashboard tab,
after updates are installed.

You can select the Auto Restart Service check box to allow automatic updates that
require the user interface to restart. A user interface disruption occurs when the
service restarts. Alternatively, you can manually install the update from the Check
for Updates window.

Procedure
1. Click the Admin tab.
2. On the navigation menu, click System Configuration.
3. Click Auto Update.
4. On the navigation menu, click Change Settings.
5. On the Basic tab, select the schedule for updates.
6. In the Configuration Updates section, select the method that you want to use
for updating your configuration files.
7. In the DSM, Scanner, Protocol Updates section, select an option to install
updates.
8. In the Major Updates section, select an option for receiving major updates for
new releases.
9. In the Minor updates section, select an option for receiving patches for minor
system issues.
10. Select the Auto Deploy check box if you want to deploy update changes
automatically after updates are installed.
11. Select the Auto Restart Service check box if you want to restart the user
interface service automatically after updates are installed.
12. Click the Advanced tab.
13. In the Web Server field, type the web server from which you want to obtain the
updates. The default web server is http://www.ibm.com/support/fixcentral.
14. In the Directory field, type the directory location on which the web server
stores the updates. The default directory is autoupdates/.
15. Optional: In the Proxy Server field, type the URL for the proxy server. The
proxy server is required if the application server uses a proxy server to
connect to the Internet.
16. Optional: In the Proxy Username field, type the user name for the proxy
server. A user name is required if you are using an authenticated proxy.
17. In the Proxy Password field, type the password for the proxy server. A
password is required if you are using an authenticated proxy.
18. Select the Send Feedback check box if you want to send feedback to IBM
about the update. If errors occur during an update, feedback is automatically
sent by a web form.
19. In the Backup Retention Period list, type or select the number of days that
you want to store files that are replaced during the update process. The files
are stored in the location that is specified in the Backup Location. The
minimum is one day and the maximum is 65535 years.
20. In the Backup Location field, type the location where you want to store
backup files.
21. In the Download Path field, type the directory path location to which you
want to store DSM, minor, and major updates. The default directory path is
/store/configservices/staging/updates.
22. Click Save.

Scheduling an update
Automatic updates occur on a recurring schedule according to the settings on the
Update Configuration page. You can also schedule an update or a set of updates to
run at a specific time.

About this task

To reduce performance impacts on your system, schedule a large update to run
during off-peak hours.

For detailed information on each update, you can select the update. A description
and any error messages are displayed in the right pane of the window.

Procedure
1. Click the Admin tab.
2. On the navigation menu, click System Configuration.
3. Click Auto Update.
4. Optional: If you want to schedule specific updates, select the updates that you
want to schedule.
5. From the Schedule list box, select the type of update you want to schedule.
6. Using the calendar, select the date and time at which you want your scheduled
updates to start.

Clearing scheduled updates


You can cancel any scheduled update.

About this task

Scheduled updates display a status of Scheduled in the Status field. After the
schedule is cleared, the status of the update displays as New.

Procedure
1. Click the Admin tab.
2. On the navigation menu, click System Configuration.
3. Click Auto Update.
4. On the navigation menu, click Check for Updates.
5. Optional: If you want to clear specific scheduled updates, select the updates
that you want to clear.
6. From the Unschedule list box, select the type of scheduled update that you
want to clear.

Checking for new updates


IBM provides updates on a regular basis. By default, the Auto Update feature is
scheduled to automatically download and install updates. If you require an update
at a time other than the preconfigured schedule, you can download new updates.

Procedure
1. Click the Admin tab.
2. On the navigation menu, click System Configuration.
3. Click Auto Update.

4. On the navigation menu, click Check for Updates.
5. Click Get new updates.

Manually installing automatic updates


IBM provides updates regularly. By default, updates are automatically downloaded
and installed on your system. However, you can install an update at a time other
than the preconfigured schedule.

About this task


The system retrieves the new updates from Fix Central. This might take an
extended period. When complete, new updates are listed on the Updates window.

Procedure
1. Click the Admin tab.
2. On the navigation menu, click System Configuration.
3. Click Auto Update.
4. On the navigation menu, click Check for Updates.
5. Optional: If you want to install specific updates, select the updates that you
want to install.
6. From the Install list box, select the type of update you want to install.

Viewing your update history


After an update was successfully installed or failed to install, the update is
displayed on the View Update History page.

About this task

A description of the update and any installation error messages are displayed in
the right pane of the View Update History page. The View Update History page
provides the following information:

Procedure
1. Click the Admin tab.
2. On the navigation menu, click System Configuration.
3. Click Auto Update.
4. On the navigation menu, click View Update History.
5. Optional: Using the Search by Name text box, you can type a keyword and
then press Enter to locate a specific update by name.
6. To investigate a specific update, select the update.

Restoring hidden updates


You can remove updates from the Check for Updates page. You can view and
restore the hidden updates on the Restore Hidden Updates page.

Procedure
1. Click the Admin tab.
2. On the navigation menu, click System Configuration.
3. Click Auto Update.
4. On the navigation menu, click Restore Hidden Updates.

5. Optional: To locate an update by name, type a keyword in the Search by Name
text box and press Enter.
6. Select the hidden update that you want to restore.
7. Click Restore.

Viewing the autoupdate log


The autoupdate log contains the most recent automatic update that was run on
your system.

Procedure
1. Click the Admin tab.
2. On the navigation menu, click System Configuration.
3. Click Auto Update.
4. On the navigation menu, click View Log.

Set up a QRadar update server


If your deployment includes a QRadar Console that is unable to access the Internet
or you want to manually manage updates to your system, you can set up a
QRadar update server to manage the update process.

The autoupdate package includes all files necessary to manually set up an update
server in addition to the necessary system configuration files for each update. After
the initial setup, you only need to download and uncompress the most current
autoupdate package to manually update your configuration.

You can subscribe to notifications in Fix Central to receive notification of new
updates.
Related concepts:
“Automatic updates” on page 54
You can automatically or manually update your configuration files to ensure that
your configuration files contain the latest network security information.

Configuring your update server


Use this task to configure an Apache server. You must create an update directory
and download the autoupdate package from Fix Central.

About this task

Autoupdates are available in Fix Central.

Procedure
1. Access your Apache server. By default, the update directory is in the web root
directory of the Apache server. You can place the directory in another location
if you configure QRadar accordingly.
2. Create an update directory named autoupdates/.
3. Optional: Create an Apache user account and password to be used by the
update process.
4. Download the autoupdate package from Fix Central: http://www.ibm.com/
support/fixcentral You can find QRadar products in the Security Systems
Product Group list on Fix Central.

5. Save the autoupdate package file on your Apache server in the autoupdates/
directory that you created.
6. On the Apache server, type the following command to uncompress the
autoupdate package:
tar -zxf updatepackage-[timestamp].tgz
7. Click the Admin tab.
8. On the navigation menu, click System Configuration.
9. Click Auto Update.
10. Click Change Settings.
11. Select the Advanced tab.
12. To direct the update process to the Apache server, configure the following
parameters in the Server Configuration panel:
a. In the Web Server field, type the address or directory path of your Apache
server. If the Apache server runs on a non-standard port, add
:<portnumber> to the end of the address, for example https://qmmunity.q1labs.com/
:8080
b. In the Directory field, type the directory location on which the web server
stores the updates. The default directory is autoupdates/.
c. Optional: In the Proxy Server field, type the URL for the proxy server. The
proxy server is required if the application server uses a proxy server to
connect to the Internet.
d. Optional: In the Proxy Username field, type the user name for the proxy
server. A user name is required if you are using an authenticated proxy.
e. Optional: In the Proxy Password field, type the password for the proxy
server. A password is required if you are using an authenticated proxy.
13. Select Deploy changes.
14. Click Save.
15. Using SSH, log in to QRadar as the root user.
16. Type the following command to configure the user name that you set for your
Apache server:
/opt/qradar/bin/UpdateConfs.pl -change_username <username>
17. Type the following command to configure the password that you set for your
Apache server:
/opt/qradar/bin/UpdateConfs.pl -change_password <password>
A password that is passed on the command line is visible in the shell history
and, while the command runs, to other users of the Console; clear the history
entry afterwards.
18. Test your update server by typing the following command:
lynx https://<your update server>/<directory path to updates>/manifest_list
19. Type the user name and password.

Configuring your QRadar Console as the Update Server


You can configure your QRadar Console to be your update server.

About this task

To configure your QRadar Console to be your update server, you complete three
tasks:
v Create an autoupdate directory.
v Download the autoupdate package from Fix Central.
v Configure QRadar to accept the autoupdates.

Procedure
1. Using SSH, log in to the QRadar Console as the root user.
2. Type the following command to create the autoupdate directory:
mkdir /opt/qradar/www/autoupdates/
3. Download the autoupdate package from Fix Central: http://www.ibm.com/
support/fixcentral You can find QRadar products in the Security Systems
Product Group list on Fix Central.
4. Save the autoupdate package file on your QRadar Console in the
/opt/qradar/www/autoupdates/ directory that you created.
5. On your QRadar Console, type the following command to uncompress the
autoupdate package:
tar -zxf updatepackage-[timestamp].tgz
6. Log in to the QRadar user interface and click the Admin tab.
7. On the navigation menu, click System Configuration.
8. Click Auto Update.
9. Click Change Settings.
10. Select the Advanced tab.
11. In the Web Server field, type https://localhost/.
12. Clear the Send Feedback check box.
13. Click Save.

Adding new updates


You can download updates from Fix Central to your update server.

Before you begin

You must configure your update server and set up QRadar to receive updates from
the update server.

Procedure
1. Download the autoupdate package from Fix Central: http://www.ibm.com/
support/fixcentral You can find QRadar products in the Security Systems
Product Group list on Fix Central.
2. Save the autoupdate package file on your update server in the autoupdates/
directory that you created.
3. On the update server, type the following command to uncompress the
autoupdate package:
tar -zxf updatepackage-[timestamp].tgz
4. Log in to QRadar as the root user.
5. Type the following command to test your update server:
lynx https://<your update server>/<directory path to updates>/manifest_list
6. Type the user name and password of your update server.
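The three procedures above (the Apache update server, the Console as update server, and adding new updates) all stage the package the same way: download from Fix Central, save it in autoupdates/, run tar -zxf, then fetch manifest_list. The update server is a trusted source of configuration files and DSM code for every host in the deployment, so it is worth being stricter than a bare tar -zxf. The following is an added example written for this page, not IBM's code: it compares the package's SHA-256 with a value you copied from the Fix Central download page (assumed, not stated on this page, to be published there), refuses archive entries that would escape the autoupdates/ directory, and checks that the manifest_list file QRadar fetches first is present. The function names, the manifest_list check and the build_package() helper are this example's own.

```python
"""Added example, not from the IBM guide: stage an autoupdate package on an
update server (the Apache host, or the Console's /opt/qradar/www/autoupdates/)
before QRadar is pointed at it.

Two checks the guide's tar -zxf step leaves implicit: the package's SHA-256 is
compared with a value you copied from the Fix Central download page (assumed to
be published there), and archive entries that would escape the target directory
are rejected before anything is written. Function names, the manifest_list
check and build_package() are this example's own."""
import hashlib
import io
import os
import tarfile
from typing import Dict, List


def sha256_file(path: str) -> str:
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def unsafe_members(tar: tarfile.TarFile) -> List[str]:
    """Entries that a plain `tar -zxf` could write outside the target directory:
    absolute paths, `..` components, symbolic links and hard links."""
    bad = []
    for member in tar.getmembers():
        parts = member.name.split("/")
        if member.name.startswith("/") or ".." in parts or member.issym() or member.islnk():
            bad.append(member.name)
    return bad


def stage_update_package(package: str, dest: str, expected_sha256: str) -> List[str]:
    """Verify `package`, then unpack it into `dest`; returns the files written.
    Raises ValueError (with nothing written) on a checksum mismatch, on unsafe
    entries, or if the package has no manifest_list, the file QRadar fetches
    first from <directory path to updates>/manifest_list."""
    actual = sha256_file(package)
    if actual != expected_sha256.lower():
        raise ValueError("checksum mismatch: got %s" % actual)
    written = []
    with tarfile.open(package, "r:gz") as tar:
        bad = unsafe_members(tar)
        if bad:
            raise ValueError("unsafe archive entries: %s" % bad)
        names = [os.path.normpath(m.name) for m in tar.getmembers()]
        if "manifest_list" not in names:
            raise ValueError("package has no manifest_list")
        for member in tar.getmembers():
            target = os.path.join(dest, member.name)
            if member.isdir():
                os.makedirs(target, exist_ok=True)
            elif member.isfile():
                os.makedirs(os.path.dirname(target), exist_ok=True)
                with open(target, "wb") as out:
                    out.write(tar.extractfile(member).read())
                os.chmod(target, 0o644)  # the web server only needs read access
                written.append(os.path.normpath(member.name))
    return written


def build_package(path: str, files: Dict[str, bytes]) -> None:
    """Constructed stand-in for a Fix Central download: writes a .tgz with the
    given entries (names are used as given, so unsafe names can be produced)."""
    with tarfile.open(path, "w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
```

After staging, the lynx test from the procedure still applies; note that the default Web Server value on the Basic/Advanced settings page is a plain http:// URL, so an internal update server should be reached over https:// with the basic-auth user name and password set through UpdateConfs.pl, otherwise anyone on the path can substitute configuration files.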

Configuring system settings


You can configure system settings.

About this task

On the System Settings window, you can configure the following parameters:
Table 22. System Settings window parameters
Parameter Description
System Settings

Administrative Email Address The email address of the designated system
administrator. The default email address is
root@localhost.
Alert Email From Address The email address from which you want to
receive email alerts. This address is
displayed in the From field of the email
alerts. A valid address is required by most
email servers. The default email address is
root@<hostname.domain>.
Resolution Interval Length The resolution interval length determines at
what interval the Event Collectors send
bundles of information to the Console.

If you select the 30-seconds option, results
display on the QRadar user interface as the
data enters the system. However, with
shorter intervals, the volume of time series
data is larger and the system might
experience delays in processing the
information.
Delete Root Mail Root mail is the default location for host
context messages.
Temporary Files Retention Period The period that you want the system to
retain temporary files. The default storage
location for temporary files is the
/store/tmp directory.
Asset Profile Query Period The period for an asset search to process
before a timeout occurs.
Coalescing Events The coalesce log settings for events. Select
Yes to enable log sources to coalesce, or
bundle, events.

This value applies to all log sources.
However, if you want to alter this value for
a specific log source, edit the Coalescing
Event parameter in the log source
configuration. For more information, see the
Managing Log Sources Guide.
Store Event Payload Log sources can store event payload
information.

This value applies to all log sources.
However, if you want to alter this value for
a specific log source, edit the Event Payload
parameter in the log source configuration.
For more information, see the Managing Log
Sources Guide.
Global Iptables Access The IP addresses of non-Console systems
that do not have iptables configuration to
which you want to enable direct access. To
enter multiple systems, type a
comma-separated list of IP addresses.

Syslog Event Timeout (minutes) The amount of time that the status of a
syslog device is recorded as an error if no
events are received within the timeout
period. The status is displayed on the Log
Sources window.
Partition Tester Timeout (seconds) The amount of time for a partition test to
perform before a timeout occurs.
Max Number of TCP Syslog Connections The maximum number of Transmission
Control Protocol (TCP) syslog connections
you want to allow your system.
Export Directory
The location where event flow exports are
stored. The default location is
/store/exports.
Display Country/Region Flags If geographic information is available for an
IP address, the country or region is visually
indicated by a flag. You can select No from
this list box to disable this feature.

Database Settings
User Data Files The location of the user profiles. The default
location is /store/users.
Accumulator Retention - Minute-By-Minute The period that you want to retain
minute-by-minute data accumulations.

Every 60 seconds, the data is aggregated
into a single data set.
Accumulator Retention - Hourly The period that you want to retain hourly
data accumulations.

At the end of every hour, the minute-by-minute
data sets are aggregated into a single
hourly data set.
Accumulator Retention - Daily The period that you want to retain daily
data accumulations.

At the end of every day, the hourly data sets
are aggregated into a single daily data set.
Payload Index Retention The amount of time you want to store
payload indexes.

For more information about payload
indexing, see the Enabling Payload Indexing
for Quick Filtering Technical Note.
Ariel Database Settings
Log Source Storage Location The location where you want to store the log
source information. The default location is
/store/ariel/events.
Search Results Retention Period The amount of time you want to store
search results.

Reporting Max Matched Results The maximum number of results you want a
report to return.
Command Line Max Matched Results The maximum number of results you want
the AQL command line to return.
Web Execution Time Limit The maximum amount of time, in seconds,
you want a query to process before a
timeout occurs.
Reporting Execution Time Limit for The maximum amount of time, in seconds,
Manual Reports you want a reporting query to process
before a timeout occurs.
Command Line Execution Time Limit The maximum amount of time, in seconds,
you want a query in the AQL command line
to process before a timeout occurs.
Web Last Minute (Auto refresh) Execution The maximum amount of time, in seconds,
Time Limit you want an auto refresh to process before a
timeout occurs.
Event Log Hashing Stores a hash file for every stored event log
file. Select Yes to enable hashing.
HMAC Encryption This parameter only displays when the
Event Log Hashing system setting is
enabled.

Select Yes to compute the integrity hashes
on stored event and flow log files as keyed
HMACs. Despite the label, an HMAC is a
keyed hash (message authentication code),
not encryption: the log files are not
encrypted, but without the key a hash
cannot be recomputed to match an edited
file.
HMAC Key The key that you want to use for the HMAC.
The key must be unique.

This parameter only displays when the
HMAC Encryption system setting is
enabled.
Verify This parameter only displays when the
HMAC Encryption system setting is
enabled.

Retype the key that you want to use for the
HMAC. The key must match the key that
you typed in the HMAC Key field.

Hashing Algorithm You can use a hashing algorithm for
database integrity. QRadar uses the
following hashing algorithm types:
v Message-Digest (MD) Hash Algorithm -
Produces a fixed-length message digest of
128 bits from input of any length.
v Secure Hash Algorithm (SHA) Hash
Algorithm - Standard algorithm family
that creates a larger message digest (160
bits for SHA-1, up to 512 bits for SHA-512).

From the list box, select the log hashing
algorithm that you want to use for your
deployment.

If the HMAC Encryption parameter is
disabled, the following options are available:
v MD2 - Algorithm that is defined by RFC
1319.
v MD5 - Algorithm that is defined by RFC
1321.
v SHA-1 - Algorithm that is defined by the
Secure Hash Standard (SHS), NIST FIPS
180-1. This is the default setting.
v SHA-256 - Algorithm that is defined by
Federal Information Processing Standard
180-2, SHS. SHA-256 is a 256-bit hash
algorithm that is intended to provide 128
bits of security against collision attacks.
v SHA-384 - Algorithm that is defined by
FIPS 180-2, SHS. SHA-384 is a 384-bit
hash algorithm, created by truncating the
SHA-512 output.
v SHA-512 - Algorithm that is defined by
FIPS 180-2, SHS. SHA-512 is a 512-bit
hash algorithm that is intended to provide
256 bits of security against collision
attacks.

MD2, MD5 and SHA-1 are obsolete and no
longer recommended for integrity
protection; unless you must interoperate
with an existing verification process, select
SHA-256 or stronger.

If the HMAC Encryption parameter is
enabled, the following options are available:
v HMAC-MD5 - A keyed hash (message
authentication code) that is based on the
MD5 hashing algorithm.
v HMAC-SHA-1 - A keyed hash that is based
on the SHA-1 hashing algorithm.
v HMAC-SHA-256 - A keyed hash that is
based on the SHA-256 hashing algorithm.
v HMAC-SHA-384 - A keyed hash that is
based on the SHA-384 hashing algorithm.
v HMAC-SHA-512 - A keyed hash that is
based on the SHA-512 hashing algorithm.

Transaction Sentry Settings
Transaction Max Time Limit A transaction sentry detects unresponsive
applications using transaction analysis. If an
unresponsive application is detected, the
transaction sentry attempts to return the
application to a functional state.

The length of time you want the system to
check for transactional issues in the
database.
Resolve Transaction on Non-Encrypted Host The transaction sentry can resolve all error
conditions that are detected on the Console
or non-encrypted managed hosts.

If you select No, the conditions are detected
and logged but you must manually
intervene and correct the error.
Resolve Transaction on Encrypted Host The transaction sentry can resolve all error
conditions that are detected on the
encrypted managed host.

If you select No, the conditions are detected
and logged but you must manually
intervene and correct the error.
SNMP Settings
SNMP Version The version of SNMP that you want to use.
Disable this setting if you do not want
SNMP responses in the QRadar custom rules
engine.
SNMPv2c Settings
Destination Host The IP address to which you want to send
SNMP notifications.
Destination Port The port number to which you want to send
SNMP notifications.
Community The SNMP community, such as public.
SNMPv3 Settings
Destination Host The IP address to which you want to send
SNMP notifications.
Destination Port The port to which you want to send SNMP
notifications.
Username The name of the user you want to access
SNMP-related properties.
Security Level The security level for SNMP.
Authentication Protocol The algorithm that you want to use to
authenticate SNMP traps.
Authentication Password The password that you want to use to
authenticate SNMP traps.
Privacy Protocol The protocol that you want to use to decrypt
SNMP traps.

Privacy Password The password that is used to decrypt SNMP
traps.
Embedded SNMP Daemon Settings
Enabled Enables access to data from the SNMP Agent
using SNMP requests.

After you enable the embedded SNMP
daemon, you must access the host that is
specified in the Destination Host parameter
and type qradar in the Username field. A
password is not required. The location
where you configure a destination host to
communicate with QRadar can vary
depending on the vendor host. For more
information on configuring your destination
host to communicate with QRadar, see your
vendor documentation.
Daemon Port The port that you want to use for sending
SNMP requests.
Community String The SNMP community, such as public. This
parameter applies only if you are using
SNMPv2 and SNMPv3.
IP Access List The systems that can access data from the
SNMP agent using an SNMP request. If the
Enabled option is set to Yes, this option is
enforced. Because the daemon does not
require a password, restrict this list to the
management hosts that need to poll it.
IF-MAP Client/Server Settings
IF-MAP Version The version of IF-MAP that you require.

The Interface For Metadata Access Points
(IF-MAP) rule response enables IBM Security
QRadar SIEM to publish alert and offense
data derived from events, flows, and offense
data on an IF-MAP server.

If this setting is disabled, the other IF-MAP
Client/Server settings are not displayed.
Server Address The IP address of the IF-MAP server.
Basic Server Port The port number for the basic IF-MAP
server.
Credential Server Port The port number for the credential server.
Authentication The type of authentication that you require.

Before you can configure IF-MAP
authentication, you must configure your
IF-MAP server certificate. For more
information on how to configure your
IF-MAP certificate, see “Configuring your
IF-MAP server certificates” on page 70.

Key Password The key password to be shared between the
IF-MAP client and server.

This setting is displayed only when you
select the Mutual option for the
Authentication setting.
Username The user name that is required to access the
IF-MAP server.

This setting is displayed only when you
select the Basic option for the
Authentication setting.
User Password The password that is required to access the
IF-MAP server.

This setting is displayed only when you
select the Basic option for the
Authentication setting.
Asset Profile Settings

This pane is only displayed if IBM Security QRadar Vulnerability Manager is installed on
your system.
Asset Profile Retention Period The period, in days, that you want to store
the asset profile information.

The Use Advanced setting enables QRadar
to apply advanced, granular database
retention logic to asset data.

If you want to apply one retention period to
all asset data, you can configure this system
setting.
Enable DNS Lookups for Host Identity Enables QRadar to run Domain Name
System (DNS) lookups for host identity.
Enable WINS Lookups for Host Identity Enables QRadar to run Windows Internet
Name Service (WINS) lookups for host
identity.
Asset Profile Reporting Interval The interval, in seconds, that the database
stores new asset profile information.

Procedure
1. Click the Admin tab.
2. On the navigation menu, click System Configuration.
3. Click the System Settings icon.
4. Configure the system settings.
5. Click Save.
6. On the Admin tab menu, select Advanced > Deploy Full Configuration.
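The Event Log Hashing, HMAC Encryption and Hashing Algorithm rows in Table 22 describe an integrity mechanism without showing what each setting defends against. The following is an added example written for this page, not IBM's code: QRadar's on-disk hash file format is not described here, so the functions, the two-line syslog sample and the key are this example's own. It models an attacker who can write to the event store, edits a stored log file and writes a fresh hash beside it; with a plain hash the edited file verifies, with a keyed HMAC it does not.

```python
"""Added example, not QRadar code: what the Event Log Hashing and HMAC
Encryption settings protect against. QRadar's on-disk hash file format is not
described on this page; the functions, the sample log and the key below are
this example's own."""
import hashlib
import hmac
from typing import Optional, Tuple

# Constructed sample of a stored event log file (two syslog lines).
SAMPLE_LOG = (
    b"<38>Oct 11 22:14:15 fw01 sshd[1022]: Failed password for root from 10.0.0.7\n"
    b"<38>Oct 11 22:14:19 fw01 sshd[1022]: Accepted password for root from 10.0.0.7\n"
)

# Entries of the Hashing Algorithm list mapped to hashlib names (MD2 is not
# available in hashlib and is left out).
ALGORITHMS = {"MD5": "md5", "SHA-1": "sha1", "SHA-256": "sha256",
              "SHA-384": "sha384", "SHA-512": "sha512"}


def integrity_value(data: bytes, algorithm: str = "SHA-256",
                    key: Optional[bytes] = None) -> str:
    """Hex digest written to the hash file. key=None models HMAC Encryption = No
    (plain hash); a key models HMAC Encryption = Yes with that HMAC Key."""
    name = ALGORITHMS[algorithm]
    if key is None:
        return hashlib.new(name, data).hexdigest()
    return hmac.new(key, data, name).hexdigest()


def verify(data: bytes, stored: str, algorithm: str = "SHA-256",
           key: Optional[bytes] = None) -> bool:
    """Recompute and compare in constant time (avoids a timing side channel)."""
    return hmac.compare_digest(integrity_value(data, algorithm, key), stored)


def tamper(log: bytes, algorithm: str = "SHA-256") -> Tuple[bytes, str]:
    """An attacker with write access to the event store rewrites a successful
    root login as a failure and writes a fresh hash file. They do not know the
    HMAC key, so the best they can do is an unkeyed digest of the edited file."""
    edited = log.replace(b"Accepted password for root", b"Failed password for root")
    return edited, integrity_value(edited, algorithm, key=None)


def digest_bits(algorithm: str) -> int:
    """Output size of the selected algorithm in bits (SHA-1 160, SHA-256 256, ...)."""
    return hashlib.new(ALGORITHMS[algorithm]).digest_size * 8
```

The keyed check only helps if whoever can edit files under /store cannot also read the key, so the value typed into the HMAC Key field deserves the same handling as any other secret on the Console, and verification is most convincing when it is run from a host that holds the key but not the data.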

Configuring your IF-MAP server certificates
Before you can configure IF-MAP authentication on the System Settings window,
you must configure your IF-MAP server certificate.

Configuring IF-MAP Server Certificate for Basic Authentication


This task provides instruction for how to configure your IF-MAP certificate for
basic authentication.

Before you begin

Contact your IF-MAP server administrator to obtain a copy of the IF-MAP server
public certificate. The certificate must have the .cert file extension, for example,
ifmapserver.cert.

Procedure
1. Using SSH, log in to QRadar as the root user.
2. Copy the certificate to the /opt/qradar/conf/trusted_certificates directory.

Configuring IF-MAP Server Certificate for Mutual Authentication


This task provides instruction for how to configure your IF-MAP certificate for
mutual authentication.

Before you begin

Contact your IF-MAP server administrator to obtain a copy of the IF-MAP server
public certificate. The certificate must have the .cert file extension, for example,
ifmapserver.cert.

Mutual authentication requires certificate configuration on your Console and your
IF-MAP server. For assistance configuring the certificate on your IF-MAP server,
contact your IF-MAP server administrator.

Procedure
1. Using SSH, log in to QRadar as the root user.
2. Copy the certificate to the /opt/qradar/conf/trusted_certificates directory.
3. Copy the SSL intermediate certificate and SSL Verisign root certificate to your
IF-MAP server as CA certificates. For assistance, contact your IF-MAP server
administrator.
4. Type the following command to create the Public-Key Cryptography Standards
(PKCS #12) file with the .pkcs12 file extension:
openssl pkcs12 -export -inkey <private_key> -in <certificate> -out <pkcs12_filename.pkcs12> -name "IFMAP Client"
5. Type the following command to copy the pkcs12 file to the
/opt/qradar/conf/key_certificates directory:
cp <pkcs12_filename.pkcs12> /opt/qradar/conf/key_certificates
The .pkcs12 file contains the client private key; keep it readable by root only.
6. Create a client on the IF-MAP server with the Certificate authentication and
upload the SSL certificate. For assistance, contact your IF-MAP server
administrator.
7. Change the permissions of the directory by typing the following
commands:
chmod 755 /opt/qradar/conf/trusted_certificates
chmod 644 /opt/qradar/conf/trusted_certificates/*.cert
8. Type the following command to restart the Tomcat service:
service tomcat restart

Data retention
Configure custom retention periods for specific data.

Retention buckets define retention policies for events that match custom filter
requirements. As QRadar receives events, each event is compared against retention
bucket filter criteria. When an event matches a retention bucket filter, it is stored in
that retention bucket until the retention policy time period is reached. This feature
enables you to configure multiple retention buckets.

Retention buckets are sequenced in priority order from the top row to the bottom
row on the Event Retention window. A record is stored in the bucket that matches
the filter criteria with highest priority. If the record does not match any of your
configured retention buckets, the record is stored in the default retention bucket,
which is always located below the list of configurable retention buckets.
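The two paragraphs above define the matching rule: buckets are tried from the top row down, the first enabled bucket whose filter matches wins, and the default bucket catches the rest. A consequence worth checking for is a bucket that can never receive data because a broader bucket sits above it. The following is an added example, not QRadar code; its filters are simple property=value pairs that must all hold (QRadar's own filter language is richer), and the bucket names, event fields and 30-day default are constructed for the illustration.

```python
"""Added example, not QRadar code: how an event is assigned to a retention
bucket, and a check for buckets that can never receive data.

Filters here are simple property=value matches, all of which must hold;
QRadar's own filter language is richer. Bucket names, the event fields and
the 30-day default are constructed for the example."""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class RetentionBucket:
    name: str
    retention_days: int
    filters: Dict[str, str] = field(default_factory=dict)  # every pair must match
    enabled: bool = True

    def matches(self, event: Dict[str, str]) -> bool:
        return all(event.get(k) == v for k, v in self.filters.items())


# The default bucket is always last and has no filter: it catches everything.
DEFAULT_BUCKET = RetentionBucket("Default", 30)


def select_bucket(event: Dict[str, str], buckets: List[RetentionBucket]) -> RetentionBucket:
    """Buckets are tried in window order (top row first). A disabled bucket is
    skipped, so its events fall through to the next match or to Default."""
    for bucket in buckets:
        if bucket.enabled and bucket.matches(event):
            return bucket
    return DEFAULT_BUCKET


def shadowed_buckets(buckets: List[RetentionBucket]) -> List[str]:
    """Names of enabled buckets that an earlier enabled bucket always wins over.
    Bucket B is shadowed by an earlier bucket A when A's filter pairs are a
    subset of B's: every event B could match, A matches first. A bucket with
    no filters shadows everything below it."""
    shadowed = []
    for j, later in enumerate(buckets):
        if not later.enabled:
            continue
        later_pairs = set(later.filters.items())
        for earlier in buckets[:j]:
            if earlier.enabled and set(earlier.filters.items()) <= later_pairs:
                shadowed.append(later.name)
                break
    return shadowed


# Constructed configuration, in window order: the 730-day bucket for root
# logins can never fill because the broader authentication bucket sits above it.
EXAMPLE_BUCKETS = [
    RetentionBucket("Authentication events", 365, {"category": "authentication"}),
    RetentionBucket("Firewall denies", 90, {"log_source_type": "firewall", "action": "deny"}),
    RetentionBucket("Root logins", 730, {"category": "authentication", "user": "root"}),
]
```

Moving the narrower bucket above the broader one, or disabling the broader one, makes the root-login events reach the 730-day bucket; the shadowed_buckets() check is the kind of review worth running after every edit of the Event Retention window, because the window itself only reports usage, not reachability.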

Configuring retention buckets


By default, the Event Retention window provides a default retention bucket and 10
unconfigured retention buckets. Until you configure a retention bucket, all events
are stored in the default retention bucket.

About this task

The Event Retention window provides the following information for each retention
bucket:
Table 23. Retention window parameters
Parameter Description
Order The priority order of the retention buckets.
Name The name of the retention bucket.
Retention The retention period of the retention bucket.
Compression The compression policy of the retention
bucket.
Deletion Policy The deletion policy of the retention bucket.
Filters The filters applied to the retention bucket.
Move your mouse pointer over the Filters
parameter for more information on the
applied filters.
Distribution The retention bucket usage as a percentage
of total data retention in all your retention
buckets.
Enabled Specifies if the retention bucket is enabled
(true) or disabled (false).
Creation Date The date and time the retention bucket was
created.

Chapter 5. Set up QRadar Log Manager 71


Table 23. Retention window parameters (continued)
Parameter Description
Modification Date The date and time the retention bucket was
last modified.

The toolbar provides the following functions:


Table 24. Retention window toolbar
Function Description
Edit Edit a retention bucket.
Enable/Disable Enable or disable a retention bucket. When you disable a bucket, any new data that matches the requirements for the disabled bucket is stored in the next bucket that matches the properties.
Delete Delete a retention bucket. When you delete a retention bucket, the data contained in the retention bucket is not removed from the system; only the criteria defining the bucket is deleted. All data is maintained in storage.

Procedure
1. Click the Admin tab.
2. On the navigation menu, click Data Sources.
3. Click the Event Retention icon.
4. Double-click the first available retention bucket.
5. Configure the following parameters:

Parameter Description
Name Type a unique name for the retention bucket.
Keep data placed in this bucket for Select a retention period. When the retention period is reached, data is deleted according to the Delete data in this bucket parameter.
Allow data in this bucket to be compressed Select the check box to enable data compression, and then select a time frame from the list box. When the time frame is reached, all data in the retention bucket is eligible to be compressed. This increases system performance by guaranteeing that no data is compressed within the specified time period. Compression only occurs when used disk space reaches 83% for payloads and 85% for records.
Delete data in this bucket Select a deletion policy.
Select When storage space is required if you want data that matches the Keep data placed in this bucket for parameter to remain in storage until the disk monitoring system detects that storage is required. If used disk space reaches 85% for records and 83% for payloads, data will be deleted. Deletion continues until the used disk space reaches 82% for records and 81% for payloads.
Select Immediately after the retention period has expired if you want data to be deleted immediately on matching the Keep data placed in this bucket for parameter. The data is deleted at the next scheduled disk maintenance process, regardless of free disk space or compression requirements.
When storage is required, only data that matches the Keep data placed in this bucket for parameter is deleted.
Description Type a description for the retention bucket.
Current Filters Configure your filters.
From the first list, select a parameter you want to filter for. For example, Device, Source Port, or Event Name.
From the second list, select the modifier you want to use for the filter. The list of modifiers depends on the attribute selected in the first list.
In the text field, type specific information related to your filter and then click Add Filter.
The filters are displayed in the Current Filters text box. You can select a filter and click Remove Filter to remove a filter from the Current Filters text box.

6. Click Save.
7. Click Save again.
Your retention bucket starts storing data that matches the retention parameters
immediately.
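To make the bucket ordering and the two deletion policies described above concrete, here is an added Python model (written for this page, not code from QRadar): an event lands in the first enabled bucket whose filter matches, otherwise in the default bucket, and a maintenance pass applies the 85%/83% start and 82%/81% stop thresholds. The equality-test filters, the integer day stamps and the fixed percentage freed per deleted event are constructed simplifications.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Disk thresholds stated in the guide for the "When storage space is required" policy:
# deletion starts at 85% used for records / 83% for payloads and continues until
# usage falls to 82% for records / 81% for payloads.
RECORD_START, RECORD_STOP = 85.0, 82.0
PAYLOAD_START, PAYLOAD_STOP = 83.0, 81.0


@dataclass
class RetentionBucket:
    name: str
    retention_days: int            # "Keep data placed in this bucket for"
    delete_immediately: bool       # True = "Immediately after the retention period has expired"
    enabled: bool = True
    # Assumption for this example: a filter is a set of field=value equality tests.
    filters: Dict[str, str] = field(default_factory=dict)
    stored: List[dict] = field(default_factory=list)

    def matches(self, event: dict) -> bool:
        return all(event.get(key) == value for key, value in self.filters.items())


def route_event(event: dict, buckets: List[RetentionBucket],
                default: RetentionBucket) -> RetentionBucket:
    """Store an event in the highest-priority (first) enabled bucket whose filter
    matches; anything unmatched goes to the default bucket at the bottom of the list."""
    for bucket in buckets:
        if bucket.enabled and bucket.matches(event):
            bucket.stored.append(event)
            return bucket
    default.stored.append(event)
    return default


def is_expired(event: dict, bucket: RetentionBucket, today: int) -> bool:
    # Events carry a constructed integer "day" stamp; retention is measured in days.
    return today - event["day"] >= bucket.retention_days


def disk_maintenance(buckets: List[RetentionBucket], today: int,
                     record_pct: float, payload_pct: float,
                     pct_per_event: float = 1.0) -> Tuple[int, float, float]:
    """One scheduled disk-maintenance pass. Returns (events deleted, record %, payload %).
    pct_per_event is a constructed simplification: each deleted event frees that much
    of both the record and the payload partitions."""
    deleted = 0
    # Policy "Immediately after the retention period has expired": expired data is
    # removed on this pass regardless of free disk space.
    for bucket in buckets:
        if bucket.delete_immediately:
            kept = [e for e in bucket.stored if not is_expired(e, bucket, today)]
            deleted += len(bucket.stored) - len(kept)
            bucket.stored = kept
    # Policy "When storage space is required": nothing is removed unless a start
    # threshold was crossed; then only expired data is removed, and removal stops
    # once both partitions are back at or under their stop thresholds.
    if record_pct >= RECORD_START or payload_pct >= PAYLOAD_START:
        for bucket in buckets:
            if bucket.delete_immediately:
                continue
            for event in list(bucket.stored):
                if record_pct <= RECORD_STOP and payload_pct <= PAYLOAD_STOP:
                    return deleted, record_pct, payload_pct
                if is_expired(event, bucket, today):
                    bucket.stored.remove(event)
                    deleted += 1
                    record_pct -= pct_per_event
                    payload_pct -= pct_per_event
    return deleted, record_pct, payload_pct


def build_sample_deployment() -> Tuple[List[RetentionBucket], RetentionBucket]:
    """Constructed example: two configured buckets listed above the default bucket."""
    auth = RetentionBucket("auth-events", retention_days=30, delete_immediately=False,
                           filters={"category": "Authentication"})
    firewall = RetentionBucket("firewall", retention_days=7, delete_immediately=True,
                               filters={"device": "fw-edge-1"})
    default = RetentionBucket("default", retention_days=90, delete_immediately=False)
    return [auth, firewall], default
```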

Managing retention bucket sequence


You can change the order of the retention buckets to ensure that data is being
matched against the retention buckets in the order that matches your requirements.

About this task

Retention buckets are sequenced in priority order from the top row to the bottom
row on the Event Retention window. A record is stored in the first retention bucket
that matches the record parameters.

You cannot move the default retention bucket. It always resides at the bottom of
the list.

Procedure
1. Click the Admin tab.
2. On the navigation menu, click Data Sources.
3. Click the Event Retention icon.
4. Click the icon.
5. Select and move the required retention bucket to the correct location.

Configuring system notifications


You can configure system performance alerts for thresholds. This section provides
information about configuring your system thresholds.

About this task

The following table describes the Global System Notifications window parameters:

Table 25. Global System Notifications window parameters
Parameter Description
System load over 1 minute Type the threshold system load average over the last minute.
System load over 5 minutes Type the threshold system load average over the last 5 minutes.
System load over 15 minutes Type the threshold system load average over the last 15 minutes.
Percentage of swap used Type the threshold percentage of used swap space.
Received packets per second Type the threshold number of packets received per second.
Transmitted packets per second Type the threshold number of packets transmitted per second.
Received bytes per second Type the threshold number of bytes received per second.
Transmitted bytes per second Type the threshold number of bytes transmitted per second.
Receive errors Type the threshold number of corrupted packets received per second.
Transmit errors Type the threshold number of corrupted packets transmitted per second.
Packet collisions Type the threshold number of collisions that occur per second while transmitting packets.
Dropped receive packets Type the threshold number of received packets that are dropped per second due to a lack of space in the buffers.
Dropped transmit packets Type the threshold number of transmitted packets that are dropped per second due to a lack of space in the buffers.
Transmit carrier errors Type the threshold number of carrier errors that occur per second while transmitting packets.
Receive frame errors Type the threshold number of frame alignment errors that occur per second on received packets.
Receive fifo overruns Type the threshold number of First In First Out (FIFO) overrun errors that occur per second on received packets.
Transmit fifo overruns Type the threshold number of First In First Out (FIFO) overrun errors that occur per second on transmitted packets.

Procedure
1. Click the Admin tab.
2. On the navigation menu, click System Configuration.
3. Click the Global System Notifications icon.
4. Enter values for each parameter that you want to configure.
5. For each parameter, select Enabled and Respond if value is and then select
one of the following options:

Option Description
Greater Than An alert occurs if the parameter value exceeds the configured value.
Less Than An alert occurs if the parameter value is less than the configured value.

6. Type a description of the preferred resolution to the alert.
7. Click Save.
8. On the tab menu, click Deploy Changes.

Configuring the Console settings


The Console provides real-time views, reports, alerts, and in-depth investigation of
network traffic and security threats. You can configure the Console to manage
distributed QRadar deployments.

About this task

The following table describes the Console settings:


Table 26. Console settings
Settings Description
Console Settings
ARP - Safe Interfaces Type the interfaces that you want to be excluded from ARP resolution activities.
Results Per Page Type the maximum number of results you want to display on the user interface. This parameter applies to the Log Activity, Assets (if available), and Reports tabs. For example, if the Default Page Size parameter is configured to 50, the Log Activity tab displays a maximum of 50 offenses.
Authentication Settings
Persistent Session Timeout (in days) Type the length of time, in days, that a user session is persisted.
Maximum Login Failures Type the number of times a login attempt can fail.
Login Failure Attempt Window (in minutes) Type the length of time during which a maximum number of login failures can occur before the system is locked.
Login Failure Block Time (in minutes) Type the length of time that the system is locked if the maximum login failures value is exceeded.
Login Host Whitelist Type a list of hosts that are exempt from being locked out of the system. Enter multiple entries using a comma-separated list.
Inactivity Timeout (in minutes) Type the amount of time after which a user is automatically logged out of the system if no activity occurs.
Login Message File Type the location and name of a file that includes content you want to display on the QRadar login window. The contents of the file are displayed below the current login window.
The login message file must be located in the /opt/qradar/conf directory on your system. This file will be in text format.
Event Permission Precedence From the list box, select the level of network permissions you want to assign to users. This parameter affects the events that are displayed on the Log Activity tab. The options include:
v Network Only - A user must have access to either the source network or the destination network of the event to have that event display on the Log Activity tab.
v Devices Only - A user must have access to either the device or device group that created the event to have that event display on the Log Activity tab.
v Networks and Devices - A user must have access to both the source or the destination network and the device or device group to have an event display on the Log Activity tab.
v None - All events are displayed on the Log Activity tab. Any user with Log Activity role permissions is able to view all events.
For more information about managing users, see Chapter 2, “User management,” on page 5.
DNS Settings
Enable DNS Lookups for Asset Profiles From the list box, select whether you want to enable or disable the ability for QRadar to search for DNS information in asset profiles. When enabled, this information is available in the right-click menu for the IP address or host name that is located in the Host Name (DNS Name) field in the asset profile.
Enable DNS Lookups for Host Identity From the list box, select whether you want to enable or disable the ability for QRadar to search for host identity information. When enabled, this information is available in the right-click menu for any IP address or asset name.
WINS Settings
WINS Server Type the location of the Windows Internet Naming Server (WINS) server.
Reporting Settings
Report Retention Period Type the period, in days, that you want the system to maintain reports.
Data Export Settings
Include Header in CSV Exports From the list box, select whether you want to include a header in a CSV export file.
Maximum Simultaneous Exports Type the maximum number of exports you want to occur at one time.

Procedure
1. Click the Admin tab.
2. On the navigation menu, click System Configuration.
3. Click the Console icon.
4. Enter values for the parameters.
5. Click Save.
6. On the Admin tab menu, click Deploy Changes.
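As an added illustration of how the Authentication Settings in Table 26 interact (example code, not part of the guide or the product), the following Python applies Maximum Login Failures, Login Failure Attempt Window, Login Failure Block Time and Login Host Whitelist to a constructed log of login attempts. Per-host counting, time measured in minutes, and "exceeded" meaning one more failure than the maximum are assumptions made here.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Tuple


@dataclass
class AuthenticationSettings:
    """The lockout-related Console settings from Table 26 (default values here are constructed)."""
    maximum_login_failures: int = 5
    login_failure_attempt_window: int = 10   # minutes
    login_failure_block_time: int = 30       # minutes
    login_host_whitelist: List[str] = field(default_factory=list)


class LoginLockout:
    """Applies the lockout settings to a stream of login attempts.

    Assumptions for this example (the guide does not spell them out): failures are
    counted per source host, time is in minutes, and a block starts when the number
    of failures inside the window exceeds Maximum Login Failures."""

    def __init__(self, settings: AuthenticationSettings) -> None:
        self.settings = settings
        self._failures: Dict[str, Deque[float]] = defaultdict(deque)
        self._blocked_until: Dict[str, float] = {}

    def _prune(self, host: str, now: float) -> None:
        # Drop failures that have aged out of the attempt window.
        window = self._failures[host]
        while window and now - window[0] >= self.settings.login_failure_attempt_window:
            window.popleft()

    def is_blocked(self, host: str, now: float) -> bool:
        if host in self.settings.login_host_whitelist:
            return False
        until = self._blocked_until.get(host)
        if until is None:
            return False
        if now < until:
            return True
        # Block time has elapsed: lift the block and start counting afresh.
        del self._blocked_until[host]
        self._failures[host].clear()
        return False

    def record_failure(self, host: str, now: float) -> bool:
        """Register a failed login. Returns True if this failure triggered a block."""
        if host in self.settings.login_host_whitelist:
            return False
        self._prune(host, now)
        self._failures[host].append(now)
        if len(self._failures[host]) > self.settings.maximum_login_failures:
            self._blocked_until[host] = now + self.settings.login_failure_block_time
            return True
        return False

    def record_success(self, host: str) -> None:
        self._failures[host].clear()


def replay(settings: AuthenticationSettings,
           attempts: List[Tuple[float, str, bool]]) -> List[str]:
    """Feed constructed (minute, host, succeeded) records through the lockout logic and
    return one decision per attempt: 'ok', 'fail', 'block-start' or 'blocked'."""
    lockout = LoginLockout(settings)
    decisions = []
    for minute, host, succeeded in attempts:
        if lockout.is_blocked(host, minute):
            decisions.append("blocked")          # rejected during the block time, even if valid
        elif succeeded:
            lockout.record_success(host)
            decisions.append("ok")
        elif lockout.record_failure(host, minute):
            decisions.append("block-start")
        else:
            decisions.append("fail")
    return decisions
```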

Index management
The Index Management feature allows you to control database indexing on event
properties.

Indexing event properties allows you to optimize your searches. You can enable
indexing on any property that is listed in the Index Management window and you
can enable indexing on more than one property.

The Index Management feature also provides statistics, such as:
v The percentage of saved searches running in your deployment that include the indexed property
v The volume of data that is written to the disk by the index during the selected time frame

To enable payload indexing, you must enable indexing on the Quick Filter
property. For more information on payload indexing, see the Enable Payload
Indexing for Quick Filtering Technical Note.

Enabling indexes
The Index Management window lists all event properties that can be indexed and
provides statistics for the properties. Toolbar options allow you to enable and
disable indexing on selected event properties.

About this task

Modifying database indexing might decrease system performance; therefore, we
recommend that you monitor the statistics after you enable indexing on multiple
properties.

The Index Management window provides the following parameters.


Table 27. Index Management window parameters
Parameter Description
Display Displays the time range used to calculate the statistics for each property. From the list box, you can select a new time range. After you select a new time range option, the statistics are refreshed.
View Allows you to display properties filtered on the Indexed parameter.
Database Allows you to display properties filtered on the Database parameter.
Show Allows you to display all properties or only custom properties. Options include:
v All - Displays all properties in the Index Management list.
v Custom - Displays only custom event properties.
Custom properties are properties that you can create by extracting from unnormalized data using RegEx statements, or calculated properties that are created by performing operations on existing properties. For more information on custom properties, see the IBM Security QRadar SIEM Users Guide.
Indexed Indicates whether the property is indexed or not.
Property Displays the name of the property.
% of Searches Using Property Displays the percentage of searches that include this property that were performed in the specified time range.
% of Searches Hitting Index Displays the percentage of searches that include this property that were performed in the specified time range and successfully used the index.
% of Searches Missing Index Displays the percentage of searches that include this property that were performed in the specified time range and did not use the index.
Data Written Displays the volume of data written to the disk by the index in the time range specified in the Display list box.
Database Displays the name of the database the property is stored in. Databases include:

The Index Management toolbar provides the following options:


Table 28. Index Management window parameters
Option Description
Enable Index Select one or more properties in the Index Management list, and then click this icon to enable indexing on the selected parameters.
Disable Index Select one or more properties in the Index Management list, and then click this icon to disable indexing on the selected parameters.
Quick Search Type your keyword in the Quick Search field and click the Quick Filter icon or press Enter on the keyboard. All properties that match your keyword are displayed in the Index Management list.

Procedure
1. Click the Admin tab.
2. On the navigation menu, click System Configuration.
3. Click the Index Management icon.
4. Select one or more properties from the Index Management list.
5. Choose one of the following options:
v Click Enable Index.
v Click Disable Index.
6. Click Save.
7. Click OK.

Results

In lists that include event properties, indexed property names are appended with
the following text: [Indexed]. Examples of such lists include the search parameters
on the Log Activity tab search criteria pages and the Add Filter window.

Chapter 6. Reference sets management
Using the Reference Set Management window, you can create and manage
reference sets. You can also import elements into a reference set from an external
file.

A reference set is a set of elements that are derived from events that occur on your
network. Examples of elements that are derived from events are IP addresses or
user names.

After you create a reference set, you can create rules to detect log activity that is
associated with the reference set. For example, you can create a rule to detect when
an unauthorized user attempts to access your network resources. You can also
configure a rule to add an element to a reference set when log activity matches the
rule conditions. For example, you can create a rule to detect when an employee
accesses a prohibited website and add that employee's IP address to a reference
set. For more information on configuring rules, see the Users Guide for your
product.

Adding a reference set


From the Admin tab, you can add a reference set that you can include in rule tests.

About this task

After you create a reference set, the reference set is listed on the Reference Set
Management window. In the Rule wizard, this reference set is listed as an option
on the Rule Response page. After you configure one or more rules to send
elements to this reference set, the Number of Elements, Associated Rules, and
Capacity parameters are automatically updated.

Procedure
1. On the Reference Set Management window, click New.
2. Configure the parameters:
Table 29. Reference Set parameters
Parameter Description
Name A unique name for this reference set.
Type You cannot edit the Type parameter after you create a reference set.
Time to Live of Elements The amount of time that you want to maintain each element in the reference set. If you specify an amount of time, you must also indicate when you want to start tracking time for an element.

3. Click Create.

Deleting reference sets


You can delete a reference set from the Reference Set Management window.

About this task

When you delete reference sets, a confirmation window indicates whether the
reference sets that you want to delete have rules that are associated with them.
After you delete a reference set, the Add to Reference Set configuration is cleared
from the associated rules.

Tip: Before you delete a reference set, you can view associated rules in the
Reference tab.

Procedure

Choose one of the following options:
v On the Reference Set Management window, select a reference set, and then click Delete.
v On the Reference Set Management window, use the Quick Search text box to display only the reference sets that you want to delete, and then click Delete Listed.

Viewing the contents of a reference set


The Content tab provides a list of the elements that are included in this reference
set.

Procedure
1. On the Reference Set Management window, select a reference set.
2. Click View Contents.
3. To view contents, click the Content tab.

Tip: Use the Quick Search field to filter for specific elements. All elements that
match the keyword are listed in the Content list. Then, you can select the
action from the toolbar.
Table 30. Content tab parameters
Parameter Description
Value The value of the element. For example, if the reference set contains a list of IP addresses, the value is the IP address.
Origin The rule name indicates that the element was placed in the reference set as a response to a rule. User indicates that the element was imported from an external file or manually added to the reference set.
Time to Live The time that is remaining until this element is removed from the reference set.
Date Last Seen The date and time that this element was last detected on your network.

4. Click the References tab and view the references.

Tip: Use the Quick Search field to filter for specific elements. All elements that
match the keyword are listed in the Content list. Then, you can select the
action from the toolbar.

Table 31. Content tab parameters
Parameter Description
Rule Name The name of this rule.
Group The name of the group this rule belongs to.
Category The category of the rule. Options include Custom Rule or Anomaly Detection Rule.
Type The type of this rule.
Enabled Indicates whether the rule is enabled or disabled.
Response The responses that are configured for this rule.
Origin System indicates a default rule. Modified indicates that a default rule was customized. User indicates a user-created rule.

5. To view or edit an associated rule, double-click the rule in the References list.
In the Rule wizard, you can edit the rule configuration settings.

Adding an element to a reference set


You add an element to a reference set by using the Reference Set Management
window.

Procedure
1. On the Reference Set Management window, select a reference set.
2. Click View Contents.
3. Click the Content tab.
4. On the toolbar, click New.
5. Configure the following parameters:

Parameter Description
Value(s) If you want to type multiple values, include a separator character between each value, and then specify the separator character in the Separator Character field.
Separator Character Type the separator character that you used in the Value(s) field.

6. Click Add.

Deleting elements from a reference set


You can delete elements from a reference set.

Procedure
1. On the Reference Set Management window, select a reference set.
2. Click View Contents.
3. Click the Content tab.

4. Choose one of the following options:
v Select an element, and then click Delete.
v Use the Quick Search text box to display only the elements that you want to
delete, and then click Delete Listed.
5. Click Delete.

Importing elements into a reference set


You can import elements from an external CSV or text file.

Before you begin

Ensure that the CSV or text file that you want to import is stored on your local
desktop.

Procedure
1. On the Reference Set Management window, select a reference set.
2. Click View Contents.
3. Click the Content tab.
4. On the toolbar, click Import.
5. Click Browse.
6. Select the CSV or text file that you want to import.
7. Click Import.

Exporting elements from a reference set


You can export reference set elements to an external CSV or text file.

Procedure
1. On the Reference Set Management window, select a reference set.
2. Click View Contents.
3. Click the Content tab.
4. On the toolbar, click Export.
5. Choose one of the following options:
v If you want to open the list for immediate viewing, select the Open with option and select an application from the list box.
v If you want to save the list, select the Save File option.
6. Click OK.

Chapter 7. Reference data collections
Use the ReferenceDataUtil.sh utility to make complex reference data collections.
Use reference data collections to store, retrieve, and test complex data structures.

You can create the following reference data collection types:


Reference map
Data is stored in records that map a key to a value. For example, to
correlate user activity on your network, you can create a reference map
that uses the Username parameter as a key and the user’s Global ID as a
value.
Reference map of sets
Data is stored in records that map a key to multiple values. For example,
to test for authorized access to a patent, use a custom event property for
Patent ID as the key and the Username parameter as the value. Use a map
of sets to populate a list of authorized users.
Reference map of maps
Data is stored in records that map one key to another key, which is then
mapped to a single value. For example, to test for network bandwidth
violations, you can create a map of maps. Use the Source IP parameter as
the first key, the Application parameter as the second key, and the Total
Bytes parameter as the value.
Reference table
In a reference table, data is stored in a table that maps one key to another
key, which is then mapped to a single value. The second key has an assigned
type. This mapping is similar to a database table where each column in the
table is associated with a type.

CSV file requirements for reference data collections


If you plan to import an external file containing data elements into a reference data
collection, ensure that the file is in Comma Separated Value (CSV) format. Also,
ensure that you copied the CSV file to your system.

The CSV file must follow the format shown in the example reference data collections
below. The # symbol in the first column indicates a comment line. The first
non-comment line is the column header and identifies the column names (for
example, key1, key2, data). Each non-comment line that follows is a data record
that is added to the map. Keys are alphanumeric strings.

Example 1: Reference map


#
#
# ReferenceMap
#
key1,data
key1,value1
key2,value2

Example 2: Reference map of sets
#
#
# ReferenceMapOfSets
#
key1,data
key1,value1
key1,value2

Example 3: Reference map of maps


#
#
# ReferenceMapOfMaps
#
key1,key2,data
map1,key1,value1
map1,key2,value2

Example 4: Reference table


#
#
# ReferenceTable
#
key1,key2,type,data
map1,key1,type1,value1
map1,key2,type1,value2
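The following added Python parser (example code written for this page, not the ReferenceDataUtil.sh tool itself) reads the CSV format shown in the four examples above into a map, map of sets, map of maps or table, rejecting a header that does not match the collection type. It also checks table values against the element types listed in the command reference below; the IPv4-only rule for IP comes from the guide, the YYYY-MM-DD date format is an assumption, and SAMPLE_REFTABLE is constructed data.

```python
import csv
import ipaddress
from datetime import datetime
from typing import Any, Dict, List

# Column headers per collection type, taken from the examples in the guide.
HEADERS: Dict[str, List[str]] = {
    "MAP": ["key1", "data"],
    "MAPOFSETS": ["key1", "data"],
    "MAPOFMAPS": ["key1", "key2", "data"],
    "REFTABLE": ["key1", "key2", "type", "data"],
}
ELEMENT_TYPES = ("ALN", "ALNIC", "NUM", "IP", "PORT", "DATE")

# Constructed sample (not from the guide): a per-user table with typed columns.
SAMPLE_REFTABLE = """\
#
# ReferenceTable (constructed sample)
#
key1,key2,type,data
alice,workstation_ip,IP,192.0.2.10
alice,ssh_port,PORT,22
alice,badge_expiry,DATE,2014-12-31
"""


def validate_element(value: str, element_type: str) -> bool:
    """Check a value against the ReferenceDataUtil.sh element types. IP accepts only
    IPv4, as the guide states; DATE uses an assumed YYYY-MM-DD layout (the real tool
    takes a Simple Date Format string via -sdf)."""
    etype = element_type.upper()
    try:
        if etype in ("ALN", "ALNIC"):
            return value != ""              # case handling only matters at test time
        if etype == "NUM":
            float(value)
            return True
        if etype == "IP":
            ipaddress.IPv4Address(value)    # raises on IPv6 or malformed input
            return True
        if etype == "PORT":
            return 0 <= int(value) <= 65535
        if etype == "DATE":
            datetime.strptime(value, "%Y-%m-%d")
            return True
    except ValueError:
        return False
    return False                            # unknown element type


def parse_reference_csv(text: str, collection_type: str) -> Dict[str, Any]:
    """Parse a reference data CSV: lines starting with '#' are comments, the first
    non-comment line must be the header for the collection type, and every later
    non-comment line is one record."""
    ctype = collection_type.upper()
    if ctype not in HEADERS:
        raise ValueError(f"unknown collection type {collection_type!r}")
    expected = HEADERS[ctype]
    header_seen = False
    result: Dict[str, Any] = {}
    for lineno, row in enumerate(csv.reader(text.splitlines()), start=1):
        if not row or row[0].lstrip().startswith("#"):
            continue
        fields = [f.strip() for f in row]
        if not header_seen:
            if fields != expected:
                raise ValueError(f"line {lineno}: header {fields} does not match {expected}")
            header_seen = True
            continue
        if len(fields) != len(expected):
            raise ValueError(f"line {lineno}: expected {len(expected)} columns, got {len(fields)}")
        if ctype == "MAP":
            key, data = fields
            result[key] = data                        # a repeated key1 overwrites
        elif ctype == "MAPOFSETS":
            key, data = fields
            result.setdefault(key, set()).add(data)   # a repeated key1 accumulates values
        elif ctype == "MAPOFMAPS":
            key1, key2, data = fields
            result.setdefault(key1, {})[key2] = data
        else:  # REFTABLE: the second key carries a type; known element types are validated
            key1, key2, etype, data = fields
            if etype.upper() in ELEMENT_TYPES and not validate_element(data, etype):
                raise ValueError(f"line {lineno}: {data!r} is not a valid {etype} value")
            result.setdefault(key1, {})[key2] = (etype, data)
    if not header_seen:
        raise ValueError("no header line found")
    return result
```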

Creating a reference data collection


Use the ReferenceDataUtil.sh utility to create a reference data collection.

Procedure
1. Using SSH, log in to QRadar as the root user.
2. Go to the /opt/qradar/bin directory.
3. To create the reference data collection, type the following command:
./ReferenceDataUtil.sh create name count [MAP | MAPOFSETS | MAPOFMAPS | REFTABLE] [ALN | NUM | IP | PORT | ALNIC | DATE] [TIMEOUT_TYPE] [TIMETOLIVE]
4. To populate the map with data from an external file, type the following command:
./ReferenceDataUtil.sh load name filename [-encoding=...] [-sdf=" ... "]

What to do next

Log in to the user interface to create rules that add data to your reference data
collections. You can also create rule tests that detect activity from elements that are
in your reference data collection. For more information about creating rules and
rule tests, see the Users Guide for your product.

ReferenceDataUtil.sh command reference


You can manage your reference data collections using the ReferenceDataUtil.sh
utility.

create
Creates a reference data collection.

name
The name of the reference data collection.
[MAP | MAPOFSETS | MAPOFMAPS | REFTABLE]
The type of reference data collection.
[ALN | ALNIC | NUM | IP | PORT | DATE]
The type of data in the reference set:
v ALN specifies a reference data collection of alphanumeric values. This data
type supports IPv4 and IPv6 addresses.
v ALNIC specifies a reference data collection of alphanumeric values but tests
ignore the case. This data type supports IPv4 and IPv6 addresses.
v NUM specifies a reference data collection of numeric values.
v IP specifies a reference data collection of IP addresses. This data type
supports only IPv4 addresses.
v PORT specifies a reference data collection of port numbers.
v DATE specifies a reference data collection of DATE values.
[-TIMEOUTTYPE=[FIRST_SEEN | LAST_SEEN]]
Specifies whether the amount of time the data elements remain in the reference
data collection is from the time the element was first seen or last seen.
[-TimeToLive='']
The amount of time the data elements remain in the reference data collection.
[-keyType=name:elementType,name:elementType,...]
A mandatory REFTABLE parameter consisting of key name to elementType
pairs.
[-key1Label='']
An optional label for key1.
[-valueLabel='']
An optional label for the values of the collection.

update
Updates a reference data collection.
name
The name of the reference data collection.
[-TIMEOUTTYPE=[FIRST_SEEN | LAST_SEEN]]
Specifies whether the amount of time the data elements remain in the reference
data collection is from the time the element was first seen or last seen.
[-timeToLive='']
The amount of time the data elements remain in the reference data collection.
[-keyType=name:elementType,name:elementType,...]
A mandatory REFTABLE parameter consisting of key name to elementType
pairs.
[-key1Label='']
An optional label for key1.
[-valueLabel='']
An optional label for the values of the collection.

add
Adds a data element to a reference data collection.
name
The name of the reference data collection.
<value> <key1> [key2]
The key value pair that you want to add. MAP and MAPOFSETS require Key
1. MAPOFMAPS and REFTABLE require Key 1 and Key 2. Keys are
alphanumeric strings.
[-sdf=" ... "]
The Simple Date Format string that is used to parse the date data.

delete
Deletes an element from a reference data collection.
name
The name of the reference data collection.
<value> <key1> [key2]
The key value pair that you want to delete. MAP and MAPOFSETS require
Key 1. MAPOFMAPS and REFTABLE require Key 1 and Key 2. Keys are
alphanumeric strings.
[-sdf=" ... "]
The Simple Date Format string that is used to parse the date data.

remove
Removes a reference data collection.
name
The name of the reference data collection.

purge
Purges all elements from a reference data collection.
name
The name of the reference data collection.

list
Lists elements in a reference data collection.
name
The name of the reference data collection.
[displayContents]
Lists all elements in the specified reference data collection.

listall
Lists all elements in all reference data collections.
[displayContents]
Lists all elements in all reference data collections.

load
Populates a reference data collection with data from an external CSV file.
name
The name of the reference data collection.

filename
The fully qualified file name to be loaded. Each line in the file represents a
record to be added to the reference data collection.
[-encoding=...]
Encoding that is used to read the file.
[-sdf=" ... "]
The Simple Date Format string that is used to parse the date data.

Chapter 8. Manage backup and recovery
You can back up and recover QRadar configuration information and data.

You can use the backup and recovery feature to back up your event data; however,
you must restore event data manually. For assistance in restoring your event data,
see the Restoring Your Data Technical Note.

By default, QRadar creates a backup archive of your configuration information
daily at midnight. The backup archive includes configuration information, data, or
both from the previous day.

You can use two types of backups: configuration backups and data backups.

Configuration backups include the following components:


v Assets
v Certificates
v Custom logos
v Custom rules
v Device Support Modules (DSMs)
v Event categories
v Groups
v Index management information
v License key information
v Log sources
v Store and Forward schedules
v User and user roles information
v Vulnerability data (if QRadar Vulnerability Manager is installed)

Data backups include the following information:


v Audit log information
v Event data
v Report data
v Indexes
v Reference set elements

Viewing backup archives


Use the Backup Archives window to view a list of your backup archives.

Procedure
1. Click the Admin tab.
2. On the navigation menu, click System Configuration.
3. Click Backup and Recovery.

Importing a backup archive
Importing a backup archive is useful if you want to restore a backup archive that
was created on another QRadar host.

About this task

If you place a QRadar backup archive file in the /store/backupHost/inbound
directory on the Console server, the backup archive file is automatically imported.

Procedure
1. Click the Admin tab.
2. On the navigation menu, click System Configuration.
3. Click the Backup and Recovery icon.
4. In the Upload Archive field, click Browse.
5. Locate and select the archive file that you want to upload. The archive file must
include a .tgz extension.
6. Click Open.
7. Click Upload.

Deleting a backup archive

To delete a backup archive file, the backup archive file and the Host Context
component must be located on the same system. The system must also be in
communication with the Console and no other backup can be in progress.

About this task

If a backup file is deleted, it is removed from the disk and from the database. Also,
the entry is removed from this list and an audit event is generated to indicate the
removal.

Procedure
1. Click the Admin tab.
2. On the navigation menu, click System Configuration.
3. Click Backup and Recovery.
4. In the Existing Backups section, select the archive that you want to delete.
5. Click Delete.

Backup archive creation

By default, QRadar creates a backup archive of your configuration information
daily at midnight. The backup archive includes your configuration information,
data, or both from the previous day. You can customize this nightly backup and
create an on-demand configuration backup, as required.

Scheduling nightly backup

Use the Backup Recovery Configuration window to configure a nightly scheduled
backup process.

About this task

By default, the nightly backup process includes only your configuration files. You
can customize your nightly backup process to include data from your Console and
selected managed hosts. You can also customize your backup retention period,
backup archive location, the time limit for a backup to process before timing out,
and the backup priority in relation to other QRadar processes.

The Backup Recovery Configuration window provides the following parameters:

Table 32. Backup Recovery Configuration parameters

General Backup Configuration

Backup Repository Path
    Type the location where you want to store your backup file. The default
    location is /store/backup. This path must exist before the backup process
    is initiated. If this path does not exist, the backup process aborts.

    If you modify this path, make sure the new path is valid on every system
    in your deployment.

    v Active data is stored on the /store directory. If you have both active
      data and backup archives stored in the same directory, data storage
      capacity might easily be reached and your scheduled backups might fail.
      We recommend you specify a storage location on another system or copy
      your backup archives to another system after the backup process is
      complete. You can use a Network File System (NFS) storage solution in
      your QRadar deployment. For more information on using NFS, see the
      Offboard Storage Guide.

Backup Retention Period (days)
    Type or select the length of time, in days, that you want to store backup
    files. The default is 2 days.

    This period of time only affects backup files generated as a result of a
    scheduled process. On-demand backups or imported backup files are not
    affected by this value.

Nightly Backup Schedule
    Select a backup option.

Select the managed hosts you would like to run data backups:
    This option is only displayed if you select the Configuration and Data
    Backups option.

    All hosts in your deployment are listed. The first host in the list is
    your Console; it is enabled for data backup by default, therefore no check
    box is displayed. If you have managed hosts in your deployment, the
    managed hosts are listed below the Console and each managed host includes
    a check box.

    Select the check box for the managed hosts you want to run data backups
    on.

    For each host (Console or managed hosts), you can optionally clear the
    data items you want to exclude from the backup archive.

Configuration Only Backup

Backup Time Limit (min)
    Type or select the length of time, in minutes, that you want to allow the
    backup to run. The default is 180 minutes. If the backup process exceeds
    the configured time limit, the backup process is automatically canceled.

Backup Priority
    From this list box, select the level of importance that you want the
    system to place on the configuration backup process compared to other
    processes.

    A priority of medium or high has a greater impact on system performance.

Data Backup

Backup Time Limit (min)
    Type or select the length of time, in minutes, that you want to allow the
    backup to run. The default is 1020 minutes. If the backup process exceeds
    the configured time limit, the backup is automatically canceled.

Backup Priority
    From the list, select the level of importance you want the system to
    place on the data backup process compared to other processes.

    A priority of medium or high has a greater impact on system performance.

Procedure
1. Click the Admin tab.
2. On the navigation menu, click System Configuration.
3. Click Backup and Recovery.
4. On the toolbar, click Configure.

5. On the Backup Recovery Configuration window, customize your nightly
backup.
6. Click Save.
7. Close the Backup Archives window.
8. On the Admin tab menu, click Deploy Changes.
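Two of the Table 32 settings, the Backup Repository Path and the Backup Retention Period, can be checked from a shell before the nightly run instead of discovering a failed backup the next morning. The following script is an added example and is not part of the IBM guide or of the QRadar product. It assumes that active data lives under /store, as Table 32 states; the optional second argument of check_backup_repo (a scratch directory standing in for /store), the exit codes and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not part of the IBM guide: pre-flight checks for the Backup
# Repository Path and the Backup Retention Period described in Table 32.
# Assumptions: the active-data directory is /store, as the guide states; the
# second argument of check_backup_repo exists only so that the function can be
# exercised on a scratch directory tree.

# Print the filesystem that holds a path. df -P is POSIX and column 1 is the
# device or export name, so two paths on the same mount print the same value.
fs_of() {
    df -P "$1" | awk 'NR == 2 { print $1 }'
}

# check_backup_repo REPO_PATH [ACTIVE_DATA_DIR]
# Exit status:
#   0  repository exists, is a writable directory, and sits on a different
#      filesystem than the active data
#   1  repository does not exist (the nightly backup process would abort)
#   2  repository exists but is not a writable directory
#   3  repository shares a filesystem with the active data, so archives and
#      live event data compete for the same capacity
check_backup_repo() {
    repo=$1
    active=${2:-/store}
    [ -e "$repo" ] || return 1
    [ -d "$repo" ] && [ -w "$repo" ] || return 2
    [ "$(fs_of "$repo")" != "$(fs_of "$active")" ] || return 3
    return 0
}

# Human-readable message for a check_backup_repo exit status.
describe_repo_status() {
    case $1 in
        0) echo "OK: repository is writable and on its own filesystem" ;;
        1) echo "FAIL: repository path does not exist; the backup process will abort" ;;
        2) echo "FAIL: repository path is not a writable directory" ;;
        3) echo "WARN: repository is on the same filesystem as active data" ;;
        *) echo "unknown status $1" ;;
    esac
}

# list_expired_backups REPO_PATH DAYS
# Lists archives older than DAYS days, which is the set a retention period of
# DAYS would already have removed. The guide states that the product applies
# the retention period only to scheduled backups; a file listing cannot tell
# scheduled archives from on-demand or imported ones, so every archive older
# than DAYS is named and the decision is left to the operator.
list_expired_backups() {
    find "$1" -maxdepth 1 -type f -name 'backup.*.tgz' -mtime +"$2"
}

# Stand-alone use against the product defaults (repository /store/backup,
# retention 2 days):
#   rc=0; check_backup_repo /store/backup || rc=$?
#   describe_repo_status "$rc"
#   list_expired_backups /store/backup 2
```

Run the three commands from the trailing comment on the Console and on each managed host that is selected for data backups, because a repository path that is valid on the Console but missing on a managed host aborts that host's backup.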

Creating an on-demand configuration backup archive

If you must back up your configuration files at a time other than your nightly
scheduled backup, you can create an on-demand backup archive. On-demand
backup archives include only configuration information.

About this task

Initiate an on-demand backup archive during a period when QRadar has a low
processing load, such as after normal office hours. During the backup process,
system performance is affected.

Procedure
1. Click the Admin tab.
2. On the navigation menu, click System Configuration.
3. Click Backup and Recovery.
4. From the toolbar, click On Demand Backup.
5. Enter values for the following parameters:

   Name
       Type a unique name that you want to assign to this backup archive. The
       name can be up to 100 alphanumeric characters in length. The name can
       contain the following characters: underscore (_), dash (-), or period
       (.).

   Description
       Type a description for this configuration backup archive. The
       description can be up to 255 characters in length.

6. Click Run Backup.

You can start a new backup or restore process only after the on-demand
backup is complete. You can monitor the backup archive process in the Backup
Archives window. See “Viewing backup archives” on page 91.

Backup archive restoration

Restoring a backup archive is useful if you want to restore previously archived
configuration files, asset data, and offense data on your QRadar system.

Before you restore a backup archive, note the following considerations:

v You can only restore a backup archive created within the same release of
software, including the patch level. For example, if you are running IBM
Security QRadar 7.1.0 (MR2), the backup archive must have been created in IBM
Security QRadar.
v The restore process only restores your configuration information, asset data, and
offense data. For assistance in restoring your event or flow data, see the
Restoring Your Data Technical Note.

v If the backup archive originated on a NATed Console system, you can only
restore that backup archive on a NATed system.

During the restore process, the following steps are taken on the Console:
1. Existing files and database tables are backed up.
2. Tomcat is shut down.
3. All system processes are shut down.
4. Files are extracted from the backup archive and restored to disk.
5. Database tables are restored.
6. All system processes are restarted.
7. Tomcat restarts.

Restoring a backup archive

You can restore a backup archive. Restoring a backup archive is useful if you have
a system hardware failure or you want to restore a backup archive on a
replacement appliance.

About this task

You can restart the Console only after the restore process is complete.

The restore process can take up to several hours; the process time depends on the
size of the backup archive that must be restored. When complete, a confirmation
message is displayed.

A window provides the status of the restore process. This window provides any
errors for each host and instructions for resolving the errors.

The following parameters are available in the Restore a Backup window:

Table 33. Restore a Backup parameters

Name
    The name of the backup archive.

Description
    The description, if any, of the backup archive.

Type
    The type of backup. Only configuration backups can be restored,
    therefore, this parameter displays config.

Select All Configuration Items
    When selected, this option indicates that all configuration items are
    included in the restoration of the backup archive.

Restore Configuration
    Lists the configuration items to include in the restoration of the
    backup archive. To remove items, you can clear the check boxes for each
    item you want to remove or clear the Select All Configuration Items
    check box.

Select All Data Items
    When selected, this option indicates that all data items are included in
    the restoration of the backup archive.

Restore Data
    Lists the data items to include in the restoration of the backup
    archive. All items are cleared by default. To restore data items, you
    can select the check boxes for each item you want to restore.

Procedure
1. Click the Admin tab.
2. On the navigation menu, click System Configuration.
3. Click Backup and Recovery.
4. Select the archive that you want to restore.
5. Click Restore.
6. On the Restore a Backup window, configure the parameters.
7. Click Restore.
8. Click OK.
9. Click OK.
10. Choose one of the following options:
v If the user interface was closed during the restore process, open a web
browser and log in to QRadar.
v If the user interface was not closed, the login window is displayed. Log in
to QRadar.
11. Follow the instructions on the status window.

What to do next

After you verify that your data is restored to your system, you must reapply RPMs
for any DSMs, vulnerability assessment (VA) scanners, or log source protocols.

If the backup archive originated on an HA cluster, you must click Deploy Changes
to restore the HA cluster configuration after the restore is complete. If disk
replication is enabled, the secondary host immediately synchronizes data after the
system is restored. If the secondary host was removed from the deployment after a
backup, the secondary host displays a failed status on the System and License
Management window.

Restoring a backup archive created on a different QRadar system
Each backup archive includes the IP address information of the system from which
the backup archive was created. When you restore a backup archive from a
different QRadar system, the IP address of the backup archive and the system that
you are restoring are mismatched. You can correct the mismatched IP addresses.

About this task

You can restart the Console only after the restore process is complete.

The restore process can take up to several hours; the process time depends on the
size of the backup archive that must be restored. When complete, a confirmation
message is displayed.

A window provides the status of the restore process. This window provides any
errors for each host and instructions for resolving the errors.

You must stop the iptables service on each managed host in your deployment. The
iptables service is a Linux-based firewall.

The Restore a Backup (Managed Hosts Accessibility) window provides the
following information.

Table 34. Restore a Backup (Managed Host Accessibility) parameters

Host Name
    The managed host name.

IP Address
    The IP address of the managed host.

Access Status
    The access status to the managed host.

The Restore a Backup window provides the following parameters:

Table 35. Restore a Backup parameters

Name
    The name of the backup archive.

Description
    The description, if any, of the backup archive.

Type
    The type of backup. Only configuration backups can be restored,
    therefore, this parameter displays config.

Select All Configuration Items
    When selected, this option indicates that all configuration items are
    included in the restoration of the backup archive. This check box is
    selected by default. To clear all configuration items, clear the check
    box.

Restore Configuration
    Lists the configuration items to include in the restoration of the
    backup archive. All items are selected by default. To remove items, you
    can clear the check boxes for each item you want to remove or clear the
    Select All Configuration Items check box.

Select All Data Items
    When selected, this option indicates that all data items are included in
    the restoration of the backup archive. This check box is selected by
    default. To clear all data items, clear this check box.

Restore Data
    Lists the data items to include in the restoration of the backup
    archive. All items are cleared by default. To restore data items, you
    can select the check boxes for each item you want to restore.

Procedure
1. Click the Admin tab.
2. On the navigation menu, click System Configuration.
3. Click Backup and Recovery.
4. Select the archive that you want to restore.

5. Click Restore.
6. On the Restore a Backup window, configure the parameters.
7. Click Restore.
8. Stop iptables:
a. Using SSH, log in to the managed host as the root user.
b. Type the command, service iptables stop.
c. Repeat for all managed hosts in your deployment.
9. On the Restore a Backup window, click Test Hosts Access.
10. After testing is complete for all managed hosts, verify that the status in the
Access Status column indicates a status of OK.
11. If the Access Status column indicates a status of No Access for a host, stop
iptables again, and then click Test Host Access again to attempt a connection.
12. On the Restore a Backup window, configure the parameters.
13. Click Restore.
14. Click OK.
15. Click OK to log in.
16. Choose one of the following options:
v If the user interface was closed during the restore process, open a web
browser and log in to QRadar.
v If the user interface was not closed, the login window is displayed. Log in
to QRadar.
17. View the results of the restore process and follow the instructions to resolve
any errors.
18. Refresh your web browser window.
19. From the Admin tab, select Advanced Deploy Full Configuration.

What to do next

After you verify that your data is restored to your system, you must reapply RPMs
for any DSMs, vulnerability assessment (VA) scanners, or log source protocols.

If the backup archive originated on an HA cluster, you must click Deploy Changes
to restore the HA cluster configuration after the restore is complete. If disk
replication is enabled, the secondary host immediately synchronizes data after the
system is restored. If the secondary host was removed from the deployment after a
backup, the secondary host displays a failed status on the System and License
Management window.

Restoring data
You can restore the data on your QRadar Console and managed hosts from backup
files. The data portion of the backup files includes information about all offenses,
including source and destination IP address information, asset data, event category
information, vulnerability data, event data, and flow data.

Each managed host in your deployment, including the QRadar Console, creates all
backup files in the /store/backup/ directory. Your system might include a
/store/backup mount from an external SAN or NAS service. External services
provide long term, offline retention of data, which is commonly required for
compliancy regulations, such as PCI.

Restriction: You must restore the configuration backup before you restore the data
backup.

Before you begin

Ensure that the following conditions are met:

v If you are restoring data on a new QRadar Console, the configuration backup is
restored.
v You know the location of the managed host where the data is backed up.
v The /store directory, or the /store/ariel directory if your deployment includes
a separate mount point for that volume, has sufficient space for the data that
you want to recover.
v You know the date and time for the data that you want to recover.

Procedure
1. Using SSH, log in to QRadar SIEM as the root user.
2. Go to the /store/backup directory.
3. To list the backup files, type ls -l
4. If backup files are listed, go to the root directory by typing cd /

Important: The restored files must be in the /store directory. If you type cd
instead of cd /, the files are restored to the /root/store directory.
5. To extract the backup files to their original directory, type the following
command:
tar -zxpvPf /store/backup/backup.<name>.<hostname_hostID>.<target date>.<backup type>.<timestamp>.tgz

Table 36. Description of file name variables

hostname_hostID
    The name of the QRadar system that hosts the backup file, followed by the
    identifier for the QRadar system.

target date
    The date that the backup file was created. The format of the target date
    is <day>_<month>_<year>.

backup type
    The options are data or config.

timestamp
    The time that the backup file was created.

Results

Daily backup of data captures all data on each host. If you want to restore data on
a managed host that contains only event or flow data, only that data is restored to
that host.

Verifying restored data


Verify that your data is restored correctly in IBM Security QRadar.

Procedure
1. To verify that the files are restored, review the contents of one of the restored
directories by typing the following command:
cd /store/ariel/flows/payloads/<yyyy/mm/dd>

You can view the restored directories that are created for each hour of the day.
If directories are missing, data might not be captured for that time period.
2. Verify that the restored data is available.
a. Log in to the QRadar interface.
b. Click the Log Activity or Network Activity tab.
c. Select Edit Search from the Search list on the toolbar.
d. In the Time Range pane of the Search window, select Specific Interval.
e. Select the time range of the data you restored and then click Filter.
f. View the results to verify the restored data.
g. If your restored data is not available in the QRadar interface, verify that
data is restored in the correct location and file permissions are correctly
configured.
Restored files must be in the /store directory. If you typed cd instead of
cd / when you extracted the restored files, check the /root/store directory
for the restored files. If you did not change directories before you extracted
the restored files, check the /store/backup/store directory for the restored
files.
Typically, files are restored with the original permissions. However, if the
files are owned by the root user account, issues might occur. If the files are
owned by the root user account, change the permissions by using the chown
and chmod commands.
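The restore steps in "Restoring data" and the checks in this verification procedure can be scripted so that the cd versus cd / mistake is caught before anyone searches the Log Activity tab for data that landed in /root/store. The following shell functions are an added example and are not code from the IBM guide or from QRadar: they parse the Table 36 file name pattern (peeling the fixed fields off from the right, because the <name> part may itself contain periods), run the guide's tar extraction from a chosen root directory, locate where the archive's members actually landed, and report missing hourly directories and root-owned files. The ROOT argument (a stand-in for / so the functions can run on a scratch tree), the assumption that hourly directories are named 0 to 23 or 00 to 23, the exit codes and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not part of the IBM guide: helpers for the data-restore and
# verification steps. Assumptions: the archive name follows the
# backup.<name>.<hostname_hostID>.<target date>.<backup type>.<timestamp>.tgz
# pattern from Table 36; the archive stores its members relative to / (as
# store/...), which is what makes "cd" instead of "cd /" land files in
# /root/store; ROOT stands in for / so the functions can run on a scratch
# tree; hourly payload directories are named 0-23 or 00-23.

# parse_backup_name FILE
# Prints name, hostname_hostID, target date, backup type and timestamp, one per
# line. Returns 1 for a name that does not fit the pattern.
parse_backup_name() {
    base=${1##*/}
    case $base in backup.*.tgz) ;; *) return 1 ;; esac
    rest=${base%.tgz}
    ts=${rest##*.};   rest=${rest%.*}
    type=${rest##*.}; rest=${rest%.*}
    date=${rest##*.}; rest=${rest%.*}
    host=${rest##*.}; rest=${rest%.*}
    case $type in config|data) ;; *) return 1 ;; esac
    case $rest in backup.?*) ;; *) return 1 ;; esac
    [ -n "$host" ] && [ -n "$date" ] && [ -n "$ts" ] || return 1
    printf '%s\n' "${rest#backup.}" "$host" "$date" "$type" "$ts"
}

# extract_backup FILE ROOT
# Runs the guide's extraction (without the v flag, to keep the listing out of
# scripts) from ROOT, which is / on a real system. The directory change happens
# in a subshell so the caller's working directory is untouched.
extract_backup() {
    parse_backup_name "$1" >/dev/null || return 1
    (cd "$2" && tar -zxpPf "$1")
}

# check_restore_location FILE ROOT
# Uses the first regular file inside the archive to find where a restore
# landed. Exit status 0: under ROOT/store as intended; 1: under ROOT/root/store
# ("cd" instead of "cd /"); 2: under ROOT/store/backup/store (no cd at all);
# 3: nowhere expected.
check_restore_location() {
    first=$(tar -tzf "$1" | grep -v '/$' | head -n 1)
    first=${first#/}; first=${first#./}
    [ -n "$first" ] || return 3
    if   [ -e "$2/$first" ];              then return 0
    elif [ -e "$2/root/$first" ];         then return 1
    elif [ -e "$2/store/backup/$first" ]; then return 2
    else return 3
    fi
}

# missing_hours DAY_DIR
# Prints each hour 0-23 that has no directory under a restored
# /store/ariel/.../<yyyy/mm/dd> directory; no output means every hour of that
# day has data on disk.
missing_hours() {
    h=0
    while [ "$h" -le 23 ]; do
        [ -d "$1/$h" ] || [ -d "$1/$(printf '%02d' "$h")" ] || echo "$h"
        h=$((h + 1))
    done
}

# root_owned_files DIR
# Lists restored files still owned by root, the case the guide says needs
# chown and chmod. The intended owner is deployment specific, so only the
# listing is automated here.
root_owned_files() {
    find "$1" -type f -user root
}

# Stand-alone use on a Console (the archive name is whatever ls -l listed):
#   extract_backup /store/backup/<archive>.tgz /
#   check_restore_location /store/backup/<archive>.tgz /; echo "status $?"
#   missing_hours /store/ariel/flows/payloads/<yyyy/mm/dd>
#   root_owned_files /store/ariel
```

check_restore_location deliberately tests for a file rather than for the store/ directory: on a real Console /store always exists, so only the presence of an actual restored file proves where the extraction went.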

What to do next

After you verify that your data is restored, you must reapply RPMs for any
DSMs, vulnerability assessment (VA) scanners, and log source protocols.

Chapter 9. Deployment editor
Use the deployment editor to manage the individual components of your QRadar deployment.
After you configure your deployment, you can access and configure the individual
components of each managed host in your deployment.

Deployment editor requirements

Before you can use the deployment editor, ensure that your system meets the
minimum system requirements.

The deployment editor requires Java™ Runtime Environment (JRE). You can
download Java 1.6 or 1.7 from the Java website (www.java.com). If you are using
the Mozilla Firefox web browser, you must configure your browser to accept Java
Network Language Protocol (JNLP) files.

Many web browsers that use the Microsoft Internet Explorer engine, such as
Maxthon, install components that might be incompatible with the Admin tab. You
might be required to disable any web browsers that are installed on your system.

To access the deployment editor from behind a proxy server or firewall, you must
configure the appropriate proxy settings on your desktop. The software can then
automatically detect the proxy settings from your browser.

To configure the proxy settings, open the Java configuration in your Control Panel
and configure the IP address of your proxy server. For more information, see the
Microsoft documentation.

Deployment editor views

The deployment editor provides different views of your deployment.

You can access the deployment editor by using the Admin tab. You can use the
deployment editor to create your deployment, assign connections, and configure
each component.

After you update your configuration settings by using the deployment editor, you
must save those changes to the staging area. You must manually deploy all
changes by using the Admin tab menu option. All deployed changes are then
enforced throughout your deployment.

The deployment editor provides the following views:

System View

Use the System View page to assign software components to managed hosts in your
deployment. The System View page includes all managed hosts in your
deployment. A managed host is a system in your deployment that has QRadar
software that is installed.

By default, the System View page also includes the following components:

v Host Context, which monitors all QRadar components to ensure that each
component is operating as expected.
v Accumulator, which analyzes events, reporting, writing database data, and
alerting a Device Support Module (DSM).
An accumulator is on any host that contains an Event Processor.

On the System View page, the left pane provides a list of managed hosts, which
you can view and configure. The deployment editor polls your deployment for
updates to managed hosts. If the deployment editor detects a change to a managed
host in your deployment, a message is displayed notifying you of the change. For
example, if you remove a managed host, a message is displayed, indicating that
the assigned components to that host must be reassigned to another host.

Also, if you add a managed host to your deployment, the deployment editor
displays a message that indicates that the managed host was added.

Event View

Use the Event View page to create a view of your components:

v Event Processors
v Event Collectors
v Off-site Sources
v Off-site Targets
v Magistrate components

On the Event View page, the left pane provides a list of components you can add
to the view. The right pane provides a view of your deployment.

Vulnerability View

This view is only available if IBM Security QRadar Vulnerability Manager is
installed on your system.

Use the Vulnerability View page to create a view of your IBM Security QRadar
Vulnerability Manager components. You must install IBM Security QRadar
Vulnerability Manager to see this view. For more information, see the IBM Security
QRadar Vulnerability Manager User Guide.

Configuring deployment editor preferences

You can configure the deployment editor preferences to modify the zoom
increments and the presence poll frequency.

Procedure
1. Select File > Edit Preferences.
2. To configure the Presence Poll Frequency parameter, type how often, in
milliseconds, that you want the managed host to monitor your deployment for
updates.
3. To configure the Zoom Increment parameter, type the increment value when the
zoom option is selected.
For example, 0.1 indicates 10%.

Building your deployment
Use the deployment editor and options on the Admin tab to build and deploy
your deployment.

Before you begin

Ensure that the following conditions are met:

v Install the Java Runtime Environment (JRE). You can download Java 1.6 or 1.7
from the Java website (www.java.com).
v If you are using the Firefox browser, you must configure your browser to accept
Java Network Language Protocol (JNLP) files.
v Plan your QRadar deployment, including the IP addresses and login information
for all devices in your deployment.

Procedure
1. Build your Event View.
2. Build your System View.
3. Configure components.
4. To stage your deployment, from the deployment editor menu, click File > Save
to Staging.
5. To deploy all configuration changes, on the Admin tab, click Advanced >
Deploy Changes.

Event view management

Use the Event View page to create and manage the components for your
deployment.

QRadar components
QRadar deployments consist of multiple components.

QRadar deployments include the following components:

Event Collector

Collects security events from various types of security devices, which are known as
log sources, in your network.

The Event Collector gathers events from local and remote log sources. The Event
Collector then normalizes the events and sends the information to the Event
Processor. The Event Collector also bundles all identical events to conserve system
usage.

Event Processor

A non-Console Event Processor can be connected to the Event Processor on the
QRadar Console or connected to another Event Processor in your deployment. The
Accumulator is responsible for gathering flow and event information from the
Event Processor.

The Event Processor on the QRadar Console is always connected to the Magistrate.
This connection cannot be deleted.

Off-site Source

Indicates an off-site data source that forwards normalized data to an Event
Collector. You can configure an off-site source to receive data and allow the data
to be encrypted before forwarding.

Off-site Target

Indicates an off-site device that receives event or flow data. An off-site target can
receive data only from an Event Collector.

Magistrate

The Magistrate component provides the core processing components of your
system. You can add one Magistrate component for each deployment. The
Magistrate provides views, reports, alerts, and analysis of network traffic and
security events. The Magistrate processes the events against the defined custom
rules to create a response. If no custom rules exist, the Magistrate uses the default
rule set to process the offending event.

The response is processed by using multiple inputs, individual events, and
combined events with analyzed behavior and vulnerabilities. Magistrate prioritizes
the response and assigns a magnitude value that is based on several factors,
including the amount of responses, severity, relevance, and credibility.

When processed, the Magistrate produces a list for each source, providing you
with a list of attackers and their response for each event. After the Magistrate
establishes the magnitude, the Magistrate then provides multiple options for
resolution.

By default, the Event View page includes a Magistrate component.

Process to build your Event View

To build your Event View, do the following steps:

1. Add components to your view.
2. Connect the components.
3. Connect deployments.
4. Rename the components so each component has a unique name.

Adding components
When you configure your deployment, you must use the Event View page in the
deployment editor to add your components.

You can add the following QRadar components to your Event View page:
v Event Collector
v Event Processor
v Off-site source
v Off-site target

Procedure
1. On the Admin tab, click Deployment Editor.

2. In the Event Components pane, select a component that you want to add to
your deployment.
3. Type a unique name for the component you want to add and click Next.

Restriction: The name can be up to 20 characters in length and might include
underscores or hyphens.
4. From the Select a host to assign to list box, select a managed host, and then
click Next.
5. Click Finish.
6. Repeat steps 3 - 5 for each component you want to add to your view.
7. From the deployment editor menu, select File > Save to staging.
The deployment editor saves your changes to the staging area and
automatically closes.
8. On the Admin tab menu, click Deploy Changes.

Connecting components
After you add all the necessary components in your Event View page, you must
connect them.

About this task

Use the Event View page to connect components together. Some restrictions are
enforced. For example, you can connect an Event Collector to an Event Processor,
but not a Magistrate component.

The following table describes the components that you can connect. Each entry
names the source connection, then the target connection.

Table 37. Description of supported component connections

Event Collector to Event Processor
    An Event Collector can be connected only to one Event Processor.

    A Console Event Collector can be connected only to a Console Event
    Processor. This connection cannot be removed.

    A non-Console Event Collector can be connected to an Event Processor on
    the same system.

    A non-Console Event Collector can be connected to a remote Event
    Processor, but only if the Event Processor does not exist on the Console.

Event Collector to Off-site target
    The number of connections is not restricted.

Off-site source to Event Collector
    The number of connections is not restricted.

Event Processor to Magistrate (MPC)
    Only one Event Processor can connect to a Magistrate.

Event Processor to Event Processor
    A Console Event Processor cannot connect to a non-Console Event
    Processor.

    A non-Console Event Processor can be connected to another Console or
    non-Console Event Processor, but not both at the same time.

    A non-Console Event Processor is connected to a Console Event Processor
    when a non-Console managed host is added.

Procedure
1. In the Event View page, select the component for which you want to establish a
connection.
2. Click Actions > Add Connection.
An arrow is displayed in your map. The arrow represents a connection between
two components.
3. Drag the end of the arrow to the component you want to establish a connection
to.
4. Click Save.
5. Repeat these steps for all remaining components that require connections.

Forwarding normalized events

To forward normalized events, configure an off-site Event Collector in your current
deployment to receive events from an associated off-site Event Collector in the
receiving deployment.

About this task

You can add the following components to your Event View page:
v An Off-site Source is an off-site Event Collector from which you want to
receive event data.

Restriction: The off-site source must be configured with appropriate permissions
to send event data to the off-site target.
v An Off-site Target is an off-site Event Collector to which you want to send
event data.

Example:

To forward normalized events between two deployments (A and B), where
deployment B wants to receive events from deployment A:
1. Configure deployment A with an off-site target to provide the IP address of the
managed host that includes Event Collector B.
2. Connect Event Collector A to the off-site target.

3. In deployment B, configure an off-site source with the IP address of the
managed host that includes Event Collector A and the port that Event Collector
A is monitoring.

If you want to disconnect the off-site source, you must remove the connections
from both deployments. From deployment A, remove the off-site target and in
deployment B, remove the off-site source.

To enable encryption between deployments, you must enable encryption on both
the off-site source and the off-site target. Also, you must ensure that the SSH
public key for the off-site source (client) is available to the target (server) to
ensure appropriate access. For example, to enable encryption between the off-site
source and Event Collector B, you must copy the public key file
/root/.ssh/id_rsa.pub from the off-site source to Event Collector B. Add the
contents of the file to the /root/.ssh/authorized_keys file.

If the off-site source or target is an all-in-one system, the public key is not
automatically generated, therefore, you must manually generate the public key. For
more information about generating public keys, see your Linux documentation.
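
The key exchange described above is usually done by hand with scp and a text editor. The following is an added example, not code from the IBM documentation or the QRadar product, of the same step done carefully: it validates that the copied line really is an OpenSSH public key (a truncated or line-wrapped key is the most common reason the tunnel later fails to come up), appends it to authorized_keys only once, and sets the permissions that sshd requires. The optional from= restriction, which limits the entry to the off-site source's IP address, is a hardening step that the documentation does not mention; the file paths and the sample key are assumptions, and the sample key is constructed test data, not a usable key.

```python
"""Idempotent, validated install of an SSH public key into authorized_keys.

Added example for the QRadar off-site source/target encryption step; not IBM
code. Paths, the from= restriction and the constructed sample key are
assumptions for illustration.
"""
import base64
import os
import re
import stat
from typing import Optional

# Key types accepted here; the documentation itself only mentions id_rsa.pub.
KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256")
_KEY_RE = re.compile(r"^(\S+) ([A-Za-z0-9+/]+=*)(?: (.*))?$")


def parse_pubkey(line: str):
    """Return (type, base64_blob, comment) for one OpenSSH public-key line.

    Raises ValueError when the line is not a well-formed key of a supported
    type, or when the key body does not belong to the declared type (which
    is what a key mangled during copy-and-paste looks like)."""
    m = _KEY_RE.match(line.strip())
    if not m:
        raise ValueError("not an OpenSSH public key line")
    ktype, blob, comment = m.group(1), m.group(2), m.group(3) or ""
    if ktype not in KEY_TYPES:
        raise ValueError(f"unsupported key type {ktype!r}")
    raw = base64.b64decode(blob, validate=True)
    # The wire format begins with a length-prefixed string naming the type.
    n = int.from_bytes(raw[:4], "big")
    if raw[4:4 + n].decode("ascii", "replace") != ktype:
        raise ValueError("key blob does not match declared key type")
    return ktype, blob, comment


def is_valid_pubkey(line: str) -> bool:
    try:
        parse_pubkey(line)
        return True
    except ValueError:
        return False


def merge_authorized_keys(existing: str, pubkey_line: str,
                          from_ip: Optional[str] = None) -> str:
    """Return authorized_keys content with pubkey_line present exactly once.

    With from_ip, the new entry is restricted with OpenSSH's from= option so
    only the off-site source host can use it (an addition to the documented
    procedure, assumed here as a hardening measure)."""
    ktype, blob, comment = parse_pubkey(pubkey_line)
    for old in existing.splitlines():
        parts = old.split()
        # Entries may carry options before the type; match on type and blob.
        if ktype in parts and blob in parts:
            return existing
    entry = f"{ktype} {blob} {comment}".rstrip()
    if from_ip:
        entry = f'from="{from_ip}" {entry}'
    if existing and not existing.endswith("\n"):
        existing += "\n"
    return existing + entry + "\n"


def install_pubkey(pubkey_path: str, authorized_keys_path: str,
                   from_ip: Optional[str] = None) -> bool:
    """Append the key in pubkey_path to authorized_keys_path with the
    permissions sshd insists on (0700 directory, 0600 file).
    Returns True if the file content changed."""
    with open(pubkey_path) as f:
        pubkey_line = f.read().strip()
    ssh_dir = os.path.dirname(authorized_keys_path)
    if ssh_dir:
        os.makedirs(ssh_dir, mode=0o700, exist_ok=True)
        os.chmod(ssh_dir, stat.S_IRWXU)
    existing = ""
    if os.path.exists(authorized_keys_path):
        with open(authorized_keys_path) as f:
            existing = f.read()
    updated = merge_authorized_keys(existing, pubkey_line, from_ip)
    if updated != existing:
        with open(authorized_keys_path, "w") as f:
            f.write(updated)
    os.chmod(authorized_keys_path, stat.S_IRUSR | stat.S_IWUSR)
    return updated != existing


def constructed_pubkey(ktype: str = "ssh-ed25519",
                       comment: str = "offsite-source") -> str:
    """Constructed test data: a syntactically valid key line with a dummy
    all-zero key body. It is NOT a usable key."""
    blob = (len(ktype).to_bytes(4, "big") + ktype.encode()
            + (32).to_bytes(4, "big") + bytes(32))
    return f"{ktype} {base64.b64encode(blob).decode()} {comment}"


if __name__ == "__main__":
    # Typical use on the target host, after scp of id_rsa.pub from the source:
    # install_pubkey("/tmp/offsite_source_id_rsa.pub",
    #                "/root/.ssh/authorized_keys", from_ip="192.0.2.10")
    print(merge_authorized_keys("", constructed_pubkey(), from_ip="192.0.2.10"))
```

After the key is installed, confirm the tunnel can be established non-interactively from the off-site source host before deploying the configuration; a password prompt at that point means the key was not accepted.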

If you update your Event Collector configuration or the monitoring ports, you
must manually update your source and target configurations to maintain the
connection between deployments.

Procedure
1. On the Admin tab, click Deployment Editor.
2. In the Event Components pane, select Off-site Source or Off-site Target.
3. Type a unique name for the off-site source or off-site target. The name can be
up to 20 characters in length and can include underscores or hyphens. Click
Next.
4. Enter values for the parameters and click Finish.
The host name in the Enter a name for the off-site host field can contain a
maximum of 20 characters and can include underscore or hyphen characters.
If you select the Encrypt traffic from off-site source check box, you must
also select the encryption check box on the matching off-site component in
the other deployment.
5. Repeat for all remaining off-site sources and targets.
6. From the deployment editor menu, click File > Save to staging.
7. On the Admin tab menu, select Advanced > Deploy Full Configuration.

Renaming components
Rename a component in your view so that every component is uniquely identified
throughout your deployment.

Procedure
1. In the Event Components pane, select the component that you want to rename.
2. Click Actions > Rename Component.
3. Type a new name for the component.
The name must be alphanumeric with no special characters.
4. Click OK.

Chapter 9. Deployment editor 109


System view management
Use the System View page to select which components you want to run on each
managed host in your deployment.

Overview of the System View page
Use the System View page to manage all managed hosts in your network.

A managed host is a system in your network on which QRadar software is installed.
If you are using a QRadar appliance, the components for that appliance model are
displayed on the System View page. If your QRadar software is installed on your
own hardware, the System View page includes a Host Context component.

Use the System View page to do the following tasks:
v Add managed hosts to your deployment.
v Use NAT networks in your deployment.
v Update the managed host port configuration.
v Assign a component to a managed host.
v Configure host context.
v Configure an accumulator.

Software compatibility requirements for Console and non-Console hosts
You cannot add, assign, or configure components on a non-Console managed host
when the QRadar version is incompatible with the version on the Console. If a
managed host was previously assigned components and is running an
incompatible version, you can still view the components. However, you are not
able to update or delete the components.

Encryption
Encryption provides greater security for all traffic between managed hosts. To
provide enhanced security, QRadar also provides integrated support for OpenSSH.
When integrated with QRadar, OpenSSH provides secure communication between
components.

Encryption occurs between managed hosts in your deployment; therefore, your
deployment must consist of more than one managed host before encryption is
possible. Encryption is enabled by using SSH tunnels (port forwarding) that are
initiated from the client. A client is the system that initiates a connection in a
client/server relationship. When encryption is enabled for a managed host,
encryption tunnels are created for all client applications on that managed host.
Encryption tunnels provide protected access to the respective servers. If you enable
encryption on a non-Console managed host, encryption tunnels are automatically
created for databases and other support service connections to the Console.

When you enable encryption on a managed host, the SSH tunnel is created on the
client host. For example, the connection between the Event Processor and Event
Collector and the connection between the Event Processor and Magistrate are
encrypted. When you enable encryption on the QRadar Console, an encryption
tunnel is used when you search events by using the Offenses tab.

Tip: You can right-click a component to enable encryption between components.

Important: Enabling encryption reduces the performance of a managed host by at
least 50%.

Adding a managed host
Use the System View page of the deployment editor to add a managed host.

Before you begin

Ensure that you installed QRadar on the managed host.

If you want to enable Network Address Translation (NAT) for a managed host, the
network must use static NAT translation. For more information, see “NAT
management” on page 116.

If you want to add a NAT-enabled managed host to a Console that is not
configured to support NAT, you must disable NAT on the Console. For more
information, see “Changing the NAT status for a managed host” on page 117.

Procedure
1. Click Actions > Add a Managed Host.
2. Click Next.
3. Enter values for the parameters.
Use the following table to help you configure the parameters.
Table 38. Parameters for the managed host
Parameter Description
Host is NATed
Select the check box to use an existing Network Address Translation (NAT) on
this managed host.
Enable Encryption
Select the check box to create an SSH encryption tunnel for the host.
Compression check box
Select the check box to enable data compression between two managed hosts.

4. If you selected the Host is NATed check box, configure the parameters.
Table 39. Parameters for a NAT-enabled network
Parameter Description
Enter public IP of the server or appliance to add
The managed host uses this IP address to communicate with other managed hosts
in different networks by using NAT.
Select NATed network
If the managed host is on the same subnet as the Console, select the NAT-enabled
network that the Console belongs to. If the managed host is not on the same
subnet as the Console, select the NAT-enabled network that the managed host
belongs to.

5. Click Next.
6. Click Finish.
7. Deploy your changes.
Related concepts:

“NAT management” on page 116
Use the deployment editor to manage NAT-enabled deployments.

Editing a managed host
Use the System View page of the deployment editor to edit a managed host.

Before you begin

If you want to enable Network Address Translation (NAT) for a managed host, the
network must use static NAT translation. For more information, see “NAT
management” on page 116.

If you want to add a NAT-enabled managed host to a Console that is not
configured to support NAT, you must disable NAT on the Console. For more
information, see “Changing the NAT status for a managed host” on page 117.

Procedure
1. Click the System View tab.
2. Right-click the managed host that you want to edit and select Edit Managed
Host.
This option is available only when the selected component has a managed host
that is running a compatible version of QRadar.
3. Click Next.
4. Edit the parameter values, as necessary.
Use the following table to help you configure the parameters.
Table 40. Parameters for the managed host
Parameter Description
Host is NATed
Select the check box to use an existing Network Address Translation (NAT) on
this managed host.
Enable Encryption
Select the check box to create an SSH encryption tunnel for the host.
Compression check box
Select the check box to enable data compression between two managed hosts.

5. If you selected the Host is NATed check box, configure the parameters.
Table 41. Parameters for a NAT-enabled network
Parameter Description
Enter public IP of the server or appliance to add
The managed host uses this IP address to communicate with other managed hosts
in different networks by using NAT.
Select NATed network
If the managed host is on the same subnet as the Console, select the NAT-enabled
network that the Console belongs to. If the managed host is not on the same
subnet as the Console, select the NAT-enabled network that the managed host
belongs to.

6. Click Next.
7. Click Finish.

Removing a managed host
You can remove non-Console managed hosts from your deployment. You cannot
remove a managed host that hosts the QRadar Console.

Tip: The Remove host option is available only when the selected component has a
managed host that is running a compatible version of QRadar.

Procedure
1. Click the System View tab.
2. Right-click the managed host that you want to delete and select Remove host.
3. Click OK.
4. On the Admin tab menu, click Advanced > Deploy Full Configuration.

Configuring a managed host
Use the System View page of the deployment editor to configure a managed host.

Procedure
1. From the System View page, right-click the managed host that you want to
configure and click Configure.
2. Enter values for the parameters.
In the Ports to exclude field, use a comma to separate multiple ports.
3. Click Save.

Assigning a component to a host
Use the System View page to assign the QRadar components that you added in the
Event View page to the managed hosts in your deployment.

Tip: The list box displays only the managed hosts that are running a compatible
version of QRadar.

Procedure
1. Click the System View tab.
2. From the Managed Host list, select the managed host that you want to assign a
QRadar component to.
3. Select the component that you want to assign to a managed host.
4. From the menu, select Actions > Assign.
5. From the Select a host list box, select the host that you want to assign to this
component. Click Next.
6. Click Finish.

Configuring Host Context
Use the System View page of the deployment editor to configure the Host Context
component on a managed host.

The Host Context component monitors all QRadar components to make sure that
each component is operating as expected.

Procedure
1. In the deployment editor, click the System View tab.
2. Select the managed host that includes the host context you want to configure.
3. Select the Host Context component.
4. Click Actions > Configure.
5. Enter values for the parameters.
Table 42. Host Context parameters
Parameter Description
Warning Threshold
When the configured threshold of disk usage is exceeded, an email is sent to the
administrator that indicates the current state of disk usage. The default warning
threshold is 0.75. Therefore, when disk usage exceeds 75%, an email that indicates
that disk usage is exceeding 75% is sent. If disk usage continues to increase above
the configured threshold, a new email is sent after every 5% increase in usage. By
default, Host Context monitors the following partitions for disk usage:
v /
v /store
v /store/tmp
Note: Notification emails for all three thresholds are sent from the email address
that is specified in the Alert Email From Address parameter to the email address
specified in the Administrative Email Address parameter. These parameters are
configured on the System Settings window. For more information, see Chapter 5,
“Set up QRadar Log Manager,” on page 51.
Recovery Threshold
When the system exceeds the shutdown threshold, disk usage must fall below the
recovery threshold before processes are restarted. The default is 0.90. Therefore,
processes are not restarted until disk usage is below 90%.

Shutdown Threshold
When the system exceeds the shutdown threshold, all processes are stopped. An
email is sent to the administrator that indicates the current state of the system. The
default is 0.95; therefore, when disk usage exceeds 95%, all processes stop.
Inspection Interval (disk usage)
The frequency, in milliseconds, at which disk usage is checked.
Inspection Interval (SAR)
The frequency, in milliseconds, at which SAR output is inspected.
Alert Interval
The frequency, in milliseconds, at which you want to be notified that the threshold
was exceeded.
Time Resolution
The time, in seconds, that you want the SAR inspection to be engaged.
Inspection Interval (log files)
The frequency, in milliseconds, at which the log files are monitored.
Monitored SYSLOG File Name
The file name of the SYSLOG file to monitor.
Alert Size
The maximum number of lines that you want to monitor from the log file.

6. Click Save.
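
The three disk thresholds interact: the warning re-alerts in 5% steps, the shutdown stops all processes, and nothing restarts until usage drops below the recovery threshold, which sits below the shutdown threshold so that a partition hovering at 95% does not flap between stopped and running. The following is an added example, not IBM code, that models exactly that behaviour on a constructed series of readings so you can check what the defaults 0.75/0.90/0.95 do before you change them. The action strings stand in for the emails and process control that Host Context performs; the readings and partition names are constructed.

```python
"""Model of the Host Context disk-usage thresholds (added example, not IBM
code). Readings are constructed; actions are returned as strings instead of
sending email or stopping processes."""
from typing import Dict, List, Optional

DEFAULT_PARTITIONS = ("/", "/store", "/store/tmp")


class HostContextDiskMonitor:
    def __init__(self, warning: float = 0.75, recovery: float = 0.90,
                 shutdown: float = 0.95, realert_step: float = 0.05):
        if not (warning < recovery < shutdown):
            raise ValueError("expected warning < recovery < shutdown")
        # Work in whole percent so threshold comparisons are exact.
        self.warning = round(warning * 100)
        self.recovery = round(recovery * 100)
        self.shutdown = round(shutdown * 100)
        self.step = round(realert_step * 100)
        self.processes_stopped = False
        self._shutdown_partition: Optional[str] = None
        self._last_alert: Dict[str, Optional[int]] = {}

    def observe(self, partition: str, usage: float) -> List[str]:
        """Feed one reading (usage as a fraction, 0.0-1.0) for one partition
        and return the actions Host Context would take for it."""
        pct = round(usage * 100)
        actions: List[str] = []
        if self.processes_stopped:
            # Only the partition that caused the shutdown can end it, and
            # only once it is below the recovery threshold (hysteresis).
            if partition == self._shutdown_partition and pct < self.recovery:
                self.processes_stopped = False
                self._shutdown_partition = None
                self._last_alert[partition] = None
                actions.append(f"restart processes ({partition} at {pct}%)")
            return actions
        if pct > self.shutdown:
            self.processes_stopped = True
            self._shutdown_partition = partition
            actions.append(f"stop all processes, email admin ({partition} at {pct}%)")
            return actions
        if pct > self.warning:
            last = self._last_alert.get(partition)
            # First crossing, then again after every `step` percent of growth.
            if last is None or pct >= last + self.step:
                self._last_alert[partition] = pct
                actions.append(f"email admin: {partition} disk usage {pct}%")
        else:
            self._last_alert[partition] = None  # back under warning: re-arm
        return actions

    def run(self, readings) -> List[str]:
        """Process an iterable of (partition, usage) pairs."""
        out: List[str] = []
        for partition, usage in readings:
            out.extend(self.observe(partition, usage))
        return out


# Constructed series: /store fills up past shutdown, then drains.
SAMPLE_READINGS = [("/store", u) for u in (0.70, 0.76, 0.78, 0.81, 0.96, 0.92, 0.89)]

if __name__ == "__main__":
    for line in HostContextDiskMonitor().run(SAMPLE_READINGS):
        print(line)
```

Note that 0.78 produces no second email while 0.81 does: the re-alert is measured from the usage at the last email (76%), not from the warning threshold.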

Configuring an accumulator
Use the System View page of the deployment editor to configure the accumulator
component on a managed host.

The accumulator component assists with data collection and anomaly detection for
the Event Processor on a managed host. The accumulator component is responsible
for receiving streams of events from the local Event Processor, writing data to the
database, and running the anomaly detection engine (ADE).

Procedure
1. In the deployment editor, click the System View tab.
2. Select the managed host that you want to configure.
3. Select the accumulator component.
4. Click Actions > Configure.
5. Configure the parameters.

Table 43. Accumulator parameters
Parameter Description
Central Accumulator
Specifies whether the current component is a central accumulator. A central
accumulator exists only on a Console system.
Anomaly Detection Engine
The ADE is responsible for analyzing network data and forwarding the data to the
rule system for resolution. For the central accumulator, type the address and port
by using the following syntax: <Console>:<port>. For a non-central accumulator,
type the address and port by using the following syntax:
<non-Console IP Address>:<port>
Alerts DSM Address
The device support module (DSM) address that is used to forward alerts from the
accumulator. Use the following syntax: <DSM_IP address>:<DSM port number>

6. Click Save.

NAT management
Use the deployment editor to manage NAT-enabled deployments.

Network address translation (NAT) translates an IP address in one network to a
different IP address in another network. NAT hides the internal IP addresses of
your deployment from the other network, because requests are handled through
the translation process. NAT does not protect the traffic itself; use the encryption
option for that.

You can add a non-NAT-enabled managed host by using inbound NAT for a public
IP address. You can also use a dynamic IP address for outbound NAT. However, in
both cases the host must be on the same switch as the Console or managed host,
and you must configure the managed host to use the same IP address for the
public and private IP addresses.

When you add or edit a managed host, you can enable NAT for that managed
host. You can also use the deployment editor to manage your NAT-enabled
networks.

Adding a NAT-enabled network to QRadar
Use the deployment editor to add a NAT-enabled network to your QRadar
deployment.

Before you begin

Ensure that you set up your NAT-enabled networks by using static NAT
translation. This setup ensures that managed hosts in different NAT-enabled
networks can communicate with each other.

Procedure
1. In the deployment editor, click the NATed Networks icon.
2. Click Add.
3. Type a name for a network you want to use for NAT.
4. Click OK.
The Manage NATed Networks window is displayed, including the added
NAT-enabled network.
5. Click OK.
6. Click Yes.

Editing a NAT-enabled network
Using the deployment editor, you can edit a NAT-enabled network.

Procedure
1. In the deployment editor, click the NATed Networks icon.
2. Select the NAT-enabled network that you want to edit, and click Edit.
3. Type a new name for the NAT-enabled network and click OK.
The Manage NATed Networks window shows the updated NAT-enabled
networks.
4. Click OK.
5. Click Yes.

Deleting a NAT-enabled network from QRadar
Use the deployment editor to delete a NAT-enabled network from your
deployment.

Procedure
1. In the deployment editor, click the NATed Networks icon.
2. Select the NAT-enabled network you want to delete.
3. Click Delete.
4. Click OK.
5. Click Yes.

Changing the NAT status for a managed host
Use the deployment editor to change the NAT status of a managed host in your
deployment.

Before you begin

If you want to enable NAT for a managed host, the NAT-enabled network must be
using static NAT translation.

To change the NAT status of a managed host, update the managed host
configuration within QRadar before you update the network device. Updating the
QRadar configuration first keeps the host reachable so that you can still deploy
changes to it.

Procedure
1. In the deployment editor, click the System View tab.
2. Right-click the managed host that you want to edit and select Edit Managed
Host.
3. Click Next.
4. Choose one of the following options:
v If you want to enable NAT for the managed host, select the Host is NATed
check box and click Next.
v If you want to disable NAT for the managed host, clear the Host is NATed
check box.

Important: When you change the NAT status for an existing managed host,
error messages might be displayed. Ignore these error messages.
5. If you enabled NAT, select a NAT-enabled network, and enter values for the
parameters:
Table 44.
Parameter Description
Change public IP of the server or appliance to add
The managed host uses this IP address to communicate with another managed host
that belongs to a different network by using NAT.
Select NATed network
Update the NAT-enabled network configuration.
Manage NATs List
Network address translation (NAT) translates an IP address in one network to a
different IP address in another network. NAT provides increased security for your
deployment because requests are managed through the translation process, which
hides internal IP addresses. For more information, see “NAT management” on
page 116.

6. Click Next.
7. Click Finish.
8. Update the configuration for the device (firewall) to which the managed host is
communicating.
9. On the Admin tab menu, click Advanced > Deploy Full Configuration.

Component configuration
Use the deployment editor to configure each component in your deployment.

Configuring an Event Collector
Use the deployment editor to configure an Event Collector.

Procedure
1. From either the Event View or System View page, select the Event Collector
that you want to configure.
2. Click Actions > Configure.
3. Enter values for the following parameters:

Parameter Description
Destination Event Processor
Specifies the Event Processor component
that is connected to this Event Collector. The
connection is displayed in the following
format: <Host IP Address>:<Port>.
Event Forwarding Listen Port The Event Collector event forwarding port.

4. On the toolbar, click Advanced to display the advanced parameters.
5. Configure the advanced parameters, as necessary.
Table 45. Event Collector advanced parameters
Parameter Description
Primary Collector
True specifies that the Event Collector is on a Console system. False specifies that
the Event Collector is on a non-Console system.
Autodetection Enabled
Yes enables the Event Collector to automatically analyze and accept traffic from
previously unknown log sources. The appropriate firewall ports are opened to
enable Autodetection to receive events. This option is the default. No prevents the
Event Collector from automatically analyzing and accepting traffic from previously
unknown log sources. Because autodetection opens ports and accepts events from
senders that you have not configured, consider setting it to No on collectors that
are reachable from networks you do not control. For more information, see the
Managing Log Sources Guide.
Forward Events Already Seen
True enables the Event Collector to forward events that were already detected on
the system. False prevents the Event Collector from forwarding events that were
already detected on the system, which prevents event looping between
deployments.

6. Click Save.
7. Repeat for all Event Collectors in your deployment you want to configure.
Related concepts:
“QRadar components” on page 105
QRadar deployments consist of multiple components.

Configuring an Event Processor
Use the deployment editor to configure an Event Processor.

Procedure
1. From either the Event View or System View page, select the Event Processor
that you want to configure.
2. Click Actions > Configure.
3. Enter values for the parameters:

Table 46. Parameter values for the Event Processor
Parameter Description
Event Collector Connections Listen Port The port that the Event Processor monitors
for incoming Event Collector connections.
The default value is port 32005.
Event Processor Connections Listen Port The port that the Event Processor monitors
for incoming Event Processor connections.

The default value is port 32007.

4. On the toolbar, click Advanced to display the advanced parameters.
5. Enter values for the parameters, as necessary.
Table 47. Event Processor advanced parameters
Parameter Description
Test Rules
The test rules list is available only for non-Console Event Processors. If a rule is
configured to test locally, the Globally option does not override the rule setting.
If you select Locally, rules are tested on the Event Processor and not shared with
the system. If you select Globally, individual rules for every Event Processor are
shared and tested system wide. Each rule can be toggled to Global for detection by
any Event Processor on the system.
For example, you can create a rule to alert you when there are five failed login
attempts within 5 minutes. When the Event Processor that contains the local rule
observes five failed login attempts, the rule generates a response. If the rule in the
example is set to Global, the rule generates a response when five failed login
attempts within 5 minutes are detected across any Event Processors, including the
case where one failed login attempt arrives at each of five Event Processors.
Testing rules globally is the default for non-Console Event Processors, with each
rule on the Event Processor set to test locally.
Overflow Event Routing Threshold
Type the events-per-second threshold that the Event Processor can manage. Events
over this threshold are placed in the cache.
Events database path
Type the location where you want to store events. The default is
/store/ariel/events.
Payloads database path
Type the location where you want to store payload information. The default is
/store/ariel/payloads.

6. Click Save.
7. Repeat for all Event Processors in your deployment you want to configure.
Related concepts:
“QRadar components” on page 105
QRadar deployments consist of multiple components.
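
The difference between local and global rule testing is easiest to see on a concrete event stream. The following is an added example, not IBM code and not how the QRadar rule engine is implemented, that evaluates the "five failed logins within 5 minutes" rule from the table in both scopes over a constructed stream: five attempts that all reach one Event Processor, and five attempts spread one per Event Processor. The second case is what a distributed brute-force attempt looks like when log sources are split across collectors, and only the global scope catches it. Event fields, processor names and timestamps are constructed.

```python
"""Local versus global evaluation of a threshold rule across Event
Processors (added example, not IBM code). Events are constructed."""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Event:
    ts: int            # seconds since an arbitrary epoch (constructed)
    processor: str     # Event Processor that received the event, e.g. "ep1"
    username: str
    failed_login: bool


class FailedLoginRule:
    """Fire when `threshold` failed logins for one user fall inside
    `window_s` seconds. In local scope each Event Processor keeps its own
    count; in global scope the count is shared across all of them."""

    def __init__(self, threshold: int = 5, window_s: int = 300,
                 scope: str = "global"):
        if scope not in ("local", "global"):
            raise ValueError("scope must be 'local' or 'global'")
        self.threshold, self.window_s, self.scope = threshold, window_s, scope
        self._hits: Dict[Tuple[str, ...], Deque[int]] = defaultdict(deque)

    def _key(self, ev: Event) -> Tuple[str, ...]:
        # Local scope partitions the count by the processor that saw the event.
        return (ev.username,) if self.scope == "global" else (ev.processor, ev.username)

    def process(self, ev: Event) -> Optional[str]:
        """Return a response string if the rule fires on this event."""
        if not ev.failed_login:
            return None
        q = self._hits[self._key(ev)]
        q.append(ev.ts)
        while q and q[0] < ev.ts - self.window_s:   # slide the window
            q.popleft()
        if len(q) >= self.threshold:
            q.clear()  # respond once per threshold crossing
            return (f"{self.scope}: {ev.username} had {self.threshold} "
                    f"failed logins within {self.window_s}s")
        return None


def run(rule: FailedLoginRule, events: List[Event]) -> List[str]:
    return [r for r in (rule.process(e) for e in events) if r]


# Constructed streams. DISTRIBUTED: one failure per processor, five processors.
DISTRIBUTED = [Event(10 * i, f"ep{i}", "admin", True) for i in range(1, 6)]
# SINGLE_EP: all five failures reach the same processor.
SINGLE_EP = [Event(10 * i, "ep1", "admin", True) for i in range(1, 6)]
# SPREAD: five failures on one processor, but 100s apart (outside the window).
SPREAD = [Event(100 * i, "ep1", "admin", True) for i in range(5)]

if __name__ == "__main__":
    for scope in ("local", "global"):
        print(scope, "distributed ->", run(FailedLoginRule(scope=scope), DISTRIBUTED))
        print(scope, "single EP   ->", run(FailedLoginRule(scope=scope), SINGLE_EP))
```

The trade-off the table describes follows from the key: a local rule costs nothing beyond the processor that holds it, a global rule requires the counts to be shared and so is the one to choose for rules whose evidence may be split across collectors.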

Configuring the Magistrate
Use the deployment editor to configure a Magistrate component.

Procedure
1. From either the Event View or System View page, select the Magistrate that
you want to configure.
2. Click Actions > Configure.
3. On the toolbar, click Advanced to display the advanced parameters.
4. In the Overflow Routing Threshold field, type the events-per-second threshold
that the Magistrate can manage.
Events over this threshold are placed in the cache.
The default is 20,000.
5. Click Save.
Related concepts:
“QRadar components” on page 105
QRadar deployments consist of multiple components.

Configuring an off-site source
Use the deployment editor to configure an off-site source.

About this task

To prevent connection errors, when you configure off-site source and target
components, deploy the QRadar Console with the off-site source first. Then deploy
the QRadar Console with the off-site target.

Procedure
1. From either the Event View or System View page, select the off-site source
that you want to configure.
2. Click Actions > Configure.
3. Enter the parameter values.

Parameter Description
Receive Events
True enables the system to receive events from the off-site source host. False
prevents the system from receiving events from the off-site source host.

4. Click Save.
5. Repeat for all off-site sources in your deployment you want to configure.
Related concepts:
“QRadar components” on page 105
QRadar deployments consist of multiple components.

Configuring an off-site target
Use the deployment editor to configure an off-site target.

About this task

To prevent connection errors, when you configure off-site source and target
components, deploy the QRadar Console with the off-site source first. Then, deploy
the QRadar Console with the off-site target.

Procedure
1. From either the Event View or System View page, select the off-site target
that you want to configure.
2. Click Actions > Configure.
3. Enter values for the parameters:

Parameter Description
Event Collector Listen Port
The Event Collector listen port for receiving event data. The default port for
events is 32004.

4. Click Save.
Related concepts:
“QRadar components” on page 105
QRadar deployments consist of multiple components.

Chapter 10. Data forwarding
You can configure IBM Security QRadar systems to forward data to one or more
vendor systems, such as ticketing or alerting systems.

Forwarding Destinations

You can forward raw event data that is received from log sources to one or more
vendor systems. In the user interface, these vendor systems are called forwarding
destinations. You can also forward normalized data to other QRadar systems.
QRadar ensures that all forwarded data is unaltered.

Configuration process for forwarding data

To configure forwarding, use the following steps:
1. Configure one or more forwarding destinations.
2. To determine what data you want to forward, configure routing rules, custom
rules, or both .
3. Configure the routing options to apply to the data.

For example, you can configure all data from a specific event collector to forward
to a specific ticketing system. You can also choose from various routing options
such as removing the data that matches a routing rule and thereby bypassing
correlation.

Adding forwarding destinations
Before you can configure bulk or selective data forwarding, you must add
forwarding destinations.

Procedure
1. Click the Admin tab.
2. In the navigation pane, click System Configuration.
3. Click the Forwarding Destinations icon.
4. On the toolbar, click Add.
5. In the Forwarding Destinations window, enter values for the parameters.
The following table describes some of the Forwarding Destinations parameters.
Table 48. Forwarding Destinations parameters
Parameter Description
Event Format
v Payload is the data in the format that the log source sent.
v Normalized is raw data that is parsed and prepared as readable information for
the user interface.
Destination Address
The IP address or host name of the vendor system that you want to forward data
to.

© Copyright IBM Corp. 2007, 2013 123


Protocol
v TCP
To send normalized data by using the TCP protocol, you must create an off-site
source at the destination address on port 32004. For more information about
creating off-site sources, see Chapter 9, “Deployment editor,” on page 103.
v UDP
Prefix a syslog header if it is missing or invalid
If a valid syslog header is not detected on the original syslog message, select this
check box. The prefixed syslog header includes the QRadar appliance host IP
address in the Hostname field of the syslog header. If this check box is not
selected, the data is sent unmodified. When QRadar forwards syslog messages,
the outbound message is verified to ensure that it has a valid syslog header.

6. Click Save.
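
The "prefix a syslog header" option matters because a downstream collector that receives a line without a header will attribute it to the QRadar host or discard it. The following is an added example, not IBM code, of the check that option implies: it tests whether a message carries a well-formed RFC 3164 or RFC 5424 header and, when it does not, prepends an RFC 3164 header whose hostname field is the forwarding appliance's IP address, as the table states. The documentation does not define "valid", so accepting those two header forms, and the PRI value 13 (facility user, severity notice) used for the prefixed header, are assumptions of this example; the sample messages and the fixed clock are constructed.

```python
"""Syslog header validation and prefixing, modelled on the forwarding
destination option (added example, not IBM code). The accepted header forms
and the PRI used for the prefix are assumptions; samples are constructed."""
import re
from datetime import datetime

MONTHS = "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split()
# RFC 3164: <PRI>Mmm dd hh:mm:ss HOSTNAME ...  (day of month is space-padded)
_RFC3164 = re.compile(
    r"^<(\d{1,3})>([A-Z][a-z]{2}) ([ 0-3]\d) (\d\d):(\d\d):(\d\d) (\S+) ")
# RFC 5424: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID ...
_RFC5424 = re.compile(r"^<(\d{1,3})>1 (\S+) (\S+) (\S+) (\S+) (\S+) ")

DEFAULT_PRI = 13  # user.notice; assumption for the prefixed header
# Constructed fixed clock so the prefixed output is reproducible.
SAMPLE_NOW = datetime(2013, 10, 5, 14, 3, 9)


def has_valid_syslog_header(msg: str) -> bool:
    """True if msg starts with a well-formed RFC 3164 or RFC 5424 header
    (PRI in 0..191, plausible timestamp, non-empty hostname)."""
    m = _RFC3164.match(msg)
    if m:
        pri, mon = int(m.group(1)), m.group(2)
        day, hh, mm, ss = (int(m.group(i)) for i in (3, 4, 5, 6))
        return (pri <= 191 and mon in MONTHS and 1 <= day <= 31
                and hh < 24 and mm < 60 and ss < 60)
    m = _RFC5424.match(msg)
    return bool(m) and int(m.group(1)) <= 191


def prefix_syslog_header(msg: str, appliance_ip: str,
                         now: datetime = None, pri: int = DEFAULT_PRI) -> str:
    """Return msg unchanged if it already has a valid header; otherwise
    prepend an RFC 3164 header with appliance_ip in the HOSTNAME field."""
    if has_valid_syslog_header(msg):
        return msg
    now = now or datetime.now()
    stamp = f"{MONTHS[now.month - 1]} {now.day:2d} {now:%H:%M:%S}"
    return f"<{pri}>{stamp} {appliance_ip} {msg}"


# Constructed sample messages.
SAMPLE_VALID_3164 = "<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick"
SAMPLE_VALID_5424 = "<165>1 2013-10-05T14:03:09Z host app 1234 ID47 - boot done"
SAMPLE_NO_HEADER = "su: 'su root' failed for lonvick on /dev/pts/8"

if __name__ == "__main__":
    for msg in (SAMPLE_VALID_3164, SAMPLE_VALID_5424, SAMPLE_NO_HEADER):
        print(prefix_syslog_header(msg, "192.0.2.10", now=SAMPLE_NOW))
```

Because the prefixed hostname is the appliance's IP rather than the original sender, a destination that keys on hostname will see all such events as coming from QRadar; keep the original sender in the payload (or use Normalized format) if that distinction matters downstream.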

Viewing and managing forwarding destinations
Use the Forwarding Destination window to view, edit, and delete forwarding
destinations.

Procedure
1. Click the Admin tab.
2. In the navigation pane, click System Configuration.
3. Click the Forwarding Destinations icon.
Statistics for the data that is sent to each forwarding destination are displayed.
For example, you can see the following information:
v The total number of events that were seen for this forwarding destination.
v The number of events that were sent to this forwarding destination.
v The number of events that were dropped before the forwarding destination
was reached.
4. On the toolbar, click an action, as described in the following table.
Table 49. Description of the Forwarding Destination toolbar actions
Action Description
Reset Counters Resets the counters for the Seen, Sent, and
Dropped parameters to zero, and the
counters start accumulating again.
Tip: You can reset the counters to provide a
more targeted view of the performance of
your forwarding destinations.
Edit Changes the configured name, format, IP
address, port, or protocol.

Delete Deletes a forwarding destination.
If the forwarding destination is associated with any active rules, you must confirm
that you want to delete the forwarding destination.

Configuring routing rules for bulk forwarding
After you add one or more forwarding destinations, you can create filter-based
routing rules to forward large quantities of data.

About this task

You can configure routing rules to forward data in either online or offline mode:
v In Online mode, your data remains current because forwarding is performed in
real time. If the forwarding destination becomes unreachable, data can
potentially be lost.
v In Offline mode, all data is stored in the database and then sent to the
forwarding destination. This assures that no data is lost, however, there might be
delays in data forwarding.

The following table describes some of the Routing Rules parameters.

Table 50. Routing Rules window parameters
Parameter Description
Forwarding Event Collector
This option is displayed when you select the Online option. Specifies the Event
Collector from which you want this routing rule to process data.
Forwarding Event Processor
This option is displayed when you select the Offline option. Specifies the Event
Processor from which you want this routing rule to process data.
Restriction: This option is not available if Drop is selected from the Routing
Options pane.

Routing Options
v The Forward option specifies that data is forwarded to the specified forwarding
destination. Data is also stored in the database and processed by the Custom
Rules Engine (CRE).
v The Drop option specifies that data is not stored in the database, is not
processed by the CRE, and is not forwarded to a forwarding destination. This
option is not available if you select the Offline option.
v The Bypass Correlation option specifies that data is stored in the database but
is not processed by the CRE. This option is not available if you select the
Offline option.

You can combine two options:
v Forward and Drop
Data is forwarded to the specified forwarding destination. Data is not stored in
the database and is not processed by the CRE.
v Forward and Bypass Correlation
Data is forwarded to the specified forwarding destination. Data is also stored in
the database, but it is not processed by the CRE. The CRE at the forwarding
destination processes the data.

If data matches multiple rules, the safest routing option is applied. For example,
if data matches a rule that is configured to drop and a rule that is configured to
bypass CRE processing, the data is not dropped. Instead, the data bypasses the
CRE and is stored in the database.

All events are counted against the EPS license.

Procedure
1. Click the Admin tab.
2. In the navigation pane, click System Configuration.
3. Click the Routing Rules icon.
4. On the toolbar, click Add.
5. In the Routing Rules window, enter values for the parameters.
a. Type a name and description for your routing rule.
b. From the Mode field, select one of the following options: Online or Offline.
c. From the Forwarding Event Collector or Forwarding Event Processor list,
select the event collector from which you want to forward data.

d. To forward all incoming data, select the Match All Incoming Events check
box.

Restriction: If you select this check box, you cannot add a filter.
e. To add a filter, in the Event Filters section, select a filter from the first list
and an operand from the second list.
f. In the text box, type the value that you want to filter for, and then click Add
Filter.
g. Repeat the previous two steps for each filter that you want to add.
h. To forward log data that matches the current filters, select the Forward
check box, and then select the check box for each preferred forwarding
destination.

Restriction: If you select the Forward check box, you can also select either
the Drop or the Bypass Correlation check box, but not both.
If you want to edit, add, or delete a forwarding destination, click the
Manage Destinations link.
6. Click Save.

Viewing and managing routing rules


The Event Routing Rules window provides valuable information about your
routing rules. You can view or manage configured filters and actions when data
matches each rule.

Use the Event Routing Rules window to edit, enable, disable, or delete a rule. You
can edit a routing rule to change the configured name, Event Collector, filters, or
routing options.

Procedure
1. Click the Admin tab.
2. On the navigation menu, click System Configuration.
3. Click the Routing Rules icon.
4. Select the routing rule that you want to manage.
5. To edit the routing rule, on the toolbar, click Edit and update the parameters.
6. To remove the routing rule, on the toolbar, click Delete.
7. To enable or disable the routing rule, on the toolbar, click Enable/Disable.
If you enable a routing rule that is configured to drop events, a confirmation
message is displayed.

Configuring selective forwarding


Use the Custom Rule wizard to configure highly selective event data forwarding.
Configure rules that forward event data to one or more forwarding destinations as
a rule response.

About this task

The criteria that determine which event data is sent to a forwarding
destination are based on the tests and building blocks that are included in
the rule. When the rule is configured and enabled, all event data that matches
the rule tests is automatically sent to the specified forwarding destinations.
For more information about how to edit or add a rule, see the User Guide for
your product.

Procedure
1. Click the tab.
2. From the Rules menu, select Rules.
3. Edit or add a rule. On the Rule Response page in the Rule wizard, ensure that
you select the Send to Forwarding Destinations option.

Chapter 11. Event store and forward
Use the Store and Forward feature to manage schedules for forwarding events
from your dedicated Event Collector appliances to Event Processor components in
your deployment.

The Store and Forward feature is supported on the Event Collector 1501 and Event
Collector 1590. For more information about these appliances, see the QRadar
Hardware Guide.

A dedicated Event Collector does not process events and it does not include an
on-board Event Processor. By default, a dedicated Event Collector continuously
forwards events to an Event Processor that you must connect by using the
Deployment Editor. Use the Store and Forward feature to schedule a time range
for when you want the Event Collector to forward events. During the time when
events are not forwarding, the events are stored locally on the appliance. The
events are not accessible in the QRadar Console user interface.

Use the scheduling feature to store events during your business hours. Forward
the events to an Event Processor when the transmission does not negatively affect
your network bandwidth. For example, you can configure an Event Collector to
forward events to an Event Processor during non-business hours.

Viewing the Store and Forward schedule list


Use the Store and Forward window to see a list of schedules. The schedules
include statistics that help you evaluate the status, performance, and progress of
your schedules.

Before you begin

You must create a schedule. By default, the first time that you access the Store and
Forward window, no schedules are listed.

About this task

You can use options on the toolbar and the Display list box to change your view
of the schedule list. Change your view of the list to focus on the statistics from
various points of view. For example, if you want to view the statistics for a
particular Event Collector, you can select Event Collectors from the Display list.
The list then groups by the Event Collector column and makes it easier for you to
locate the Event Collector that you want to investigate.

By default, the Store and Forward list is configured to display the list that is
organized by the schedule (Display > Schedules).

Procedure
1. Click the Admin tab.
2. On the navigation menu, click System Configuration.
3. Click the Store and Forward icon.
4. In the Store and Forward window, view the parameters for each schedule.

The following table describes some of the parameters for the schedule.

Table 51. Store and Forward window parameters

Display
    The Schedules option shows a hierarchy of the parent-child relationship
    between the schedules, Event Processors, and the associated Event
    Collectors.
    The Event Collectors option shows the lowest level in the hierarchy,
    which is a list of Event Collectors.
    The Event Processors option shows a hierarchy of the parent-child
    relationship between the Event Processors and the associated Event
    Collectors.
Name
    For the Schedules option, the Name column is displayed in the following
    format:
    v First Level represents the name of the schedule.
    v Second Level represents the name of the Event Processor.
    v Third Level represents the name of the Event Collector.
    For the Event Processors option, the column is displayed in the
    following format:
    v First Level represents the name of the Event Processor.
    v Second Level represents the name of the Event Collector.
    Tip: You can use the plus symbol (+) and minus symbol (-) beside the
    name, or the options on the toolbar, to expand and collapse the
    hierarchy tree.
Schedule Name
    Displays the name of the schedule for the Event Collectors or Event
    Processors options.
    If an Event Processor is associated with more than one schedule, the
    Schedule Name shows Multiple n, where n is the number of schedules.
    Tip: Click the plus symbol (+) to view the associated schedules.
Last Status
    Displays the status of the Store and Forward process:
    v Forwarding indicates that event forwarding is in progress.
    v Forward Complete indicates that event forwarding is successfully
      completed and events are stored locally on the Event Collector. The
      stored events are forwarded when the schedule indicates that
      forwarding can start again.
    v Warn indicates that the percentage of events that are remaining in
      storage exceeds the percentage of time that is remaining in the Store
      and Forward schedule.
    v Error indicates that event forwarding was stopped before all stored
      events were forwarded.
    v Inactive indicates that no Event Collectors are assigned to the
      schedule, or the assigned Event Collectors are not receiving any
      events.
    Tip: Move your mouse pointer over the Last Status column to view a
    summary of the status.
Forwarded Events
    Displays the number of events (in K, M, or G) forwarded in the current
    session.
    Tip: Move your mouse pointer over the value in the Forwarded Events
    column to view the number of events.
Remaining Events
    Displays the number of events (in K, M, or G) remaining to be forwarded
    in the current session.
    Tip: Move your mouse pointer over the value in the Remaining Events
    column to view the number of events.
Average Event Rate
    Displays the average rate at which events are forwarding from the Event
    Collector to the Event Processor.
    Tip: Move your mouse pointer over the value in the Average Event Rate
    column to view the average events per second (EPS).
Current Event Rate
    Displays the rate at which events are currently forwarding from the
    Event Collector to the Event Processor.
    Tip: Move your mouse pointer over the value in the Current Event Rate
    column to view the current events per second (EPS).
Transfer Rate Limit
    The transfer rate limit is configurable. It can be displayed in kilobits
    per second (kbps), megabits per second (Mbps), or gigabits per second
    (Gbps).

Creating a new Store and Forward schedule


Use the Store and Forward Schedule wizard to create a schedule that controls
when your Event Collector starts and stops forwarding data to an Event Processor.

You can create and manage multiple schedules to control event forwarding from
multiple Event Collectors in a geographically distributed deployment.

Before you begin

Ensure that your dedicated Event Collector is added to your deployment and
connected to an Event Processor. The connection between an Event Collector and
an Event Processor is configured in the Deployment Editor.

Procedure
1. Click the Admin tab.
2. On the navigation menu, click System Configuration.
3. Click the Store and Forward icon.
4. Click Actions > Create.
a. Click Next to move to the Select Collectors page.
b. On the Select Collectors page, configure the parameters.
If the Event Collector that you want to configure is not listed, it might not
be added to your deployment. If so, use the Deployment Editor to add the
Event Collector and then proceed.
c. On the Schedule Options page, configure the parameters.
To configure the forward transfer rate, the minimum transfer rate is 0. The
maximum transfer rate is 9,999,999. A value of 0 means that the transfer rate
is unlimited.
d. Finish the configuration.
You can now view the schedule in the Store and Forward window. After
you create a new schedule, it might take up to 10 minutes for statistics to
start displaying in the Store and Forward window.
Related concepts:
“Event view management” on page 105
Use the Event View page to create and manage the components for your
deployment.
Chapter 9, “Deployment editor,” on page 103
Use the deployment editor to manage the individual components of your QRadar.
After you configure your deployment, you can access and configure the individual
components of each managed host in your deployment.

Editing a Store and Forward schedule
You can edit a Store and Forward schedule to add or remove Event Collectors and
change the schedule parameters. After you edit a Store and Forward schedule, the
statistics that are displayed in the Store and Forward list are reset.

Procedure
1. Click the Admin tab.
2. On the navigation menu, click System Configuration.
3. Click the Store and Forward icon.
4. Select the schedule that you want to edit.
5. Click Actions > Edit.
You can also double-click a schedule for editing.
6. Click Next to move to the Select Collectors page.
7. On the Select Collectors page, edit the parameters.
8. Click Next to move to the Schedule Options page.
9. On the Schedule Options page, edit the scheduling parameters.
10. Click Next to move to the Summary page.
11. On the Summary page, confirm the options that you edited for this schedule.
After you edit a schedule, it might take up to 10 minutes for statistics to
update in the Store and Forward window.

Deleting a Store and Forward schedule


You can delete a Store and Forward schedule.

Procedure
1. On the navigation menu, click System Configuration.
2. Click the Store and Forward icon.
3. Select the schedule that you want to delete.
4. Click Actions > Delete.
After the schedule is deleted, the associated Event Collectors resume
continuous forwarding of events to their assigned Event Processor.

Chapter 12. Data obfuscation
To prevent unauthorized access to sensitive or user identifiable information, data
obfuscation encrypts sensitive event data.

Any information from the event payload, such as user name, card number, or host
name fields can be obfuscated. Use data obfuscation to help meet regulatory
commission requirements and corporate privacy policies.

To configure and manage obfuscated data, do the following tasks:


1. Generate an RSA private/public key pair.
The obfuscation process requires that you create a public and private key for
your QRadar SIEM Console.
Unauthorized users that attempt to query the Ariel database directly cannot
view sensitive data without using the public and private decryption key.
The public key remains on the QRadar Console and you must store the private
key in a secure location. The private key contains the decryption key that is
required for administrators to view the unobfuscated data.
The obfuscation_updater.sh script installs the public key on your system and
configures regular expression (regex) statements. The regex statements define
the parameters that you want masked.
2. Configure data obfuscation.
Data obfuscation encrypts new events as they are processed and normalized by
QRadar. The obfuscation process evaluates the obfuscation expression and
verifies that the raw event and normalized event contain the data that is
required to mask the data. The data that is defined in the obfuscation
expression is matched to the event data, encrypted, and then written to the
Ariel database.
The obfuscation_expressions.xml file specifies regular expression (regex)
statements that identify the data that you want to obfuscate. Any text within
an event that matches the regular expressions that are specified in the
obfuscation_expressions.xml file is encrypted in both the event payload and the
normalized fields.
3. When required, decrypt data obfuscation.
When suspicious activity occurs on your network, you can decrypt obfuscated
data so that you can investigate all data that is involved in the activity.
The obfuscation_decoder.sh script decrypts the specific encrypted value that
you want to investigate.

Data obfuscation overview


When data obfuscation is configured on a QRadar system, the encrypted version
of the data is displayed in the columns and parameters on the user interface.
Use a command-line interface (CLI) utility to decrypt the obfuscated data.

Data obfuscation occurs at the event level in your QRadar deployment. As events
are provided to the appliances in your deployment, the raw event is processed and
normalized. The obfuscation process evaluates the obfuscation expression and
verifies that the raw event and normalized event contain the data that is required
to complete the obfuscation. The data that is defined in the obfuscation expression
is then matched in the event and the data is encrypted before it is written to the
disk.

The obfuscated data from the event pipeline is written in the obfuscated format to
the Ariel database. Unauthorized users that attempt to query the database directly
cannot view sensitive data without the public and private decryption key.

The obfuscation process requires that you create a public and private key for your
Console. The public key remains on the Console and the private key must be
stored in a secure location. The private key contains the decryption key that is
required for administrators to view the unobfuscated data.

Data obfuscation encrypts new events as they are received by QRadar. Events in
the /store directory prior to enabling data obfuscation will remain in their current
state.

Any log source extensions that change the format of the event payload can cause
issues with data obfuscation.

User names and host name data that are part of the asset profile before your
upgrade to QRadar 7.2 might not display obfuscated data as expected. To
obfuscate asset profile data, you can use the Delete Listed option from the Assets
tab, which removes the unobfuscated hosts and user names. You can then run
vulnerability scans and wait for the asset data to repopulate. After a few days you
can run the Server Discovery tool to repopulate the data for building blocks on
your system.

To obfuscate data on a QRadar system, use the following utilities:


obfuscation_updater.sh
Use the obfuscation_updater.sh script to install the public key on your
system and configure regular expression (regex) statements to define what
parameters you want obfuscated.
obfuscation_expressions.xml
Use the obfuscation_expressions.xml file to specify regular expression
(regex) statements that identify the data you want to obfuscate. Any text
within an event that matches the regular expressions that are specified in
the obfuscation_expressions.xml is encrypted. Data is encrypted, both in
the event payload and in any normalized fields.
obfuscation_decoder.sh
When you need to investigate the unencrypted version of the data, you
must use the obfuscation_decoder.sh utility to decrypt the specific
encrypted value you want to investigate.

To configure and manage obfuscated data, perform the following tasks:


1. Generate an RSA private/public key pair. See “Generating a private/public key
pair.”
2. Configure data obfuscation. See “Configuring data obfuscation” on page 138.
3. When required, decrypt data obfuscation. See “Decrypting obfuscated data” on
page 140.

Generating a private/public key pair


Data obfuscation and decryption requires an RSA private/public key pair.

Procedure
1. Using SSH, log in to your QRadar Console as the root user.
2. To generate an RSA private key, type the following command:
openssl genrsa [-out filename] [numbits]
The following table describes the command options.
Table 52. Command options for generating the RSA private key
[-out filename]
    The file name of the RSA private key file.
[numbits]
    Specifies the size, in bits, of the private key. The default size is
    512.

Example: The following command generates a private key named mykey.pem. The
size of the private key is 512 bits.

openssl genrsa -out mykey.pem 512



3. To format the private key, type the following command:
openssl pkcs8 [-topk8] [-inform PEM] [-outform PEM] [-in filename] [-out
filename] [-nocrypt]
The following table describes the command options.
Table 53. Options to format the private key
[-topk8]
    Reads a traditional format private key and writes the private key in
    PKCS #8 format.
[-inform]
    The input format of the private key as Privacy Enhanced Mail (.PEM).
    Example: -inform PEM
[-outform]
    The format of the private key output as .PEM.
    Example: -outform PEM
[-in filename]
    The file name for the private key.
[-out filename]
    The output file name.
[-nocrypt]
    Specifies that the private key uses the unencrypted PrivateKeyInfo
    format.

Example: The following command reads the private key mykey.pem in PEM format
and writes it in PKCS #8 format to private_key.pem, in PEM format and
unencrypted.

openssl pkcs8 -topk8 -inform PEM -outform PEM -in mykey.pem -out private_key.pem -nocrypt
4. To generate the RSA public key, type the following command:
openssl rsa [-in filename] [-pubout] [-outform DER] [-out filename]
The following table describes the command options.
Table 54. Command options for generating the public key
[-in filename]
    Specifies the input file name.
[-pubout]
    Generates a public key.
[-outform DER]
    The type of the public key file as DER Encoded X509 Certificate file
    (.DER).
[-out filename]
    The public key file name.

Example: After the following command runs, these key files exist on the
system:
v mykey.pem
v private_key.pem
v public_key.der

openssl rsa -in mykey.pem -pubout -outform DER -out public_key.der
5. Delete the mykey.pem file from your system.
6. To install the public key, type the following command:
obfuscation_updater.sh [-k filename]
[-k filename] specifies the file name for the public key file that you want to
install.

Example: The following command installs the public key named public_key.der.

obfuscation_updater.sh -k public_key.der

Restriction: Only one public key can be installed for each system. After you
install a public key, the key cannot be overwritten.
After you install the public key on your QRadar Console, the QRadar Console
ensures that the managed hosts obfuscate the data to match your obfuscation
expression patterns.

What to do next

To avoid unauthorized access to the obfuscated data, remove the private key file
from your system. Store it in a secure location and create a backup of the private
key. Follow local regulations for storage of the private key.

Configuring data obfuscation


Use the obfuscation_updater.sh script to set up and configure data obfuscation.

Restriction: Events that are in the /store directory before you enable data
obfuscation remain in their current state.

Any log source extensions that change the format of the event payload can cause
issues with data obfuscation.

Procedure
1. Using SSH, log in to your QRadar Console as the root user.
2. To configure data obfuscation, type the following command. You can run the
obfuscation_updater.sh script from any directory on your QRadar Console.
obfuscation_updater.sh [-p filename] [-e filename]
[-p filename] specifies the private key input file name.
[-e filename] specifies the obfuscation expression XML input file name.

Example: The following command uses a file named private_key.pem as the
private key and a file named obfuscation_expressions.xml as the obfuscation
expression file.

obfuscation_updater.sh -p private_key.pem -e obfuscation_expressions.xml



3. Configure the attributes of the obfuscation_expressions.xml file.
The obfuscation_expressions.xml file defines the regular expressions that are
used to obfuscate data. You can add multiple regular expressions.
The following table describes the obfuscation_expressions.xml file attributes
that you can configure.
Table 55. Attributes of the obfuscation_expressions.xml file

<expression name>
    A unique name to identify the regular expression.
<regex>
    The regular expression that you want to use to extract the data for
    obfuscation.
<captureGroup>
    The capture group that is associated with the regular expression.
<deviceTypeId> (1)
    Identifies the Log Source type. Identifies the event and extracts the
    data to be obfuscated.
    Database table that contains the attribute value: sensordeviceType
<deviceId> (1)
    Identifies the Log Source. Identifies the event and extracts the data to
    be obfuscated.
    Database table that contains the attribute value: sensordevice
<qidId> (1)
    Identifies the Event name. Identifies the event and extracts the data to
    obfuscate.
    Database table that contains the attribute value: qidmap
<category> (1)
    Identifies the low-level Type Category of the Event. Identifies the
    event and extracts the data to be obfuscated.
<enabled>
    If true, enables the regular expression. If false, disables the regular
    expression.

(1) You can configure a value of -1 to disable this attribute.

Examples of data obfuscation
1. The following code shows an example of an event payload.
LEEF:1.0|VMware|EMC VMWare|5.1 Tue Oct 09 12:39:31 EDT 2012|jobEnable| usrName=john.smith [email protected] src=1.1.1.1
2. The following code shows an example of an obfuscation_expressions.xml file.
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ObfuscationExpressions>
<expression name="VMwareUsers">
<regex>user (\S+)</regex>
<deviceTypeId>-1</deviceTypeId>
<deviceId>-1</deviceId>
<qidId>-1</qidId>
<category>-1</category>
<enabled>true</enabled>
</expression>

<expression name="VMwarehosts">
<regex>ruser=(\S+)</regex>
<deviceTypeId>-1</deviceTypeId>
<deviceId>-1</deviceId>
<qidId>-1</qidId>
<category>-1</category>
<enabled>false</enabled>
</expression>
</ObfuscationExpressions>
3. The following examples show regular expressions that can parse user
names.
Table 56. Example regex patterns that can parse user names

Example regex pattern:
usrName=([0-9a-zA-Z]([-.\w]*[0-9a-zA-Z])*@([0-9a-zA-Z][-\w]*[0-9a-zA-Z]\.)+[a-zA-Z]{2,20})$
Matches: [email protected], [email protected], [email protected]

Example regex pattern:
usrName=(^([\w]+[^\W])([^\W]\.?)([\w]+[^\W]$))
Matches: john.smith, John.Smith, john, jon_smith

Example regex pattern:
usrName=^([a-zA-Z])[a-zA-Z_-]*[\w_-]*[\S]$|^([a-zA-Z])[0-9_-]*[\S]$|^[a-zA-Z]*[\S]$
Matches: johnsmith, Johnsmith123, john_smith123, john123_smith, john-smith

Example regex pattern:
usrName=(\S+)
Matches: any non-white space after the equal (=) sign. This greedy regular
expression can lead to system performance issues.

Example regex pattern:
msg=([0-9a-zA-Z]([-.\w]*[0-9a-zA-Z]))*@\b(([01]?\d?\d|2[0-4]\d|25[0-5])\.){3}([01]?\d?\d|2[0-4]\d|25[0-5])\b
Matches: users with IP address. Example: [email protected]

Example regex pattern:
src=\b(([01]?\d?\d|2[0-4]\d|25[0-5])\.){3}([01]?\d?\d|2[0-4]\d|25[0-5])\b
Matches: IP address formats.

Example regex pattern:
host=^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9])$
Matches: hostname.ibm.com, hostname.co.uk
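How the expression file selects and masks data, as an added example that is not QRadar's own code: it parses a constructed obfuscation_expressions.xml that uses the Table 55 attributes, applies only enabled expressions whose selectors are -1 or equal to the event's values, and replaces the capture group in a constructed LEEF payload. The function names, the sample deviceTypeId of 42, the event metadata and the SHA-256 token that stands in for the RSA encryption QRadar performs with the installed public key are all assumptions.

```python
import hashlib
import re
import xml.etree.ElementTree as ET

# Constructed expression file using the attributes listed in Table 55.
# deviceTypeId 42 is an invented sample value, not a real QRadar log source type.
EXPRESSIONS_XML = r"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ObfuscationExpressions>
  <expression name="VMwareUsers">
    <regex>usrName=(\S+)</regex>
    <captureGroup>1</captureGroup>
    <deviceTypeId>-1</deviceTypeId>
    <deviceId>-1</deviceId>
    <qidId>-1</qidId>
    <category>-1</category>
    <enabled>true</enabled>
  </expression>
  <expression name="SourceIP">
    <regex>src=(\b(?:(?:[01]?\d?\d|2[0-4]\d|25[0-5])\.){3}(?:[01]?\d?\d|2[0-4]\d|25[0-5])\b)</regex>
    <captureGroup>1</captureGroup>
    <deviceTypeId>42</deviceTypeId>
    <deviceId>-1</deviceId>
    <qidId>-1</qidId>
    <category>-1</category>
    <enabled>true</enabled>
  </expression>
  <expression name="VMwareHosts">
    <regex>host=(\S+)</regex>
    <captureGroup>1</captureGroup>
    <deviceTypeId>-1</deviceTypeId>
    <deviceId>-1</deviceId>
    <qidId>-1</qidId>
    <category>-1</category>
    <enabled>false</enabled>
  </expression>
</ObfuscationExpressions>
"""

# Selector attributes; a value of -1 disables the selector (note under Table 55).
SELECTOR_FIELDS = ("deviceTypeId", "deviceId", "qidId", "category")


def load_expressions(xml_text):
    """Parse the expression file into dicts with compiled regexes."""
    expressions = []
    for node in ET.fromstring(xml_text).findall("expression"):
        expr = {
            "name": node.get("name"),
            "regex": re.compile(node.findtext("regex")),
            # Assumption: captureGroup defaults to 1 when the element is absent.
            "captureGroup": int(node.findtext("captureGroup", "1")),
            "enabled": node.findtext("enabled", "false").strip().lower() == "true",
        }
        for field in SELECTOR_FIELDS:
            expr[field] = int(node.findtext(field, "-1"))
        expressions.append(expr)
    return expressions


def applies(expr, event_meta):
    """True when the expression is enabled and every selector is -1 or equals
    the event's value for that field."""
    return expr["enabled"] and all(
        expr[f] == -1 or expr[f] == event_meta.get(f) for f in SELECTOR_FIELDS)


def mask_value(value):
    """Stand-in for the RSA encryption QRadar applies with the installed public
    key: a deterministic, non-reversible token derived from the matched text."""
    return "OBF:" + hashlib.sha256(value.encode("utf-8")).hexdigest()[:16]


def obfuscate(payload, event_meta, expressions):
    """Return the masked payload and a list of (expression name, original value).
    Only the capture group is replaced, so the key (usrName=, src=) stays
    readable in the stored event."""
    hits = []
    for expr in expressions:
        if not applies(expr, event_meta):
            continue
        group = expr["captureGroup"]

        def replace(match, name=expr["name"], group=group):
            value = match.group(group)
            if value is None:
                return match.group(0)
            hits.append((name, value))
            whole = match.group(0)
            start = match.start(group) - match.start(0)
            end = match.end(group) - match.start(0)
            return whole[:start] + mask_value(value) + whole[end:]

        payload = expr["regex"].sub(replace, payload)
    return payload, hits


if __name__ == "__main__":
    # Constructed LEEF event modelled on the payload example in this chapter.
    event = "LEEF:1.0|VMware|EMC VMWare|5.1|jobEnable|usrName=john.smith src=1.1.1.1 host=esx01"
    print(obfuscate(event, {"deviceTypeId": 42}, load_expressions(EXPRESSIONS_XML)))
```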

Decrypting obfuscated data


When data obfuscation is configured on an IBM Security QRadar SIEM system, the
encrypted version of the data is displayed in the columns and parameters on the
user interface. Use the obfuscation_decoder.sh script to decrypt obfuscated data.

Procedure
1. Log in to the IBM Security QRadar SIEM user interface and copy the
obfuscated text that you want to decrypt.
2. Using SSH, log in to your QRadar Console as the root user.
User name: root
3. Create a directory and copy the public and private keys to this directory.
4. Go to the directory where the keys are located.
5. To decrypt the obfuscated text, type the following command:
obfuscation_decoder.sh -k publickey filename -p privatekey filename -d
<obfuscated_text>
The following table describes the obfuscation_decoder.sh options.
Table 57. Options for the obfuscation_decoder.sh script
Option Description
-k publickey filename The public key file name
-p privatekey filename The private key file name
-d obfuscated text The obfuscated text that you want to
decrypt

Example: The following command decrypts the masked data.

obfuscation_decoder.sh -k public_key.der -p private_key.pem -d obfuscated_text

Chapter 13. Audit logs
Changes that are made by QRadar users are recorded in the audit logs.

You can view the audit logs to monitor changes to QRadar and the users who
change settings.

All audit logs are stored in plain text and are archived and compressed when the
audit log file reaches 200 MB. The current log file is named audit.log. When the
file reaches 200 MB, the file is compressed and renamed to audit.1.gz,
audit.2.gz. The file number increments each time that a log file is archived.
QRadar stores up to 50 archived log files.

Viewing the audit log file


Use Secure Shell (SSH) to log in to your QRadar system and monitor changes to
your system.

About this task

You can use the Log Activity tab to view normalized audit log events.

The maximum size of any audit message, excluding date, time, and host name, is
1024 characters.

Each entry in the log file is displayed in the following format:

<date_time> <host name> <user>@<IP address> (thread ID) [<category>] [<sub-category>] [<action>] <payload>

The following table describes the parts of the log file format.

Table 58. Description of the parts of the log file format

date_time
    The date and time of the activity in the format: Month Date HH:MM:SS
host name
    The host name of the Console where this activity was logged.
user
    The name of the user who changed the settings.
IP address
    The IP address of the user who changed the settings.
thread ID
    The identifier of the Java thread that logged this activity.
category
    The high-level category of this activity.
sub-category
    The low-level category of this activity.
action
    The activity that occurred.
payload
    The complete record, which might include the user record or event rule,
    that changed.

Procedure
1. Using SSH, log in to QRadar as the root user:
2. User Name: root
3. Password: password
4. Go to the following directory:
/var/log/audit
5. Open and view the audit log file.
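The entry format documented above, parsed by an added example (not QRadar's own code) over constructed audit.log lines. The host name, the category, sub-category and action tokens, and the helper names are invented for illustration; the watch list shows one way to pull out the account, role and root login changes an administrator would review when monitoring changes to the system.

```python
import re
from collections import Counter

# Entry format documented in this chapter:
# <date_time> <host name> <user>@<IP address> (thread ID) [<category>]
# [<sub-category>] [<action>] <payload>
AUDIT_LINE = re.compile(
    r"^(?P<date_time>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<user>[^@\s]+)@(?P<ip>\S+) "
    r"\((?P<thread_id>[^)]*)\) "
    r"\[(?P<category>[^\]]*)\] "
    r"\[(?P<sub_category>[^\]]*)\] "
    r"\[(?P<action>[^\]]*)\]"
    r"(?: (?P<payload>.*))?$"
)

# Constructed sample entries (not from a real system); the host name and the
# category, sub-category and action tokens are invented for illustration.
SAMPLE_AUDIT_LOG = """\
Nov 14 09:15:02 qradar-console admin@10.0.0.5 (Thread-12) [Configuration] [UserAccount] [UserAccountAdded] user=jdoe role=All
Nov 14 09:16:40 qradar-console jdoe@10.0.0.9 (Thread-12) [Authentication] [User] [UserLogin] success
Nov 14 09:18:11 qradar-console root@10.0.0.5 (Thread-3) [Authentication] [Root] [RootLogin] ssh
Nov 14 09:20:55 qradar-console admin@10.0.0.5 (Thread-14) [Configuration] [UserRole] [UserRoleDeleted] role=Analyst
Nov 14 09:21:03 qradar-console admin@10.0.0.5 (Thread-14) [Configuration] [Rule] [RuleEdited] rule=Excessive Firewall Denies
this line is not in the documented audit format
"""


def parse_audit_line(line):
    """Return the fields of one entry as a dict, or None if the line does
    not follow the documented format."""
    match = AUDIT_LINE.match(line.rstrip("\n"))
    if not match:
        return None
    entry = match.groupdict()
    entry["payload"] = entry["payload"] or ""
    return entry


def parse_audit_log(text):
    """Parse every non-blank line; return (entries, unparsed_lines) so that
    lines outside the format are reported rather than silently dropped."""
    entries, unparsed = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        entry = parse_audit_line(line)
        if entry is None:
            unparsed.append(line)
        else:
            entries.append(entry)
    return entries, unparsed


# Sub-categories whose changes an administrator would normally review; these
# are the constructed tokens used in SAMPLE_AUDIT_LOG, not QRadar's own names.
WATCH_SUBCATEGORIES = {"UserAccount", "UserRole", "Root"}


def flag_entries(entries, watch=WATCH_SUBCATEGORIES):
    """Entries that touch a watched sub-category or that delete something."""
    return [e for e in entries
            if e["sub_category"] in watch or e["action"].endswith("Deleted")]


def actions_per_user(entries):
    """Count logged actions by user@IP, a quick way to spot an unexpected actor."""
    return Counter(f"{e['user']}@{e['ip']}" for e in entries)


if __name__ == "__main__":
    entries, unparsed = parse_audit_log(SAMPLE_AUDIT_LOG)
    for e in flag_entries(entries):
        print(e["date_time"], e["user"], e["ip"], e["category"], e["action"], e["payload"])
    print("unparsed lines:", unparsed)
    print(actions_per_user(entries))
```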

Logged actions
Understand the content of the QRadar audit log file in the /var/log/audit
directory. The audit log file contains logged actions.

The following list describes the categories of actions that are in the audit log file:
Administrator Authentication
v Log in to the Administration Console.
v Log out of the Administration Console.
Assets
v Delete an asset.
v Delete all assets.
Audit Log Access
A search that includes events that have a high-level event category of
Audit.
Backup and Recovery
v Edit the configuration.
v Initiate the backup.
v Complete the backup.
v Fail the backup.
v Delete the backup.
v Synchronize the backup.
v Cancel the backup.
v Initiate the restore.
v Upload a backup.
v Upload an invalid backup.
v Initiate the restore.
v Purge the backup.
Custom Properties
v Add a custom event property.
v Edit a custom event property.
v Delete a custom event property.
Chart Configuration
Save flow or event chart configuration.
Custom Property Expressions
v Add a custom event property expression.
v Edit a custom event property expression.

v Delete a custom event property expression.
Retention Buckets
v Add a bucket.
v Delete a bucket.
v Edit a bucket.
v Enable or disable a bucket.
Groups
v Add a group.
v Delete a group.
v Edit a group.
High Availability
v Add a license key.
v Revert a license.
v Delete a license key.
Log Source Extension
v Add a log source extension.
v Edit the log source extension.
v Delete a log source extension.
v Upload a log source extension.
v Upload a log source extension successfully.
v Upload an invalid log source extension.
v Download a log source extension.
v Report a log source extension.
v Modify a log source's association to a device or device type.
Protocol Configuration
v Add a protocol configuration.
v Delete a protocol configuration.
v Edit a protocol configuration.
QIDmap
v Add a QID map entry.
v Edit a QID map entry.
QRadar Vulnerability Manager
v Create a scanner schedule.
v Update a scanner schedule.
v Delete a scanner schedule.
v Start a scanner schedule.
v Pause a scanner schedule.
v Resume a scanner schedule.
Reference Sets
v Create a reference set.
v Edit a reference set.
v Purge elements in a reference set.
v Delete a reference set.

Chapter 13. Audit logs 145
• Add reference set elements.
• Delete reference set elements.
• Delete all reference set elements.
• Import reference set elements.
• Export reference set elements.
Reports
• Add a template.
• Delete a template.
• Edit a template.
• Generate a report.
• Delete a report.
• Delete generated content.
• View a generated report.
• Email a generated report.
Root Login
• Log in to QRadar as root.
• Log out of QRadar as root.
Rules
• Add a rule.
• Delete a rule.
• Edit a rule.
Scanner Schedule
• Add a schedule.
• Edit a schedule.
• Delete a schedule.
Session Authentication
• Create an administration session.
• Terminate an administration session.
• Deny an invalid authentication session.
• Expire a session authentication.
• Create an authentication session.
• Terminate an authentication session.
Store and Forward
• Add a Store and Forward schedule.
• Edit a Store and Forward schedule.
• Delete a Store and Forward schedule.
Syslog Forwarding
• Add a syslog forwarding configuration.
• Delete a syslog forwarding configuration.
• Edit a syslog forwarding configuration.
System Management
• Shut down a system.
• Restart a system.
User Accounts
• Add an account.
• Edit an account.
• Delete an account.
User Authentication
• Log in to the user interface.
• Log out of the user interface.
User Authentication Ariel
• Deny a login attempt.
• Add an Ariel property.
• Delete an Ariel property.
• Edit an Ariel property.
• Add an Ariel property extension.
• Delete an Ariel property extension.
• Edit an Ariel property extension.
User Roles
• Add a role.
• Edit a role.
• Delete a role.

Chapter 14. Event categories
Event categories are used to group incoming events for processing by IBM Security
QRadar. The event categories are searchable and help you monitor your network.

Events that occur on your network are aggregated into high-level and low-level
categories. Each high-level category contains a set of low-level categories, and
each low-level category carries a default severity level. You can review the
severity levels that are assigned to events and adjust them to suit your
corporate policy needs.

High-level event categories


Events in QRadar log sources are grouped into high-level categories. Each event is
assigned to a specific high-level category.

Categorizing the incoming events ensures that you can easily search the data.

The following table describes the high-level event categories.


Table 59. High-level event categories
Category | Description
“Recon” on page 150 | Events that are related to scanning and other techniques that are used to identify network resources, for example, network or host port scans.
“DoS” on page 151 | Events that are related to denial-of-service (DoS) or distributed denial-of-service (DDoS) attacks against services or hosts, for example, brute force network DoS attacks.
“Authentication” on page 154 | Events that are related to authentication controls, group, or privilege change, for example, log in or log out.
“Access” on page 160 | Events resulting from an attempt to access network resources, for example, firewall accept or deny.
“Exploit” on page 162 | Events that are related to application exploits and buffer overflow attempts, for example, buffer overflow or web application exploits.
“Malware” on page 164 | Events that are related to viruses, trojans, back door attacks, or other forms of hostile software. Malware events might include a virus, trojan, malicious software, or spyware.
“Suspicious Activity” on page 165 | The nature of the threat is unknown but the behavior is suspicious. The threat might include protocol anomalies that potentially indicate evasive techniques, for example, packet fragmentation or known intrusion detection system (IDS) evasion techniques.
“System” on page 168 | Events that are related to system changes, software installation, or status messages.

© Copyright IBM Corp. 2007, 2013 149
“Policy” on page 172 | Events regarding corporate policy violations or misuse.
“Unknown” on page 173 | Events that are related to unknown activity on your system.
“CRE” on page 174 | Events that are generated by an event rule (CRE is the custom rules engine).
“Potential Exploit” on page 174 | Events that are related to potential application exploits and buffer overflow attempts.
“User Defined” on page 175 | Events that are related to user-defined objects.
“SIM Audit” on page 178 | Events that are related to user interaction with the Console and administrative functions.
“Application” on page 178 | Events that are related to application activity.
“Audit” on page 198 | Events that are related to audit activity.
“Control” on page 199 | Events that are related to your hardware system.
“Asset Profiler” on page 201 | Events that are related to asset profiles.

Recon
The Recon category contains events that are related to scanning and other
techniques that are used to identify network resources.

The following table describes the low-level event categories and associated severity
levels for the Recon category.
Table 60. Low-level categories and severity levels for the Recon events category
Low-level event category | Description | Severity level (0 - 10)
Unknown Form of Recon | An unknown form of reconnaissance. | 2
Application Query | Reconnaissance against applications on your system. | 3
Host Query | Reconnaissance against a host in your network. | 3
Network Sweep | Reconnaissance on your network. | 4
Mail Reconnaissance | Reconnaissance on your mail system. | 3
Windows Reconnaissance | Reconnaissance for the Windows operating system. | 3
Portmap / RPC Request | Reconnaissance through portmap or RPC requests. | 3
Host Port Scan | Indicates that a scan occurred on the host ports. | 4
RPC Dump | Indicates that Remote Procedure Call (RPC) service information was dumped (enumerated). | 3
DNS Reconnaissance | Reconnaissance on the DNS server. | 3
Misc Reconnaissance Event | Miscellaneous reconnaissance event. | 2
Web Reconnaissance | Web reconnaissance on your network. | 3
Database Reconnaissance | Database reconnaissance on your network. | 3
ICMP Reconnaissance | Reconnaissance on ICMP traffic. | 3
UDP Reconnaissance | Reconnaissance on UDP traffic. | 3
SNMP Reconnaissance | Reconnaissance on SNMP traffic. | 3
ICMP Host Query | Indicates an ICMP host query. | 3
UDP Host Query | Indicates a UDP host query. | 3
NMAP Reconnaissance | Indicates NMAP reconnaissance. | 3
TCP Reconnaissance | Indicates TCP reconnaissance on your network. | 3
UNIX Reconnaissance | Reconnaissance on your UNIX network. | 3
FTP Reconnaissance | Indicates FTP reconnaissance. | 3

DoS
The DoS category contains events that are related to denial-of-service (DoS) attacks
against services or hosts.

The following table describes the low-level event categories and associated severity
levels for the DoS category.
Table 61. Low-level categories and severity levels for the DoS events category
Low-level event category | Description | Severity level (0 - 10)
Unknown DoS Attack | Indicates an unknown DoS attack. | 8
ICMP DoS | Indicates an ICMP DoS attack. | 9
TCP DoS | Indicates a TCP DoS attack. | 9
UDP DoS | Indicates a UDP DoS attack. | 9
DNS Service DoS | Indicates a DNS service DoS attack. | 8
Web Service DoS | Indicates a web service DoS attack. | 8
Mail Service DoS | Indicates a mail server DoS attack. | 8
Distributed DoS | Indicates a distributed DoS attack. | 9
Misc DoS | Indicates a miscellaneous DoS attack. | 8
UNIX DoS | Indicates a UNIX DoS attack. | 8
Windows DoS | Indicates a Windows DoS attack. | 8
Database DoS | Indicates a database DoS attack. | 8
FTP DoS | Indicates an FTP DoS attack. | 8
Infrastructure DoS | Indicates a DoS attack on the infrastructure. | 8
Telnet DoS | Indicates a Telnet DoS attack. | 8
Brute Force Login | Indicates a brute force login attack, that is, repeated attempts to gain access by guessing credentials. | 8
High Rate TCP DoS | Indicates a high rate TCP DoS attack. | 8
High Rate UDP DoS | Indicates a high rate UDP DoS attack. | 8
High Rate ICMP DoS | Indicates a high rate ICMP DoS attack. | 8
High Rate DoS | Indicates a high rate DoS attack. | 8
Medium Rate TCP DoS | Indicates a medium rate TCP DoS attack. | 8
Medium Rate UDP DoS | Indicates a medium rate UDP DoS attack. | 8
Medium Rate ICMP DoS | Indicates a medium rate ICMP DoS attack. | 8
Medium Rate DoS | Indicates a medium rate DoS attack. | 8
Low Rate TCP DoS | Indicates a low rate TCP DoS attack. | 8
Low Rate UDP DoS | Indicates a low rate UDP DoS attack. | 8
Low Rate ICMP DoS | Indicates a low rate ICMP DoS attack. | 8
Low Rate DoS | Indicates a low rate DoS attack. | 8
Distributed High Rate TCP DoS | Indicates a distributed high rate TCP DoS attack. | 8
Distributed High Rate UDP DoS | Indicates a distributed high rate UDP DoS attack. | 8
Distributed High Rate ICMP DoS | Indicates a distributed high rate ICMP DoS attack. | 8
Distributed High Rate DoS | Indicates a distributed high rate DoS attack. | 8
Distributed Medium Rate TCP DoS | Indicates a distributed medium rate TCP DoS attack. | 8
Distributed Medium Rate UDP DoS | Indicates a distributed medium rate UDP DoS attack. | 8
Distributed Medium Rate ICMP DoS | Indicates a distributed medium rate ICMP DoS attack. | 8
Distributed Medium Rate DoS | Indicates a distributed medium rate DoS attack. | 8
Distributed Low Rate TCP DoS | Indicates a distributed low rate TCP DoS attack. | 8
Distributed Low Rate UDP DoS | Indicates a distributed low rate UDP DoS attack. | 8
Distributed Low Rate ICMP DoS | Indicates a distributed low rate ICMP DoS attack. | 8
Distributed Low Rate DoS | Indicates a distributed low rate DoS attack. | 8
High Rate TCP Scan | Indicates a high rate TCP scan. | 8
High Rate UDP Scan | Indicates a high rate UDP scan. | 8
High Rate ICMP Scan | Indicates a high rate ICMP scan. | 8
High Rate Scan | Indicates a high rate scan. | 8
Medium Rate TCP Scan | Indicates a medium rate TCP scan. | 8
Medium Rate UDP Scan | Indicates a medium rate UDP scan. | 8
Medium Rate ICMP Scan | Indicates a medium rate ICMP scan. | 8
Medium Rate Scan | Indicates a medium rate scan. | 8
Low Rate TCP Scan | Indicates a low rate TCP scan. | 8
Low Rate UDP Scan | Indicates a low rate UDP scan. | 8
Low Rate ICMP Scan | Indicates a low rate ICMP scan. | 8
Low Rate Scan | Indicates a low rate scan. | 8
VoIP DoS | Indicates a VoIP DoS attack. | 8
Flood | Indicates a flood attack. | 8
TCP Flood | Indicates a TCP flood attack. | 8
UDP Flood | Indicates a UDP flood attack. | 8
ICMP Flood | Indicates an ICMP flood attack. | 8
SYN Flood | Indicates a SYN flood attack. | 8
URG Flood | Indicates a flood attack with the urgent (URG) flag on. | 8
SYN URG Flood | Indicates a SYN flood attack with the urgent (URG) flag on. | 8
SYN FIN Flood | Indicates a SYN FIN flood attack. | 8
SYN ACK Flood | Indicates a SYN ACK flood attack. | 8

Authentication
The authentication category contains events that are related to authentication,
sessions, and access controls that monitor users on the network.

The following table describes the low-level event categories and associated severity
levels for the authentication category.
Table 62. Low-level categories and severity levels for the authentication events category
Low-level event category | Description | Severity level (0 - 10)
Unknown Authentication | Indicates unknown authentication. | 1
Host Login Succeeded | Indicates a successful host login. | 1
Host Login Failed | Indicates that the host login failed. | 3
Misc Login Succeeded | Indicates that the login sequence succeeded. | 1
Misc Login Failed | Indicates that the login sequence failed. | 3
Privilege Escalation Failed | Indicates that the privilege escalation failed. | 3
Privilege Escalation Succeeded | Indicates that the privilege escalation succeeded. | 1
Mail Service Login Succeeded | Indicates that the mail service login succeeded. | 1
Mail Service Login Failed | Indicates that the mail service login failed. | 3
Auth Server Login Failed | Indicates that the authentication server login failed. | 3
Auth Server Login Succeeded | Indicates that the authentication server login succeeded. | 1
Web Service Login Succeeded | Indicates that the web service login succeeded. | 1
Web Service Login Failed | Indicates that the web service login failed. | 3
Admin Login Successful | Indicates that an administrative login was successful. | 1
Admin Login Failure | Indicates that the administrative login failed. | 3
Suspicious Username | Indicates that a user attempted to access the network by using an incorrect user name. | 4
Login with username/password defaults successful | Indicates that a user accessed the network by using the default user name and password. | 4
Login with username/password defaults failed | Indicates that a user was unsuccessful in accessing the network by using the default user name and password. | 4
FTP Login Succeeded | Indicates that the FTP login was successful. | 1
FTP Login Failed | Indicates that the FTP login failed. | 3
SSH Login Succeeded | Indicates that the SSH login was successful. | 1
SSH Login Failed | Indicates that the SSH login failed. | 2
User Right Assigned | Indicates that user access to network resources was successfully granted. | 1
User Right Removed | Indicates that user access to network resources was successfully removed. | 1
Trusted Domain Added | Indicates that a trusted domain was successfully added to your deployment. | 1
Trusted Domain Removed | Indicates that a trusted domain was removed from your deployment. | 1
System Security Access Granted | Indicates that system security access was successfully granted. | 1
System Security Access Removed | Indicates that system security access was successfully removed. | 1
Policy Added | Indicates that a policy was successfully added. | 1
Policy Change | Indicates that a policy was successfully changed. | 1
User Account Added | Indicates that a user account was successfully added. | 1
User Account Changed | Indicates a change to an existing user account. | 1
Password Change Failed | Indicates that an attempt to change an existing password failed. | 3
Password Change Succeeded | Indicates that a password change was successful. | 1
User Account Removed | Indicates that a user account was successfully removed. | 1
Group Member Added | Indicates that a group member was successfully added. | 1
Group Member Removed | Indicates that a group member was removed. | 1
Group Added | Indicates that a group was successfully added. | 1
Group Changed | Indicates a change to an existing group. | 1
Group Removed | Indicates that a group was removed. | 1
Computer Account Added | Indicates that a computer account was successfully added. | 1
Computer Account Changed | Indicates a change to an existing computer account. | 1
Computer Account Removed | Indicates that a computer account was successfully removed. | 1
Remote Access Login Succeeded | Indicates that access to the network by using a remote login was successful. | 1
Remote Access Login Failed | Indicates that an attempt to access the network by using a remote login failed. | 3
General Authentication Successful | Indicates that the authentication process was successful. | 1
General Authentication Failed | Indicates that the authentication process failed. | 3
Telnet Login Succeeded | Indicates that the telnet login was successful. | 1
Telnet Login Failed | Indicates that the telnet login failed. | 3
Suspicious Password | Indicates that a user attempted to log in by using a suspicious password. | 4
Samba Login Successful | Indicates that a user successfully logged in by using Samba. | 1
Samba Login Failed | Indicates that a user failed to log in by using Samba. | 3
Auth Server Session Opened | Indicates that a communication session with the authentication server was started. | 1
Auth Server Session Closed | Indicates that a communication session with the authentication server was closed. | 1
Firewall Session Closed | Indicates that a firewall session was closed. | 1
Host Logout | Indicates that a host successfully logged out. | 1
Misc Logout | Indicates that a user successfully logged out. | 1
Auth Server Logout | Indicates that the process to log out of the authentication server was successful. | 1
Web Service Logout | Indicates that the process to log out of the web service was successful. | 1
Admin Logout | Indicates that the administrative user successfully logged out. | 1
FTP Logout | Indicates that the process to log out of the FTP service was successful. | 1
SSH Logout | Indicates that the process to log out of the SSH session was successful. | 1
Remote Access Logout | Indicates that the process to log out by using remote access was successful. | 1
Telnet Logout | Indicates that the process to log out of the Telnet session was successful. | 1
Samba Logout | Indicates that the process to log out of Samba was successful. | 1
SSH Session Started | Indicates that an SSH login session was initiated on a host. | 1
SSH Session Finished | Indicates the termination of an SSH login session on a host. | 1
Admin Session Started | Indicates that a login session was initiated on a host by an administrative or privileged user. | 1
Admin Session Finished | Indicates the termination of an administrator's or privileged user's login session on a host. | 1
VoIP Login Succeeded | Indicates a successful VoIP service login. | 1
VoIP Login Failed | Indicates an unsuccessful attempt to access the VoIP service. | 1
VoIP Logout | Indicates a VoIP user logout. | 1
VoIP Session Initiated | Indicates the beginning of a VoIP session. | 1
VoIP Session Terminated | Indicates the end of a VoIP session. | 1
Database Login Succeeded | Indicates a successful database login. | 1
Database Login Failure | Indicates that a database login attempt failed. | 3
IKE Authentication Failed | Indicates that a failed Internet Key Exchange (IKE) authentication was detected. | 3
IKE Authentication Succeeded | Indicates that a successful IKE authentication was detected. | 1
IKE Session Started | Indicates that an IKE session started. | 1
IKE Session Ended | Indicates that an IKE session ended. | 1
IKE Error | Indicates an IKE error message. | 1
IKE Status | Indicates an IKE status message. | 1
RADIUS Session Started | Indicates that a RADIUS session started. | 1
RADIUS Session Ended | Indicates that a RADIUS session ended. | 1
RADIUS Session Denied | Indicates that a RADIUS session was denied. | 1
RADIUS Session Status | Indicates a RADIUS session status message. | 1
RADIUS Authentication Failed | Indicates a RADIUS authentication failure. | 3
RADIUS Authentication Successful | Indicates that a RADIUS authentication succeeded. | 1
TACACS Session Started | Indicates that a TACACS session started. | 1
TACACS Session Ended | Indicates that a TACACS session ended. | 1
TACACS Session Denied | Indicates that a TACACS session was denied. | 1
TACACS Session Status | Indicates a TACACS session status message. | 1
TACACS Authentication Successful | Indicates that a TACACS authentication succeeded. | 1
TACACS Authentication Failed | Indicates a TACACS authentication failure. | 1
Deauthenticating Host Succeeded | Indicates that the deauthentication of a host was successful. | 1
Deauthenticating Host Failed | Indicates that the deauthentication of a host failed. | 3
Station Authentication Succeeded | Indicates that the station authentication was successful. | 1
Station Authentication Failed | Indicates that the station authentication of a host failed. | 3
Station Association Succeeded | Indicates that the station association was successful. | 1
Station Association Failed | Indicates that the station association failed. | 3
Station Reassociation Succeeded | Indicates that the station reassociation was successful. | 1
Station Reassociation Failed | Indicates that the station reassociation failed. | 3
Disassociating Host Succeeded | Indicates that disassociating a host was successful. | 1
Disassociating Host Failed | Indicates that disassociating a host failed. | 3
SA Error | Indicates a Security Association (SA) error message. | 5
SA Creation Failure | Indicates a Security Association (SA) creation failure. | 3
SA Established | Indicates that a Security Association (SA) connection was established. | 1
SA Rejected | Indicates that a Security Association (SA) connection was rejected. | 3
Deleting SA | Indicates the deletion of a Security Association (SA). | 1
Creating SA | Indicates the creation of a Security Association (SA). | 1
Certificate Mismatch | Indicates a certificate mismatch. | 3
Credentials Mismatch | Indicates a credentials mismatch. | 3
Admin Login Attempt | Indicates an admin login attempt. | 2
User Login Attempt | Indicates a user login attempt. | 2
User Login Successful | Indicates a successful user login. | 1
User Login Failure | Indicates a failed user login. | 3
SFTP Login Succeeded | Indicates a successful SSH File Transfer Protocol (SFTP) login. | 1
SFTP Login Failed | Indicates a failed SSH File Transfer Protocol (SFTP) login. | 3
SFTP Logout | Indicates an SSH File Transfer Protocol (SFTP) logout. | 1

Access
The access category contains events that result from attempts to access network
resources, for example, firewall accept or deny decisions and session activity.

The following table describes the low-level event categories and associated severity
levels for the access category.

Table 63. Low-level categories and severity levels for the access events category
Low-level event category | Description | Severity level (0 - 10)
Unknown Network Communication Event | Indicates an unknown network communication event. | 3
Firewall Permit | Indicates that the firewall permitted the traffic. | 0
Firewall Deny | Indicates that the firewall denied the traffic. | 4
Flow Context Response | Indicates events from the Classification Engine in response to a SIM request. | 5
Misc Network Communication Event | Indicates a miscellaneous communications event. | 3
IPS Deny | Indicates that an Intrusion Prevention System (IPS) denied traffic. | 4
Firewall Session Opened | Indicates that a firewall session was opened. | 0
Firewall Session Closed | Indicates that a firewall session was closed. | 0
Dynamic Address Translation Successful | Indicates that dynamic address translation was successful. | 0
No Translation Group Found | Indicates that no translation group was found. | 2
Misc Authorization | Indicates that access was granted by a miscellaneous authentication or authorization server. | 2
ACL Permit | Indicates that an Access Control List (ACL) allowed access. | 0
ACL Deny | Indicates that an Access Control List (ACL) denied access. | 4
Access Permitted | Indicates that access was allowed. | 0
Access Denied | Indicates that access was denied. | 4
Session Opened | Indicates that a session was opened. | 1
Session Closed | Indicates that a session was closed. | 1
Session Reset | Indicates that a session was reset. | 3
Session Terminated | Indicates that a session was terminated. | 4
Session Denied | Indicates that a session was denied. | 5
Session in Progress | Indicates that a session is in progress. | 1
Session Delayed | Indicates that a session was delayed. | 3
Session Queued | Indicates that a session was queued. | 1
Session Inbound | Indicates that a session is inbound. | 1
Session Outbound | Indicates that a session is outbound. | 1
Unauthorized Access Attempt | Indicates that an unauthorized access attempt was detected. | 6
Misc Application Action Allowed | Indicates that an application action was allowed. | 1
Misc Application Action Denied | Indicates that an application action was denied. | 3
Database Action Allowed | Indicates that a database action was allowed. | 1
Database Action Denied | Indicates that a database action was denied. | 3
FTP Action Allowed | Indicates that an FTP action was allowed. | 1
FTP Action Denied | Indicates that an FTP action was denied. | 3
Object Cached | Indicates that an object was cached. | 1
Object Not Cached | Indicates that an object was not cached. | 1
Rate Limiting | Indicates that the network rate-limits traffic. | 4
No Rate Limiting | Indicates that the network does not rate-limit traffic. | 0

Exploit
The exploit category contains events where a communication or an access exploit
occurred.

The following table describes the low-level event categories and associated severity
levels for the exploit category.
Table 64. Low-level categories and severity levels for the exploit events category
Low-level event category | Description | Severity level (0 - 10)
Unknown Exploit Attack | Indicates an unknown exploit attack. | 9
Buffer Overflow | Indicates a buffer overflow. | 9
DNS Exploit | Indicates a DNS exploit. | 9
Telnet Exploit | Indicates a Telnet exploit. | 9
Linux Exploit | Indicates a Linux exploit. | 9
UNIX Exploit | Indicates a UNIX exploit. | 9
Windows Exploit | Indicates a Microsoft Windows exploit. | 9
Mail Exploit | Indicates a mail server exploit. | 9
Infrastructure Exploit | Indicates an infrastructure exploit. | 9
Misc Exploit | Indicates a miscellaneous exploit. | 9
Web Exploit | Indicates a web exploit. | 9
Session Hijack | Indicates that a session in your network was hijacked, that is, taken over by a third party. | 9
Worm Active | Indicates an active worm. | 10
Password Guess/Retrieve | Indicates an attempt to guess or retrieve a password. | 9
FTP Exploit | Indicates an FTP exploit. | 9
RPC Exploit | Indicates an RPC exploit. | 9
SNMP Exploit | Indicates an SNMP exploit. | 9
NOOP Exploit | Indicates a NOOP exploit. | 9
Samba Exploit | Indicates a Samba exploit. | 9
Database Exploit | Indicates a database exploit. | 9
SSH Exploit | Indicates an SSH exploit. | 9
ICMP Exploit | Indicates an ICMP exploit. | 9
UDP Exploit | Indicates a UDP exploit. | 9
Browser Exploit | Indicates an exploit on your browser. | 9
DHCP Exploit | Indicates a DHCP exploit. | 9
Remote Access Exploit | Indicates a remote access exploit. | 9
ActiveX Exploit | Indicates an exploit through an ActiveX application. | 9
SQL Injection | Indicates that an SQL injection occurred. | 9
Cross-Site Scripting | Indicates a cross-site scripting (XSS) attack. | 9
Format String Vulnerability | Indicates a format string vulnerability. | 9
Input Validation Exploit | Indicates that an input validation exploit attempt was detected. | 9
Remote Code Execution | Indicates that a remote code execution attempt was detected. | 9
Memory Corruption | Indicates that a memory corruption exploit was detected. | 9
Command Execution | Indicates that a remote command execution attempt was detected. | 9

Malware
The malicious software (malware) category contains events that are related to
viruses, trojans, back door attacks, spyware, and other forms of hostile software.

The following table describes the low-level event categories and associated severity
levels for the malware category.
Table 65. Low-level categories and severity levels for the malware events category
Low-level event category | Description | Severity level (0 - 10)
Unknown Malware | Indicates unknown malware. | 4
Backdoor Detected | Indicates that a back door to the system was detected. | 9
Hostile Mail Attachment | Indicates a hostile mail attachment. | 6
Malicious Software | Indicates malicious software. | 6
Hostile Software Download | Indicates a hostile software download to your network. | 6
Virus Detected | Indicates that a virus was detected. | 8
Misc Malware | Indicates miscellaneous malicious software. | 4
Trojan Detected | Indicates that a trojan was detected. | 7
Spyware Detected | Indicates that spyware was detected on your system. | 6
Content Scan | Indicates that an attempted scan of your content was detected. | 3
Content Scan Failed | Indicates that a scan of your content failed. | 8
Content Scan Successful | Indicates that a scan of your content was successful. | 3
Content Scan in Progress | Indicates that a scan of your content is in progress. | 3
Keylogger | Indicates that a key logger was detected. | 7
Adware Detected | Indicates that adware was detected. | 4
Quarantine Successful | Indicates that a quarantine action successfully completed. | 3
Quarantine Failed | Indicates that a quarantine action failed. | 8

Suspicious Activity
The suspicious activity category contains events where the nature of the threat
is unknown but the behavior is suspicious, for example protocol anomalies,
packet fragmentation, and other techniques that might indicate an attempt to
evade detection.

The following table describes the low-level event categories and associated severity
levels for the suspicious activity category.
Table 66. Low-level categories and severity levels for the suspicious activity events category
Low-level event category | Description | Severity level (0 - 10)
Unknown Suspicious Event | Indicates an unknown suspicious event. | 3
Suspicious Pattern Detected | Indicates that a suspicious pattern was detected. | 3
Content Modified By Firewall | Indicates that content was modified by the firewall. | 3
Invalid Command or Data | Indicates an invalid command or data. | 3
Suspicious Packet | Indicates a suspicious packet. | 3
Suspicious Activity | Indicates suspicious activity. | 3
Suspicious File Name | Indicates a suspicious file name. | 3
Suspicious Port Activity | Indicates suspicious port activity. | 3
Suspicious Routing | Indicates suspicious routing. | 3
Potential Web Vulnerability | Indicates a potential web vulnerability. | 3
Unknown Evasion Event | Indicates an unknown evasion event. | 5
IP Spoof | Indicates an IP spoof. | 5
IP Fragmentation | Indicates IP fragmentation. | 3
Overlapping IP Fragments | Indicates overlapping IP fragments. | 5
IDS Evasion | Indicates an IDS evasion. | 5
DNS Protocol Anomaly | Indicates a DNS protocol anomaly. | 3
FTP Protocol Anomaly | Indicates an FTP protocol anomaly. | 3
Mail Protocol Anomaly | Indicates a mail protocol anomaly. | 3
Routing Protocol Anomaly | Indicates a routing protocol anomaly. | 3
Web Protocol Anomaly | Indicates a web protocol anomaly. | 3
SQL Protocol Anomaly | Indicates an SQL protocol anomaly. | 3
Executable Code Detected | Indicates that executable code was detected. | 5
Misc Suspicious Event | Indicates a miscellaneous suspicious event. | 3
Information Leak | Indicates an information leak. | 1
Potential Mail Vulnerability | Indicates a potential vulnerability in the mail server. | 4
Potential Version Vulnerability | Indicates a potential vulnerability that is inferred from a reported software version. | 4
Potential FTP Vulnerability | Indicates a potential FTP vulnerability. | 4
Potential SSH Vulnerability | Indicates a potential SSH vulnerability. | 4
Potential DNS Vulnerability | Indicates a potential vulnerability in the DNS server. | 4
Potential SMB Vulnerability | Indicates a potential SMB (Samba) vulnerability. | 4
Potential Database Vulnerability | Indicates a potential vulnerability in the database. | 4
IP Protocol Anomaly | Indicates a potential IP protocol anomaly. | 3
Suspicious IP Address | Indicates that a suspicious IP address was detected. | 2
Invalid IP Protocol Usage | Indicates an invalid IP protocol. | 2
Invalid Protocol | Indicates an invalid protocol. | 4
Suspicious Window Events | Indicates a suspicious event with a screen on your desktop. | 2
166 QRadar Log Manager Administration Guide


Table 66. Low-level categories and severity levels for the suspicious activity events category (continued)

| Low-level event category | Description | Severity level (0 - 10) |
| --- | --- | --- |
| Suspicious ICMP Activity | Indicates suspicious ICMP activity. | 2 |
| Potential NFS Vulnerability | Indicates a potential network file system (NFS) vulnerability. | 4 |
| Potential NNTP Vulnerability | Indicates a potential Network News Transfer Protocol (NNTP) vulnerability. | 4 |
| Potential RPC Vulnerability | Indicates a potential RPC vulnerability. | 4 |
| Potential Telnet Vulnerability | Indicates a potential Telnet vulnerability on your system. | 4 |
| Potential SNMP Vulnerability | Indicates a potential SNMP vulnerability. | 4 |
| Illegal TCP Flag Combination | Indicates that an invalid TCP flag combination was detected. | 5 |
| Suspicious TCP Flag Combination | Indicates that a potentially invalid TCP flag combination was detected. | 4 |
| Illegal ICMP Protocol Usage | Indicates that an invalid use of the ICMP protocol was detected. | 5 |
| Suspicious ICMP Protocol Usage | Indicates that a potentially invalid use of the ICMP protocol was detected. | 4 |
| Illegal ICMP Type | Indicates that an invalid ICMP type was detected. | 5 |
| Illegal ICMP Code | Indicates that an invalid ICMP code was detected. | 5 |
| Suspicious ICMP Type | Indicates that a potentially invalid ICMP type was detected. | 4 |
| Suspicious ICMP Code | Indicates that a potentially invalid ICMP code was detected. | 4 |
| TCP port 0 | Indicates a TCP packet uses a reserved port (0) for source or destination. | 4 |
| UDP port 0 | Indicates a UDP packet uses a reserved port (0) for source or destination. | 4 |
| Hostile IP | Indicates the use of a known hostile IP address. | 4 |
| Watch list IP | Indicates the use of an IP address from a watch list of IP addresses. | 4 |
| Known offender IP | Indicates the use of an IP address of a known offender. | 4 |
| RFC 1918 (private) IP | Indicates the use of an IP address from a private IP address range. | 4 |
| Potential VoIP Vulnerability | Indicates a potential VoIP vulnerability. | 4 |
| Blacklist Address | Indicates that an IP address is on the black list. | 8 |
| Watchlist Address | Indicates that the IP address is on the list of IP addresses being monitored. | 7 |
| Darknet Address | Indicates that the IP address is part of a darknet. | 5 |
| Botnet Address | Indicates that the address is part of a botnet. | 7 |
| Suspicious Address | Indicates that the IP address must be monitored. | 5 |
| Bad Content | Indicates that bad content was detected. | 7 |
| Invalid Cert | Indicates that an invalid certificate was detected. | 7 |
| User Activity | Indicates that user activity was detected. | 7 |
| Suspicious Protocol Usage | Indicates that suspicious protocol usage was detected. | 5 |
| Suspicious BGP Activity | Indicates that suspicious Border Gateway Protocol (BGP) usage was detected. | 5 |
| Route Poisoning | Indicates that route corruption was detected. | 5 |
| ARP Poisoning | Indicates that ARP-cache poisoning was detected. | 5 |
| Rogue Device Detected | Indicates that a rogue device was detected. | 5 |

System
The system category contains events that are related to system changes, software
installation, or status messages.

The following table describes the low-level event categories and associated severity
levels for the system category.

Table 67. Low-level categories and severity levels for the system events category

| Low-level event category | Description | Severity level (0 - 10) |
| --- | --- | --- |
| Unknown System Event | Indicates an unknown system event. | 1 |
| System Boot | Indicates a system restart. | 1 |
| System Configuration | Indicates a change in the system configuration. | 1 |
| System Halt | Indicates that the system was halted. | 1 |
| System Failure | Indicates a system failure. | 6 |
| System Status | Indicates any information event. | 1 |
| System Error | Indicates a system error. | 3 |
| Misc System Event | Indicates a miscellaneous system event. | 1 |
| Service Started | Indicates that system services started. | 1 |
| Service Stopped | Indicates that system services stopped. | 1 |
| Service Failure | Indicates a system failure. | 6 |
| Successful Registry Modification | Indicates that a modification to the registry was successful. | 1 |
| Successful Host-Policy Modification | Indicates that a modification to the host policy was successful. | 1 |
| Successful File Modification | Indicates that a modification to a file was successful. | 1 |
| Successful Stack Modification | Indicates that a modification to the stack was successful. | 1 |
| Successful Application Modification | Indicates that a modification to the application was successful. | 1 |
| Successful Configuration Modification | Indicates that a modification to the configuration was successful. | 1 |
| Successful Service Modification | Indicates that a modification to a service was successful. | 1 |
| Failed Registry Modification | Indicates that a modification to the registry failed. | 1 |
| Failed Host-Policy Modification | Indicates that a modification to the host policy failed. | 1 |
| Failed File Modification | Indicates that a modification to a file failed. | 1 |
| Failed Stack Modification | Indicates that a modification to the stack failed. | 1 |
| Failed Application Modification | Indicates that a modification to an application failed. | 1 |
| Failed Configuration Modification | Indicates that a modification to the configuration failed. | 1 |
| Failed Service Modification | Indicates that a modification to the service failed. | 1 |
| Registry Addition | Indicates that a new item was added to the registry. | 1 |
| Host-Policy Created | Indicates that a new entry was added to the registry. | 1 |
| File Created | Indicates that a new file was created in the system. | 1 |
| Application Installed | Indicates that a new application was installed on the system. | 1 |
| Service Installed | Indicates that a new service was installed on the system. | 1 |
| Registry Deletion | Indicates that a registry entry was deleted. | 1 |
| Host-Policy Deleted | Indicates that a host policy entry was deleted. | 1 |
| File Deleted | Indicates that a file was deleted. | 1 |
| Application Uninstalled | Indicates that an application was uninstalled. | 1 |
| Service Uninstalled | Indicates that a service was uninstalled. | 1 |
| System Informational | Indicates system information. | 3 |
| System Action Allow | Indicates that an attempted action on the system was authorized. | 3 |
| System Action Deny | Indicates that an attempted action on the system was denied. | 4 |
| Cron | Indicates a crontab message. | 1 |
| Cron Status | Indicates a crontab status message. | 1 |
| Cron Failed | Indicates a crontab failure message. | 4 |
| Cron Successful | Indicates a crontab success message. | 1 |
| Daemon | Indicates a daemon message. | 1 |
| Daemon Status | Indicates a daemon status message. | 1 |
| Daemon Failed | Indicates a daemon failure message. | 4 |
| Daemon Successful | Indicates a daemon success message. | 1 |
| Kernel | Indicates a kernel message. | 1 |
| Kernel Status | Indicates a kernel status message. | 1 |
| Kernel Failed | Indicates a kernel failure message. | |
| Kernel Successful | Indicates a kernel success message. | 1 |
| Authentication | Indicates an authentication message. | 1 |
| Information | Indicates an informational message. | 2 |
| Notice | Indicates a notice message. | 3 |
| Warning | Indicates a warning message. | 5 |
| Error | Indicates an error message. | 7 |
| Critical | Indicates a critical message. | 9 |
| Debug | Indicates a debug message. | 1 |
| Messages | Indicates a generic message. | 1 |
| Privilege Access | Indicates that privilege access was attempted. | 3 |
| Alert | Indicates an alert message. | 9 |
| Emergency | Indicates an emergency message. | 9 |
| SNMP Status | Indicates an SNMP status message. | 1 |
| FTP Status | Indicates an FTP status message. | 1 |
| NTP Status | Indicates an NTP status message. | 1 |
| Access Point Radio Failure | Indicates an access point radio failure. | 3 |
| Encryption Protocol Configuration Mismatch | Indicates an encryption protocol configuration mismatch. | 3 |
| Client Device or Authentication Server Misconfigured | Indicates that a client device or authentication server was not configured properly. | 5 |
| Hot Standby Enable Failed | Indicates a hot standby enable failure. | 5 |
| Hot Standby Disable Failed | Indicates a hot standby disable failure. | 5 |
| Hot Standby Enabled Successfully | Indicates that hot standby was enabled successfully. | 1 |
| Hot Standby Association Lost | Indicates that a hot standby association was lost. | 5 |
| MainMode Initiation Failure | Indicates a MainMode initiation failure. | 5 |
| MainMode Initiation Succeeded | Indicates that the MainMode initiation was successful. | 1 |
| MainMode Status | Indicates that a MainMode status message was reported. | 1 |
| QuickMode Initiation Failure | Indicates that the QuickMode initiation failed. | 5 |
| Quickmode Initiation Succeeded | Indicates that the QuickMode initiation was successful. | 1 |
| Quickmode Status | Indicates that a QuickMode status message was reported. | 1 |
| Invalid License | Indicates an invalid license. | 3 |
| License Expired | Indicates an expired license. | 3 |
| New License Applied | Indicates that a new license was applied. | 1 |
| License Error | Indicates a license error. | 5 |
| License Status | Indicates a license status message. | 1 |
| Configuration Error | Indicates that a configuration error was detected. | 5 |
| Service Disruption | Indicates that a service disruption was detected. | 5 |
| License Exceeded | Indicates that the license capabilities were exceeded. | 3 |
| Performance Status | Indicates that the performance status was reported. | 1 |
| Performance Degradation | Indicates that the performance is being degraded. | 4 |
| Misconfiguration | Indicates that an incorrect configuration was detected. | 5 |

Policy
The policy category contains events that are related to the administration of network
policy and the monitoring of network resources for policy violations.

The following table describes the low-level event categories and associated severity
levels for the policy category.
Table 68. Low-level categories and severity levels for the policy category

| Low-level event category | Description | Severity level (0 - 10) |
| --- | --- | --- |
| Unknown Policy Violation | Indicates an unknown policy violation. | 2 |
| Web Policy Violation | Indicates a web policy violation. | 2 |
| Remote Access Policy Violation | Indicates a remote access policy violation. | 2 |
| IRC/IM Policy Violation | Indicates an instant messenger policy violation. | 2 |
| P2P Policy Violation | Indicates a Peer-to-Peer (P2P) policy violation. | 2 |
| IP Access Policy Violation | Indicates an IP access policy violation. | 2 |
| Application Policy Violation | Indicates an application policy violation. | 2 |
| Database Policy Violation | Indicates a database policy violation. | 2 |
| Network Threshold Policy Violation | Indicates a network threshold policy violation. | 2 |
| Porn Policy Violation | Indicates a porn policy violation. | 2 |
| Games Policy Violation | Indicates a games policy violation. | 2 |
| Misc Policy Violation | Indicates a miscellaneous policy violation. | 2 |
| Compliance Policy Violation | Indicates a compliance policy violation. | 2 |
| Mail Policy Violation | Indicates a mail policy violation. | 2 |
| IRC Policy Violation | Indicates an IRC policy violation. | 2 |
| IM Policy Violation | Indicates a policy violation that is related to instant message (IM) activities. | 2 |
| VoIP Policy Violation | Indicates a VoIP policy violation. | 2 |
| Succeeded | Indicates a policy success message. | 1 |
| Failed | Indicates a policy failure message. | 4 |

Unknown
The Unknown category contains events that are not parsed and therefore cannot be
categorized.

The following table describes the low-level event categories and associated severity
levels for the Unknown category.

Table 69. Low-level categories and severity levels for the Unknown category

| Low-level event category | Description | Severity level (0 - 10) |
| --- | --- | --- |
| Unknown | Indicates an unknown event. | 3 |
| Unknown Snort Event | Indicates an unknown Snort event. | 3 |
| Unknown Dragon Event | Indicates an unknown Dragon event. | 3 |
| Unknown Pix Firewall Event | Indicates an unknown Cisco Private Internet Exchange (PIX) Firewall event. | 3 |
| Unknown Tipping Point Event | Indicates an unknown HP TippingPoint event. | 3 |
| Unknown Windows Auth Server Event | Indicates an unknown Windows Auth Server event. | 3 |
| Unknown Nortel Event | Indicates an unknown Nortel event. | 3 |
| Stored | Indicates an unknown stored event. | 3 |
| Behavioral | Indicates an unknown behavioral event. | 3 |
| Threshold | Indicates an unknown threshold event. | 3 |
| Anomaly | Indicates an unknown anomaly event. | 3 |

CRE
The custom rule event (CRE) category contains events that are generated from an
event rule.

The following table describes the low-level event categories and associated severity
levels for the CRE category.
Table 70. Low-level categories and severity levels for the CRE category

| Low-level event category | Description | Severity level (0 - 10) |
| --- | --- | --- |
| Unknown CRE Event | Indicates an unknown custom rules engine event. | 5 |
| Single Event Rule Match | Indicates a single event rule match. | 5 |
| Event Sequence Rule Match | Indicates an event sequence rule match. | 5 |

Potential Exploit
The potential exploit category contains events that are related to potential
application exploits and buffer overflow attempts.

The following table describes the low-level event categories and associated severity
levels for the potential exploit category.

Table 71. Low-level categories and severity levels for the potential exploit category

| Low-level event category | Description | Severity level (0 - 10) |
| --- | --- | --- |
| Unknown Potential Exploit Attack | Indicates that a potentially exploitative attack was detected. | 7 |
| Potential Buffer Overflow | Indicates that a potential buffer overflow was detected. | 7 |
| Potential DNS Exploit | Indicates that a potentially exploitative attack through the DNS server was detected. | 7 |
| Potential Telnet Exploit | Indicates that a potentially exploitative attack through Telnet was detected. | 7 |
| Potential Linux Exploit | Indicates that a potentially exploitative attack through Linux was detected. | 7 |
| Potential UNIX Exploit | Indicates that a potentially exploitative attack through UNIX was detected. | 7 |
| Potential Windows Exploit | Indicates that a potentially exploitative attack through Windows was detected. | 7 |
| Potential Mail Exploit | Indicates that a potentially exploitative attack through mail was detected. | 7 |
| Potential Infrastructure Exploit | Indicates that a potentially exploitative attack on the system infrastructure was detected. | 7 |
| Potential Misc Exploit | Indicates that a potentially exploitative attack was detected. | 7 |
| Potential Web Exploit | Indicates that a potentially exploitative attack through the web was detected. | 7 |
| Potential Botnet Connection | Indicates that a potentially exploitative attack that uses a botnet was detected. | 6 |
| Potential Worm Activity | Indicates that a potential attack that uses worm activity was detected. | 6 |

User Defined
The User Defined category contains events that are related to user-defined objects.

The following table describes the low-level event categories and associated severity
levels for the User Defined category.
Table 72. Low-level categories and severity levels for the User Defined category

| Low-level event category | Description | Severity level (0 - 10) |
| --- | --- | --- |
| Custom Sentry Low | Indicates a low severity custom anomaly event. | 3 |
| Custom Sentry Medium | Indicates a medium severity custom anomaly event. | 5 |
| Custom Sentry High | Indicates a high severity custom anomaly event. | 7 |
| Custom Sentry 1 | Indicates a custom anomaly event with a severity level of 1. | 1 |
| Custom Sentry 2 | Indicates a custom anomaly event with a severity level of 2. | 2 |
| Custom Sentry 3 | Indicates a custom anomaly event with a severity level of 3. | 3 |
| Custom Sentry 4 | Indicates a custom anomaly event with a severity level of 4. | 4 |
| Custom Sentry 5 | Indicates a custom anomaly event with a severity level of 5. | 5 |
| Custom Sentry 6 | Indicates a custom anomaly event with a severity level of 6. | 6 |
| Custom Sentry 7 | Indicates a custom anomaly event with a severity level of 7. | 7 |
| Custom Sentry 8 | Indicates a custom anomaly event with a severity level of 8. | 8 |
| Custom Sentry 9 | Indicates a custom anomaly event with a severity level of 9. | 9 |
| Custom Policy Low | Indicates a custom policy event with a low severity level. | 3 |
| Custom Policy Medium | Indicates a custom policy event with a medium severity level. | 5 |
| Custom Policy High | Indicates a custom policy event with a high severity level. | 7 |
| Custom Policy 1 | Indicates a custom policy event with a severity level of 1. | 1 |
| Custom Policy 2 | Indicates a custom policy event with a severity level of 2. | 2 |
| Custom Policy 3 | Indicates a custom policy event with a severity level of 3. | 3 |
| Custom Policy 4 | Indicates a custom policy event with a severity level of 4. | 4 |
| Custom Policy 5 | Indicates a custom policy event with a severity level of 5. | 5 |
| Custom Policy 6 | Indicates a custom policy event with a severity level of 6. | 6 |
| Custom Policy 7 | Indicates a custom policy event with a severity level of 7. | 7 |
| Custom Policy 8 | Indicates a custom policy event with a severity level of 8. | 8 |
| Custom Policy 9 | Indicates a custom policy event with a severity level of 9. | 9 |
| Custom User Low | Indicates a custom user event with a low severity level. | 3 |
| Custom User Medium | Indicates a custom user event with a medium severity level. | 5 |
| Custom User High | Indicates a custom user event with a high severity level. | 7 |
| Custom User 1 | Indicates a custom user event with a severity level of 1. | 1 |
| Custom User 2 | Indicates a custom user event with a severity level of 2. | 2 |
| Custom User 3 | Indicates a custom user event with a severity level of 3. | 3 |
| Custom User 4 | Indicates a custom user event with a severity level of 4. | 4 |
| Custom User 5 | Indicates a custom user event with a severity level of 5. | 5 |
| Custom User 6 | Indicates a custom user event with a severity level of 6. | 6 |
| Custom User 7 | Indicates a custom user event with a severity level of 7. | 7 |
| Custom User 8 | Indicates a custom user event with a severity level of 8. | 8 |
| Custom User 9 | Indicates a custom user event with a severity level of 9. | 9 |

SIM Audit
The SIM Audit category contains events that are related to user interaction with
the QRadar Console and administrative features.

The following table describes the low-level event categories and associated severity
levels for the SIM Audit category.
Table 73. Low-level categories and severity levels for the SIM Audit category

| Low-level event category | Description | Severity level (0 - 10) |
| --- | --- | --- |
| SIM User Authentication | Indicates a user login or logout on the Console. | 5 |
| SIM Configuration Change | Indicates that a user changed the SIM configuration or deployment. | 3 |
| SIM User Action | Indicates that a user initiated a process, such as starting a backup or generating a report, in the SIM module. | 3 |
| Session Created | Indicates that a user session was created. | 3 |
| Session Destroyed | Indicates that a user session was destroyed. | 3 |
| Admin Session Created | Indicates that an admin session was created. | |
| Admin Session Destroyed | Indicates that an admin session was destroyed. | 3 |
| Session Authentication Invalid | Indicates an invalid session authentication. | 5 |
| Session Authentication Expired | Indicates that a session authentication expired. | 3 |
| Risk Manager Configuration | Indicates that a user changed the IBM Security QRadar Risk Manager configuration. | 3 |

Application
The application category contains events that are related to application activity,
such as email or FTP activity.

The following table describes the low-level event categories and associated severity
levels for the application category.
Table 74. Low-level categories and severity levels for the application category

| Low-level event category | Description | Severity level (0 - 10) |
| --- | --- | --- |
| Mail Opened | Indicates that an email connection was established. | 1 |
| Mail Closed | Indicates that an email connection was closed. | 1 |
| Mail Reset | Indicates that an email connection was reset. | 3 |
| Mail Terminated | Indicates that an email connection was terminated. | 4 |
| Mail Denied | Indicates that an email connection was denied. | 4 |
| Mail in Progress | Indicates that an email connection is being attempted. | 1 |
| Mail Delayed | Indicates that an email connection was delayed. | 4 |
| Mail Queued | Indicates that an email connection was queued. | 3 |
| Mail Redirected | Indicates that an email connection was redirected. | 1 |
| FTP Opened | Indicates that an FTP connection was opened. | 1 |
| FTP Closed | Indicates that an FTP connection was closed. | 1 |
| FTP Reset | Indicates that an FTP connection was reset. | 3 |
| FTP Terminated | Indicates that an FTP connection was terminated. | 4 |
| FTP Denied | Indicates that an FTP connection was denied. | 4 |
| FTP In Progress | Indicates that an FTP connection is in progress. | 1 |
| FTP Redirected | Indicates that an FTP connection was redirected. | 3 |
| HTTP Opened | Indicates that an HTTP connection was established. | 1 |
| HTTP Closed | Indicates that an HTTP connection was closed. | 1 |
| HTTP Reset | Indicates that an HTTP connection was reset. | 3 |
| HTTP Terminated | Indicates that an HTTP connection was terminated. | 4 |
| HTTP Denied | Indicates that an HTTP connection was denied. | 4 |
| HTTP In Progress | Indicates that an HTTP connection is in progress. | 1 |
| HTTP Delayed | Indicates that an HTTP connection was delayed. | 3 |
| HTTP Queued | Indicates that an HTTP connection was queued. | 1 |
| HTTP Redirected | Indicates that an HTTP connection was redirected. | 1 |
| HTTP Proxy | Indicates that an HTTP connection is being proxied. | 1 |
| HTTPS Opened | Indicates that an HTTPS connection was established. | 1 |
| HTTPS Closed | Indicates that an HTTPS connection was closed. | 1 |
| HTTPS Reset | Indicates that an HTTPS connection was reset. | 3 |
| HTTPS Terminated | Indicates that an HTTPS connection was terminated. | 4 |
| HTTPS Denied | Indicates that an HTTPS connection was denied. | 4 |
| HTTPS In Progress | Indicates that an HTTPS connection is in progress. | 1 |
| HTTPS Delayed | Indicates that an HTTPS connection was delayed. | 3 |
| HTTPS Queued | Indicates that an HTTPS connection was queued. | 3 |
| HTTPS Redirected | Indicates that an HTTPS connection was redirected. | 3 |
| HTTPS Proxy | Indicates that an HTTPS connection is proxied. | 1 |
| SSH Opened | Indicates that an SSH connection was established. | 1 |
| SSH Closed | Indicates that an SSH connection was closed. | 1 |
| SSH Reset | Indicates that an SSH connection was reset. | 3 |
| SSH Terminated | Indicates that an SSH connection was terminated. | 4 |
| SSH Denied | Indicates that an SSH session was denied. | 4 |
| SSH In Progress | Indicates that an SSH session is in progress. | 1 |
| RemoteAccess Opened | Indicates that a remote access connection was established. | 1 |
| RemoteAccess Closed | Indicates that a remote access connection was closed. | 1 |
| RemoteAccess Reset | Indicates that a remote access connection was reset. | 3 |
| RemoteAccess Terminated | Indicates that a remote access connection was terminated. | 4 |
| RemoteAccess Denied | Indicates that a remote access connection was denied. | 4 |
| RemoteAccess In Progress | Indicates that a remote access connection is in progress. | 1 |
| RemoteAccess Delayed | Indicates that a remote access connection was delayed. | 3 |
| RemoteAccess Redirected | Indicates that a remote access connection was redirected. | 3 |
| VPN Opened | Indicates that a VPN connection was opened. | 1 |
| VPN Closed | Indicates that a VPN connection was closed. | 1 |
| VPN Reset | Indicates that a VPN connection was reset. | 3 |
| VPN Terminated | Indicates that a VPN connection was terminated. | 4 |
| VPN Denied | Indicates that a VPN connection was denied. | 4 |
| VPN In Progress | Indicates that a VPN connection is in progress. | 1 |
| VPN Delayed | Indicates that a VPN connection was delayed. | 3 |
| VPN Queued | Indicates that a VPN connection was queued. | 3 |
| VPN Redirected | Indicates that a VPN connection was redirected. | 3 |
| RDP Opened | Indicates that an RDP connection was established. | 1 |
| RDP Closed | Indicates that an RDP connection was closed. | 1 |
| RDP Reset | Indicates that an RDP connection was reset. | 3 |
| RDP Terminated | Indicates that an RDP connection was terminated. | 4 |
| RDP Denied | Indicates that an RDP connection was denied. | 4 |
| RDP In Progress | Indicates that an RDP connection is in progress. | 1 |
| RDP Redirected | Indicates that an RDP connection was redirected. | 3 |
| FileTransfer Opened | Indicates that a file transfer connection was established. | 1 |
| FileTransfer Closed | Indicates that a file transfer connection was closed. | 1 |
| FileTransfer Reset | Indicates that a file transfer connection was reset. | 3 |
| FileTransfer Terminated | Indicates that a file transfer connection was terminated. | 4 |
| FileTransfer Denied | Indicates that a file transfer connection was denied. | 4 |
| FileTransfer In Progress | Indicates that a file transfer connection is in progress. | 1 |
| FileTransfer Delayed | Indicates that a file transfer connection was delayed. | 3 |
| FileTransfer Queued | Indicates that a file transfer connection was queued. | 3 |
| FileTransfer Redirected | Indicates that a file transfer connection was redirected. | 3 |
| DNS Opened | Indicates that a DNS connection was established. | 1 |
| DNS Closed | Indicates that a DNS connection was closed. | 1 |
| DNS Reset | Indicates that a DNS connection was reset. | 5 |
| DNS Terminated | Indicates that a DNS connection was terminated. | 5 |
| DNS Denied | Indicates that a DNS connection was denied. | 5 |
| DNS In Progress | Indicates that a DNS connection is in progress. | 1 |
| DNS Delayed | Indicates that a DNS connection was delayed. | 5 |
| DNS Redirected | Indicates that a DNS connection was redirected. | 4 |
| Chat Opened | Indicates that a chat connection was opened. | 1 |
| Chat Closed | Indicates that a chat connection was closed. | 1 |
| Chat Reset | Indicates that a chat connection was reset. | 3 |
| Chat Terminated | Indicates that a chat connection was terminated. | 3 |
| Chat Denied | Indicates that a chat connection was denied. | 3 |
| Chat In Progress | Indicates that a chat connection is in progress. | 1 |
| Chat Redirected | Indicates that a chat connection was redirected. | 1 |
| Database Opened | Indicates that a database connection was established. | 1 |
| Database Closed | Indicates that a database connection was closed. | 1 |
| Database Reset | Indicates that a database connection was reset. | 5 |
| Database Terminated | Indicates that a database connection was terminated. | 5 |
| Database Denied | Indicates that a database connection was denied. | 5 |
| Database In Progress | Indicates that a database connection is in progress. | 1 |
| Database Redirected | Indicates that a database connection was redirected. | 3 |
| SMTP Opened | Indicates that an SMTP connection was established. | 1 |
| SMTP Closed | Indicates that an SMTP connection was closed. | 1 |
| SMTP Reset | Indicates that an SMTP connection was reset. | 3 |
| SMTP Terminated | Indicates that an SMTP connection was terminated. | 5 |
| SMTP Denied | Indicates that an SMTP connection was denied. | 5 |
| SMTP In Progress | Indicates that an SMTP connection is in progress. | 1 |
| SMTP Delayed | Indicates that an SMTP connection was delayed. | 3 |
| SMTP Queued | Indicates that an SMTP connection was queued. | 3 |
| SMTP Redirected | Indicates that an SMTP connection was redirected. | 3 |
| Auth Opened | Indicates that an authorization server connection was established. | 1 |
| Auth Closed | Indicates that an authorization server connection was closed. | 1 |
| Auth Reset | Indicates that an authorization server connection was reset. | 3 |
| Auth Terminated | Indicates that an authorization server connection was terminated. | 4 |
| Auth Denied | Indicates that an authorization server connection was denied. | 4 |
| Auth In Progress | Indicates that an authorization server connection is in progress. | 1 |
| Auth Delayed | Indicates that an authorization server connection was delayed. | 3 |
| Auth Queued | Indicates that an authorization server connection was queued. | 3 |
| Auth Redirected | Indicates that an authorization server connection was redirected. | 2 |
| P2P Opened | Indicates that a Peer-to-Peer (P2P) connection was established. | 1 |
| P2P Closed | Indicates that a P2P connection was closed. | 1 |
| P2P Reset | Indicates that a P2P connection was reset. | 4 |
| P2P Terminated | Indicates that a P2P connection was terminated. | 4 |
| P2P Denied | Indicates that a P2P connection was denied. | 3 |
| P2P In Progress | Indicates that a P2P connection is in progress. | 1 |
| Web Opened | Indicates that a web connection was established. | 1 |
| Web Closed | Indicates that a web connection was closed. | 1 |
| Web Reset | Indicates that a web connection was reset. | 4 |
| Web Terminated | Indicates that a web connection was terminated. | 4 |
| Web Denied | Indicates that a web connection was denied. | 4 |
| Web In Progress | Indicates that a web connection is in progress. | 1 |
| Web Delayed | Indicates that a web connection was delayed. | 3 |
| Web Queued | Indicates that a web connection was queued. | 1 |
| Web Redirected | Indicates that a web connection was redirected. | 1 |
| Web Proxy | Indicates that a web connection was proxied. | 1 |
| VoIP Opened | Indicates that a Voice Over IP (VoIP) connection was established. | 1 |
| VoIP Closed | Indicates that a VoIP connection was closed. | 1 |
| VoIP Reset | Indicates that a VoIP connection was reset. | 3 |
| VoIP Terminated | Indicates that a VoIP connection was terminated. | 3 |
| VoIP Denied | Indicates that a VoIP connection was denied. | 3 |
| VoIP In Progress | Indicates that a VoIP connection is in progress. | 1 |
| VoIP Delayed | Indicates that a VoIP connection was delayed. | 3 |
| VoIP Redirected | Indicates that a VoIP connection was redirected. | 3 |
| LDAP Session Started | Indicates that an LDAP session started. | 1 |
| LDAP Session Ended | Indicates that an LDAP session ended. | 1 |
| LDAP Session Denied | Indicates that an LDAP session was denied. | 3 |
| LDAP Session Status | Indicates that an LDAP session status message was reported. | 1 |
| LDAP Authentication Failed | Indicates that an LDAP authentication failed. | 4 |
| LDAP Authentication Succeeded | Indicates that an LDAP authentication was successful. | 1 |
| AAA Session Started | Indicates that an Authentication, Authorization, and Accounting (AAA) session started. | 1 |
| AAA Session Ended | Indicates that an AAA session ended. | 1 |
| AAA Session Denied | Indicates that an AAA session was denied. | 3 |
| AAA Session Status | Indicates that an AAA session status message was reported. | 1 |
| AAA Authentication Failed | Indicates that an AAA authentication failed. | 4 |
| AAA Authentication Succeeded | Indicates that an AAA authentication was successful. | 1 |
| IPSEC Authentication Failed | Indicates that an Internet Protocol Security (IPSEC) authentication failed. | 4 |
| IPSEC Authentication Succeeded | Indicates that an IPSEC authentication was successful. | 1 |
| IPSEC Session Started | Indicates that an IPSEC session started. | 1 |
| IPSEC Session Ended | Indicates that an IPSEC session ended. | 1 |
| IPSEC Error | Indicates that an IPSEC error message was reported. | 5 |
| IPSEC Status | Indicates that an IPSEC session status message was reported. | 1 |
| IM Session Opened | Indicates that an Instant Messenger (IM) session was established. | 1 |
| IM Session Closed | Indicates that an IM session was closed. | 1 |
| IM Session Reset | Indicates that an IM session was reset. | 3 |
| IM Session Terminated | Indicates that an IM session was terminated. | 3 |
| IM Session Denied | Indicates that an IM session was denied. | 3 |
| IM Session In Progress | Indicates that an IM session is in progress. | 1 |
| IM Session Delayed | Indicates that an IM session was delayed. | 3 |
| IM Session Redirected | Indicates that an IM session was redirected. | 3 |
| WHOIS Session Opened | Indicates that a WHOIS session was established. | 1 |
| WHOIS Session Closed | Indicates that a WHOIS session was closed. | 1 |
| WHOIS Session Reset | Indicates that a WHOIS session was reset. | 3 |
| WHOIS Session Terminated | Indicates that a WHOIS session was terminated. | 3 |
| WHOIS Session Denied | Indicates that a WHOIS session was denied. | 3 |
| WHOIS Session In Progress | Indicates that a WHOIS session is in progress. | 1 |
WHOIS Session Redirected Indicates that a WHOIS 3
session was redirected.
Traceroute Session Opened Indicates that a Traceroute 1
session was established.
Traceroute Session Closed Indicates that a Traceroute 1
session was closed.
Traceroute Session Denied Indicates that a Traceroute 3
session was denied.
Traceroute Session In Indicates that a Traceroute 1
Progress session is in progress.

186 QRadar Log Manager Administration Guide


Table 74. Low-level categories and severity levels for the application category (continued)
Low-level event category Description Severity level (0 - 10)
TN3270 Session Opened TN3270 is a terminal 1
emulation program, which is
used to connect to an IBM
3270 terminal. This category
indicates that a TN3270
session was established.
TN3270 Session Closed Indicates that a TN3270 1
session was closed.
TN3270 Session Reset Indicates that a TN3270 3
session was reset.
TN3270 Session Terminated Indicates that a TN3270 3
session was terminated.
TN3270 Session Denied Indicates that a TN3270 3
session was denied.
TN3270 Session In Progress Indicates that a TN3270 1
session is in progress.
TFTP Session Opened Indicates that a TFTP session 1
was established.
TFTP Session Closed Indicates that a TFTP session 1
was closed.
TFTP Session Reset Indicates that a TFTP session 3
was reset.
TFTP Session Terminated Indicates that a TFTP session 3
was terminated.
TFTP Session Denied Indicates that a TFTP session 3
was denied.
TFTP Session In Progress Indicates that a TFTP session 1
is in progress.
Telnet Session Opened Indicates that a Telnet 1
session was established.
Telnet Session Closed Indicates that a Telnet 1
session was closed.
Telnet Session Reset Indicates that a Telnet 3
session was reset.
Telnet Session Terminated Indicates that a Telnet 3
session was terminated.
Telnet Session Denied Indicates that a Telnet 3
session was denied.
Telnet Session In Progress Indicates that a Telnet 1
session is in progress.
Syslog Session Opened Indicates that a syslog 1
session was established.
Syslog Session Closed Indicates that a syslog 1
session was closed.
Syslog Session Denied Indicates that a syslog 3
session was denied.
Syslog Session In Progress Indicates that a syslog 1
session is in progress.

Chapter 14. Event categories 187


Table 74. Low-level categories and severity levels for the application category (continued)
Low-level event category Description Severity level (0 - 10)
SSL Session Opened Indicates that a Secure Socket 1
Layer (SSL) session was
established.
SSL Session Closed Indicates that an SSL session 1
was closed.
SSL Session Reset Indicates that an SSL session 3
was reset.
SSL Session Terminated Indicates that an SSL session 3
was terminated.
SSL Session Denied Indicates that an SSL session 3
was denied.
SSL Session In Progress Indicates that an SSL session 1
is in progress.
SNMP Session Opened Indicates that a Simple 1
Network Management
Protocol (SNMP) session was
established.
SNMP Session Closed Indicates that an SNMP 1
session was closed.
SNMP Session Denied Indicates that an SNMP 3
session was denied.
SNMP Session In Progress Indicates that an SNMP 1
session is in progress.
SMB Session Opened Indicates that a Server 1
Message Block (SMB) session
was established.
SMB Session Closed Indicates that an SMB 1
session was closed.
SMB Session Reset Indicates that an SMB 3
session was reset.
SMB Session Terminated Indicates that an SMB 3
session was terminated.
SMB Session Denied Indicates that an SMB 3
session was denied.
SMB Session In Progress Indicates that an SMB 1
session is in progress.
Streaming Media Session Indicates that a Streaming 1
Opened Media session was
established.
Streaming Media Session Indicates that a Streaming 1
Closed Media session was closed.
Streaming Media Session Indicates that a Streaming 3
Reset Media session was reset.
Streaming Media Session Indicates that a Streaming 3
Terminated Media session was
terminated.
Streaming Media Session Indicates that a Streaming 3
Denied Media session was denied.

188 QRadar Log Manager Administration Guide


Table 74. Low-level categories and severity levels for the application category (continued)
Low-level event category Description Severity level (0 - 10)
Streaming Media Session In Indicates that a Streaming 1
Progress Media session is in progress.
RUSERS Session Opened Indicates that a (Remote 1
Users) RUSERS session was
established.
RUSERS Session Closed Indicates that a RUSERS 1
session was closed.
RUSERS Session Denied Indicates that a RUSERS 3
session was denied.
RUSERS Session In Progress Indicates that a RUSERS 1
session is in progress.
Rsh Session Opened Indicates that a remote shell 1
(rsh) session was established.
Rsh Session Closed Indicates that an rsh session 1
was closed.
Rsh Session Reset Indicates that an rsh session 3
was reset.
Rsh Session Terminated Indicates that an rsh session 3
was terminated.
Rsh Session Denied Indicates that an rsh session 3
was denied.
Rsh Session In Progress Indicates that an rsh session 1
is in progress.
RLOGIN Session Opened Indicates that a Remote 1
Login (RLOGIN) session was
established.
RLOGIN Session Closed Indicates that an RLOGIN 1
session was closed.
RLOGIN Session Reset Indicates that an RLOGIN 3
session was reset.
RLOGIN Session Terminated Indicates that an RLOGIN 3
session was terminated.
RLOGIN Session Denied Indicates that an RLOGIN 3
session was denied.
RLOGIN Session In Progress Indicates that an RLOGIN 1
session is in progress.
REXEC Session Opened Indicates that a (Remote 1
Execution) REXEC session
was established.
REXEC Session Closed Indicates that an REXEC 1
session was closed.
REXEC Session Reset Indicates that an REXEC 3
session was reset.
REXEC Session Terminated Indicates that an REXEC 3
session was terminated.
REXEC Session Denied Indicates that an REXEC 3
session was denied.

Chapter 14. Event categories 189


Table 74. Low-level categories and severity levels for the application category (continued)
Low-level event category Description Severity level (0 - 10)
REXEC Session In Progress Indicates that an REXEC 1
session is in progress.
RPC Session Opened Indicates that a Remote 1
Procedure Call (RPC) session
was established.
RPC Session Closed Indicates that an RPC session 1
was closed.
RPC Session Reset Indicates that an RPC session 3
was reset.
RPC Session Terminated Indicates that an RPC session 3
was terminated.
RPC Session Denied Indicates that an RPC session 3
was denied.
RPC Session In Progress Indicates that an RPC session 1
is in progress.
NTP Session Opened Indicates that a Network 1
Time Protocol (NTP) session
was established.
NTP Session Closed Indicates that an NTP session 1
was closed.
NTP Session Reset Indicates that an NTP session 3
was reset.
NTP Session Terminated Indicates that an NTP session 3
was terminated.
NTP Session Denied Indicates that an NTP session 3
was denied.
NTP Session In Progress Indicates that an NTP session 1
is in progress.
NNTP Session Opened Indicates that a Network 1
News Transfer Protocol
(NNTP) session was
established.
NNTP Session Closed Indicates that an NNTP 1
session was closed.
NNTP Session Reset Indicates that an NNTP 3
session was reset.
NNTP Session Terminated Indicates that an NNTP 3
session was terminated.
NNTP Session Denied Indicates that an NNTP 3
session was denied.
NNTP Session In Progress Indicates that an NNTP 1
session is in progress.
NFS Session Opened Indicates that a Network File 1
System (NFS) session was
established.
NFS Session Closed Indicates that an NFS session 1
was closed.

190 QRadar Log Manager Administration Guide


Table 74. Low-level categories and severity levels for the application category (continued)
Low-level event category Description Severity level (0 - 10)
NFS Session Reset Indicates that an NFS session 3
was reset.
NFS Session Terminated Indicates that an NFS session 3
was terminated.
NFS Session Denied Indicates that an NFS session 3
was denied.
NFS Session In Progress Indicates that an NFS session 1
is in progress.
NCP Session Opened Indicates that a Network 1
Control Program (NCP)
session was established.
NCP Session Closed Indicates that an NCP 1
session was closed.
NCP Session Reset Indicates that an NCP 3
session was reset.
NCP Session Terminated Indicates that an NCP 3
session was terminated.
NCP Session Denied Indicates that an NCP 3
session was denied.
NCP Session In Progress Indicates that an NCP 1
session is in progress.
NetBIOS Session Opened Indicates that a NetBIOS 1
session was established.
NetBIOS Session Closed Indicates that a NetBIOS 1
session was closed.
NetBIOS Session Reset Indicates that a NetBIOS 3
session was reset.
NetBIOS Session Terminated Indicates that a NetBIOS 3
session was terminated.
NetBIOS Session Denied Indicates that a NetBIOS 3
session was denied.
NetBIOS Session In Progress Indicates that a NetBIOS 1
session is in progress.
MODBUS Session Opened Indicates that a MODBUS 1
session was established.
MODBUS Session Closed Indicates that a MODBUS 1
session was closed.
MODBUS Session Reset Indicates that a MODBUS 3
session was reset.
MODBUS Session Indicates that a MODBUS 3
Terminated session was terminated.
MODBUS Session Denied Indicates that a MODBUS 3
session was denied.
MODBUS Session In Indicates that a MODBUS 1
Progress session is in progress.
LPD Session Opened Indicates that a Line Printer 1
Daemon (LPD) session was
established.

Chapter 14. Event categories 191


Table 74. Low-level categories and severity levels for the application category (continued)
Low-level event category Description Severity level (0 - 10)
LPD Session Closed Indicates that an LPD session 1
was closed.
LPD Session Reset Indicates that an LPD session 3
was reset.
LPD Session Terminated Indicates that an LPD session 3
was terminated.
LPD Session Denied Indicates that an LPD session 3
was denied.
LPD Session In Progress Indicates that an LPD session 1
is in progress.
Lotus Notes® Session Indicates that a Lotus Notes 1
Opened session was established.
Lotus Notes Session Closed Indicates that a Lotus Notes 1
session was closed.
Lotus Notes Session Reset Indicates that a Lotus Notes 3
session was reset.
Lotus Notes Session Indicates that a Lotus Notes 3
Terminated session was terminated.
Lotus Notes Session Denied Indicates that a Lotus Notes 3
session was denied.
Lotus Notes Session In Indicates that a Lotus Notes 1
Progress session is in progress.
Kerberos Session Opened Indicates that a Kerberos 1
session was established.
Kerberos Session Closed Indicates that a Kerberos 1
session was closed.
Kerberos Session Reset Indicates that a Kerberos 3
session was reset.
Kerberos Session Terminated Indicates that a Kerberos 3
session was terminated.
Kerberos Session Denied Indicates that a Kerberos 3
session was denied.
Kerberos Session In Progress Indicates that a Kerberos 1
session is in progress.
IRC Session Opened Indicates that an Internet 1
Relay Chat (IRC) session was
established.
IRC Session Closed Indicates that an IRC session 1
was closed.
IRC Session Reset Indicates that an IRC session 3
was reset.
IRC Session Terminated Indicates that an IRC session 3
was terminated.
IRC Session Denied Indicates that an IRC session 3
was denied.
IRC Session In Progress Indicates that an IRC session 1
is in progress.

192 QRadar Log Manager Administration Guide


Table 74. Low-level categories and severity levels for the application category (continued)
Low-level event category Description Severity level (0 - 10)
IEC 104 Session Opened Indicates that an IEC 104 1
session was established.
IEC 104 Session Closed Indicates that an IEC 104 1
session was closed.
IEC 104 Session Reset Indicates that an IEC 104 3
session was reset.
IEC 104 Session Terminated Indicates that an IEC 104 3
session was terminated.
IEC 104 Session Denied Indicates that an IEC 104 3
session was denied.
IEC 104 Session In Progress Indicates that an IEC 104 1
session is in progress.
Ident Session Opened Indicates that a TCP Client 1
Identity Protocol (Ident)
session was established.
Ident Session Closed Indicates that an Ident 1
session was closed.
Ident Session Reset Indicates that an Ident 3
session was reset.
Ident Session Terminated Indicates that an Ident 3
session was terminated.
Ident Session Denied Indicates that an Ident 3
session was denied.
Ident Session In Progress Indicates that an Ident 1
session is in progress.
ICCP Session Opened Indicates that an 1
Inter-Control Center
Communications Protocol
(ICCP) session was
established.
ICCP Session Closed Indicates that an ICCP 1
session was closed.
ICCP Session Reset Indicates that an ICCP 3
session was reset.
ICCP Session Terminated Indicates that an ICCP 3
session was terminated.
ICCP Session Denied Indicates that an ICCP 3
session was denied.
ICCP Session In Progress Indicates that an ICCP 1
session is in progress.
GroupWiseSession Opened Indicates that a 1
GroupWisesession was
established.
GroupWiseSession Closed Indicates that a GroupWise 1
session was closed.
GroupWiseSession Reset Indicates that a 3
GroupWisesession was reset.

Chapter 14. Event categories 193


Table 74. Low-level categories and severity levels for the application category (continued)
Low-level event category Description Severity level (0 - 10)
GroupWiseSession Indicates that a 3
Terminated GroupWisesession was
terminated.
GroupWiseSession Denied Indicates that a GroupWise 3
session was denied.
GroupWiseSession In Indicates that a GroupWise 1
Progress session is in progress.
Gopher Session Opened Indicates that a Gopher 1
session was established.
Gopher Session Closed Indicates that a Gopher 1
session was closed.
Gopher Session Reset Indicates that a Gopher 3
session was reset.
Gopher Session Terminated Indicates that a Gopher 3
session was terminated.
Gopher Session Denied Indicates that a Gopher 3
session was denied.
Gopher Session In Progress Indicates that a Gopher 1
session is in progress.
GIOP Session Opened Indicates that a General 1
Inter-ORB Protocol (GIOP)
session was established.
GIOP Session Closed Indicates that a GIOP session 1
was closed.
GIOP Session Reset Indicates that a GIOP session 3
was reset.
GIOP Session Terminated Indicates that a GIOP session 3
was terminated.
GIOP Session Denied Indicates that a GIOP session 3
was denied.
GIOP Session In Progress Indicates that a GIOP session 1
is in progress.
Finger Session Opened Indicates that a Finger 1
session was established.
Finger Session Closed Indicates that a Finger 1
session was closed.
Finger Session Reset Indicates that a Finger 3
session was reset.
Finger Session Terminated Indicates that a Finger 3
session was terminated.
Finger Session Denied Indicates that a Finger 3
session was denied.
Finger Session In Progress Indicates that a Finger 1
session is in progress.
Echo Session Opened Indicates that an Echo 1
session was established.
Echo Session Closed Indicates that an Echo 1
session was closed.

194 QRadar Log Manager Administration Guide


Table 74. Low-level categories and severity levels for the application category (continued)
Low-level event category Description Severity level (0 - 10)
Echo Session Denied Indicates that an Echo 3
session was denied.
Echo Session In Progress Indicates that an Echo 1
session is in progress.
Remote .NET Session Indicates that a Remote .NET 1
Opened session was established.
Remote .NET Session Closed Indicates that a Remote .NET 1
session was closed.
Remote .NET Session Reset Indicates that a Remote .NET 3
session was reset.
Remote .NET Session Indicates that a Remote .NET 3
Terminated session was terminated.
Remote .NET Session Denied Indicates that a Remote .NET 3
session was denied.
Remote .NET Session In Indicates that a Remote .NET 1
Progress session is in progress.
DNP3 Session Opened Indicates that a Distributed 1
Network Proctologic (DNP3)
session was established.
DNP3 Session Closed Indicates that a DNP3 1
session was closed.
DNP3 Session Reset Indicates that a DNP3 3
session was reset.
DNP3 Session Terminated Indicates that a DNP3 3
session was terminated.
DNP3 Session Denied Indicates that a DNP3 3
session was denied.
DNP3 Session In Progress Indicates that a DNP3 1
session is in progress.
Discard Session Opened Indicates that a Discard 1
session was established.
Discard Session Closed Indicates that a Discard 1
session was closed.
Discard Session Reset Indicates that a Discard 3
session was reset.
Discard Session Terminated Indicates that a Discard 3
session was terminated.
Discard Session Denied Indicates that a Discard 3
session was denied.
Discard Session In Progress Indicates that a Discard 1
session is in progress.
DHCP Session Opened Indicates that a Dynamic 1
Host Configuration Protocol
(DHCP) session was
established.
DHCP Session Closed Indicates that a DHCP 1
session was closed.

Chapter 14. Event categories 195


Table 74. Low-level categories and severity levels for the application category (continued)
Low-level event category Description Severity level (0 - 10)
DHCP Session Denied Indicates that a DHCP 3
session was denied.
DHCP Session In Progress Indicates that a DHCP 1
session is in progress.
DHCP Success Indicates that a DHCP lease 1
was successfully obtained
DHCP Failure Indicates that a DHCP lease 3
cannot be obtained.
CVS Session Opened Indicates that a Concurrent 1
Versions System (CVS)
session was established.
CVS Session Closed Indicates that a CVS session 1
was closed.
CVS Session Reset Indicates that a CVS session 3
was reset.
CVS Session Terminated Indicates that a CVS session 3
was terminated.
CVS Session Denied Indicates that a CVS session 3
was denied.
CVS Session In Progress Indicates that a CVS session 1
is in progress.
CUPS Session Opened Indicates that a Common 1
UNIX Printing System
(CUPS) session was
established.
CUPS Session Closed Indicates that a CUPS session 1
was closed.
CUPS Session Reset Indicates that a CUPS session 3
was reset.
CUPS Session Terminated Indicates that a CUPS session 3
was terminated.
CUPS Session Denied Indicates that a CUPS session 3
was denied.
CUPS Session In Progress Indicates that a CUPS session 1
is in progress.
Chargen Session Started Indicates that a Character 1
Generator (Chargen) session
was started.
Chargen Session Closed Indicates that a Chargen 1
session was closed.
Chargen Session Reset Indicates that a Chargen 3
session was reset.
Chargen Session Terminated Indicates that a Chargen 3
session was terminated.
Chargen Session Denied Indicates that a Chargen 3
session was denied.
Chargen Session In Progress Indicates that a Chargen 1
session is in progress.

196 QRadar Log Manager Administration Guide


Table 74. Low-level categories and severity levels for the application category (continued)
Low-level event category Description Severity level (0 - 10)
Misc VPN Indicates that a 1
miscellaneous VPN session
was detected
DAP Session Started Indicates that a DAP session 1
was established.
DAP Session Ended Indicates that a DAP session 1
ended.
DAP Session Denied Indicates that a DAP session 3
was denied.
DAP Session Status Indicates that a DAP session 1
status request was made.
DAP Session in Progress Indicates that a DAP session 1
is in progress.
DAP Authentication Failed Indicates that a DAP 4
authentication failed.
DAP Authentication Indicates that DAP 1
Succeeded authentication succeeded.
TOR Session Started Indicates that a TOR session 1
was established.
TOR Session Closed Indicates that a TOR session 1
was closed.
TOR Session Reset Indicates that a TOR session 3
was reset.
TOR Session Terminated Indicates that a TOR session 3
was terminated.
TOR Session Denied Indicates that a TOR session 3
was denied.
TOR Session In Progress Indicates that a TOR session 1
is in progress.
Game Session Started Indicates that a game session 1
was started.
Game Session Closed Indicates that a game session 1
was closed.
Game Session Reset Indicates that a game session 3
was reset.
Game Session Terminated Indicates that a game session 3
was terminated.
Game Session Denied Indicates that a game session 3
was denied.
Game Session In Progress Indicates that a game session 1
is in progress.
Admin Login Attempt Indicates that an attempt to 2
log in as an administrative
user was detected.
User Login Attempt Indicates that an attempt to 2
log in as a
non-administrative user was
detected.

Chapter 14. Event categories 197


Table 74. Low-level categories and severity levels for the application category (continued)
Low-level event category Description Severity level (0 - 10)
Client Server Indicates client/server 1
activity.
Content Delivery Indicates content delivery 1
activity.
Data Transfer Indicates a data transfer. 3
Data Warehousing Indicates data warehousing 3
activity.
Directory Services Indicates directory service 2
activity.
File Print Indicates file print activity. 1
File Transfer Indicates file transfer. 2
Games Indicates game activity. 4
Healthcare Indicates healthcare activity. 1
Inner System Indicates inner system 1
activity.
Internet Protocol Indicates Internet Protocol 1
activity.
Legacy Indicates legacy activity. 1
Mail Indicates mail activity. 1
Misc Indicates miscellaneous 2
activity.
Multimedia Indicates multimedia activity. 2
Network Management Indicates network
management activity.
P2P Indicates Peer-to-Peer (P2P) 4
activity.
Remote Access Indicates Remote Access 3
activity.
Routing Protocols Indicates routing protocol 1
activity.
Security Protocols Indicates security protocol 2
activity.
Streaming Indicates streaming activity. 2
Uncommon Protocol Indicates uncommon 3
protocol activity.
VoIP Indicates VoIP activity. 1
Web Indicates web activity. 1
ICMP Indicates ICMP activity 1

Audit
The audit category contains events that are related to audit activity, such as email
or FTP activity.

The following table describes the low-level event categories and associated severity
levels for the audit category.
Table 75. Low-level categories and severity levels for the audit category
Low-level event category    Description    Severity level (0 - 10)
General Audit Event    Indicates that a general audit event was started.    1
Built-in Execution    Indicates that a built-in audit task was run.    1
Bulk Copy    Indicates that a bulk copy of data was detected.    1
Data Dump    Indicates that a data dump was detected.    1
Data Import    Indicates that a data import was detected.    1
Data Selection    Indicates that a data selection process was detected.    1
Data Truncation    Indicates that the data truncation process was detected.    1
Data Update    Indicates that the data update process was detected.    1
Procedure/Trigger Execution    Indicates that the database procedure or trigger execution was detected.    1
Schema Change    Indicates that the schema for a procedure or trigger execution was altered.    1

Control
The control category contains events that are related to your hardware system.

The following table describes the low-level event categories and associated severity
levels for the control category.
Table 76. Low-level categories and severity levels for the control category
Low-level event category    Description    Severity level (0 - 10)
Device Read    Indicates that a device was read.    1
Device Communication    Indicates communication with a device.    1
Device Audit    Indicates that a device audit occurred.    1
Device Event    Indicates that a device event occurred.    1
Device Ping    Indicates that a ping action to a device occurred.    1
Device Configuration    Indicates that a device was configured.    1
Device Route    Indicates that a device route action occurred.    1
Device Import    Indicates that a device import occurred.    1
Device Information    Indicates that a device information action occurred.    1
Device Warning    Indicates that a warning was generated on a device.    1
Device Error    Indicates that an error was generated on a device.    1
Relay Event    Indicates a relay event.    1
NIC Event    Indicates a Network Interface Card (NIC) event.    1
UIQ Event    Indicates an event on a mobile device.    1
IMU Event    Indicates an event on an Integrated Management Unit (IMU).    1
Billing Event    Indicates a billing event.    1
DBMS Event    Indicates an event on the Database Management System (DBMS).    1
Import Event    Indicates that an import occurred.    1
Location Import    Indicates that a location import occurred.    1
Route Import    Indicates that a route import occurred.    1
Export Event    Indicates that an export occurred.    1
Remote Signalling    Indicates remote signaling.    1
Gateway Status    Indicates gateway status.    1
Job Event    Indicates that a job occurred.    1
Security Event    Indicates that a security event occurred.    1
Device Tamper Detection    Indicates that the system detected a tamper action.    1
Time Event    Indicates that a time event occurred.    1
Suspicious Behavior    Indicates that suspicious behavior occurred.    1
Power Outage    Indicates that a power outage occurred.    1
Power Restoration    Indicates that power was restored.    1
Heartbeat    Indicates that a heartbeat ping occurred.    1
Remote Connection Event    Indicates a remote connection to the system.    1

Asset Profiler
The asset profiler category contains events that are related to asset profiles.

The following table describes the low-level event categories and associated severity
levels for the asset profiler category.
Table 77. Low-level categories and severity levels for the asset profiler category
Low-level event category Description Severity level (0 - 10)
Asset Created Indicates that an asset was 1
created.
Asset Updated Indicates that an asset was 1
updated.
Asset Observed Indicates that an asset was 1
observed.
Asset Moved Indicates that an asset was 1
moved.
Asset Deleted Indicates that an asset was 1
deleted.
Asset Hostname Cleaned Indicates that a host name 1
was cleaned.
Asset Hostname Created Indicates that a host name 1
was created.
Asset Hostname Updated Indicates that a host name 1
was updated.
Asset Hostname Observed Indicates that a host name 1
was observed.
Asset Hostname Moved Indicates that a host name 1
was moved.
Asset Hostname Deleted Indicates that a host name 1
was deleted.
Asset Port Cleaned Indicates that a port was 1
cleaned.
Asset Port Created Indicates that a port was 1
created.
Asset Port Updated Indicates that a port was 1
updated.
Asset Port Observed Indicates that a port was 1
observed.
Asset Port Moved Indicates that a port was 1
moved.
Asset Port Deleted Indicates that a port was 1
deleted.
Asset Vuln Instance Cleaned Indicates that a vulnerability 1
instance was cleaned.

Chapter 14. Event categories 201


Table 77. Low-level categories and severity levels for the asset profiler category (continued)
Low-level event category Description Severity level (0 - 10)
Asset Vuln Instance Created Indicates that a vulnerability 1
instance was created.
Asset Vuln Instance Updated Indicates that a vulnerability 1
instance was updated.
Asset Vuln Instance Indicates that a vulnerability 1
Observed instance was observed.
Asset Vuln Instance Moved Indicates that a vulnerability 1
instance was moved.
Asset Vuln Instance Deleted Indicates that a vulnerability 1
instance was deleted.
Asset OS Cleaned Indicates that an operating 1
system was cleaned.
Asset OS Created Indicates that an operating 1
system was created.
Asset OS Updated Indicates that an operating 1
system was updated.
Asset OS Observed Indicates that an operating 1
system was observed.
Asset OS Moved Indicates that an operating 1
system was moved.
Asset OS Deleted Indicates that an operating 1
system was deleted.
Asset Property Cleaned Indicates that a property was 1
cleaned.
Asset Property Created Indicates that a property was 1
created.
Asset Property Updated Indicates that a property was 1
updated.
Asset Property Observed Indicates that a property was 1
observed.
Asset Property Moved Indicates that a property was 1
moved.
Asset Property Deleted Indicates that a property was 1
moved.
Asset IP Address Cleaned Indicates that an IP address 1
was cleaned.
Asset IP Address Created Indicates that an IP address 1
was created.
Asset IP Address Updated Indicates that an IP address 1
was updated.
Asset IP Address Observed Indicates that an IP address 1
was observed.
Asset IP Address Moved Indicates that an IP address 1
was moved.
Asset IP Address Deleted Indicates that an IP address 1
was deleted.

202 QRadar Log Manager Administration Guide


Table 77. Low-level categories and severity levels for the asset profiler category (continued)
Low-level event category | Description | Severity level (0 - 10)
Asset Interface Cleaned | Indicates that an interface was cleaned. | 1
Asset Interface Created | Indicates that an interface was created. | 1
Asset Interface Updated | Indicates that an interface was updated. | 1
Asset Interface Observed | Indicates that an interface was observed. | 1
Asset Interface Moved | Indicates that an interface was moved. | 1
Asset Interface Merged | Indicates that an interface was merged. | 1
Asset Interface Deleted | Indicates that an interface was deleted. | 1
Asset User Cleaned | Indicates that a user was cleaned. | 1
Asset User Observed | Indicates that a user was observed. | 1
Asset User Moved | Indicates that a user was moved. | 1
Asset User Deleted | Indicates that a user was deleted. | 1
Asset Scanned Policy Cleaned | Indicates that a scanned policy was cleaned. | 1
Asset Scanned Policy Observed | Indicates that a scanned policy was observed. | 1
Asset Scanned Policy Moved | Indicates that a scanned policy was moved. | 1
Asset Scanned Policy Deleted | Indicates that a scanned policy was deleted. | 1
Asset Windows Application Cleaned | Indicates that a Windows application was cleaned. | 1
Asset Windows Application Observed | Indicates that a Windows application was observed. | 1
Asset Windows Application Moved | Indicates that a Windows application was moved. | 1
Asset Windows Application Deleted | Indicates that a Windows application was deleted. | 1
Asset Scanned Service Cleaned | Indicates that a scanned service was cleaned. | 1
Asset Scanned Service Observed | Indicates that a scanned service was observed. | 1
Asset Scanned Service Moved | Indicates that a scanned service was moved. | 1
Asset Scanned Service Deleted | Indicates that a scanned service was deleted. | 1

Asset Windows Patch Cleaned | Indicates that a Windows patch was cleaned. | 1
Asset Windows Patch Observed | Indicates that a Windows patch was observed. | 1
Asset Windows Patch Moved | Indicates that a Windows patch was moved. | 1
Asset Windows Patch Deleted | Indicates that a Windows patch was deleted. | 1
Asset UNIX Patch Cleaned | Indicates that a UNIX patch was cleaned. | 1
Asset UNIX Patch Observed | Indicates that a UNIX patch was observed. | 1
Asset UNIX Patch Moved | Indicates that a UNIX patch was moved. | 1
Asset UNIX Patch Deleted | Indicates that a UNIX patch was deleted. | 1
Asset Patch Scan Cleaned | Indicates that a patch scan was cleaned. | 1
Asset Patch Scan Created | Indicates that a patch scan was created. | 1
Asset Patch Scan Moved | Indicates that a patch scan was moved. | 1
Asset Patch Scan Deleted | Indicates that a patch scan was deleted. | 1
Asset Port Scan Cleaned | Indicates that a port scan was cleaned. | 1
Asset Port Scan Created | Indicates that a port scan was created. | 1
Asset Port Scan Moved | Indicates that a port scan was moved. | 1
Asset Port Scan Deleted | Indicates that a port scan was deleted. | 1
Asset Client Application Cleaned | Indicates that a client application was cleaned. | 1
Asset Client Application Observed | Indicates that a client application was observed. | 1
Asset Client Application Moved | Indicates that a client application was moved. | 1
Asset Client Application Deleted | Indicates that a client application was deleted. | 1
Asset Patch Scan Observed | Indicates that a patch scan was observed. | 1
Asset Port Scan Observed | Indicates that a port scan was observed. | 1



Chapter 15. Ports used by QRadar
Review the common ports that are used by IBM Security QRadar, services, and
components.

For example, you can determine the ports that must be opened for the QRadar
Console to communicate with remote Event Processors.

Ports and iptables

The listen ports for QRadar are valid only when iptables is enabled on your
QRadar system.

SSH communication on port 22

All the ports that are described in the following table can be tunneled, by encryption,
through port 22 over SSH. Managed hosts that use encryption can establish
multiple bidirectional SSH sessions to communicate securely. These SSH sessions
are initiated from the managed host to provide data to the host that needs the data
in the deployment. For example, Event Processor appliances can initiate multiple
SSH sessions to the QRadar Console for secure communication. This
communication can include tunneled ports over SSH, such as HTTPS data for port
443 and Ariel query data for port 32006. QRadar QFlow Collectors that use
encryption can initiate SSH sessions to Flow Processor appliances that require data.

QRadar ports

Unless otherwise noted, information about the assigned port number, descriptions,
protocols, and the signaling direction for the port applies to all IBM Security
QRadar products.

The following table lists the ports, protocols, communication direction, description,
and the reason that the port is used.

© Copyright IBM Corp. 2007, 2013 205


Table 78. Listening ports that are used by QRadar, services, and components
Columns: Port, Description, Protocol, Direction, Requirement

Port 22 (SSH, TCP)
  Direction: Bidirectional from the QRadar Console to all other components.
  Requirement:
    - Remote management access
    - Adding a remote system as a managed host
    - Log source protocols to retrieve files from external devices, for example the log file protocol
    - Users who use the command-line interface to communicate from desktops to the Console
    - High-availability (HA)

Port 25 (SMTP, TCP)
  Direction: From all managed hosts to the SMTP gateway.
  Requirement:
    - Emails from QRadar to an SMTP gateway
    - Delivery of error and warning email messages to an administrative email contact

Port 37 (rdate (time), UDP/TCP)
  Direction:
    - All systems to the QRadar Console
    - QRadar Console to the NTP or rdate server
  Requirement: Time synchronization between the QRadar Console and managed hosts.

Port 80 (Apache/HTTPS, TCP)
  Direction:
    - Users that connect to the QRadar Console
    - Users that connect to the QRadar Deployment Editor
  Requirement:
    - Communication and downloads from the QRadar Console to desktops
    - The Deployment Editor application to download and show deployment information

Port 111 (Port mapper, TCP/UDP)
  Direction:
    - Managed hosts that communicate to the QRadar Console
    - Users that connect to the QRadar Console
  Requirement: Remote Procedure Calls (RPC) for required services, such as Network File System (NFS).

Port 135 and dynamically allocated ports above 1024 for RPC calls (DCOM, TCP)
  Direction:
    - WinCollect agents and Windows operating systems that are remotely polled for events
    - Bidirectional traffic between QRadar Console components or Event Collectors that use the Microsoft Security Event Log Protocol and Windows operating systems that are remotely polled for events
    - Bidirectional traffic between Adaptive Log Exporter agents and Windows operating systems that are remotely polled for events
  Requirement: This traffic is generated by WinCollect, Microsoft Security Event Log Protocol, or Adaptive Log Exporter.
  Note: DCOM typically allocates a random port range for communication. You can configure Microsoft Windows products to use a specific port. For more information, see your Microsoft Windows documentation.

Port 137 (Windows NetBIOS name service, UDP)
  Direction:
    - Bidirectional traffic between WinCollect agents and Windows operating systems that are remotely polled for events
    - Bidirectional traffic between QRadar Console components or Event Collectors that use the Microsoft Security Event Log Protocol and Windows operating systems that are remotely polled for events
    - Bidirectional traffic between Adaptive Log Exporter agents and Windows operating systems that are remotely polled for events
  Requirement: This traffic is generated by WinCollect, Microsoft Security Event Log Protocol, or Adaptive Log Exporter.

Port 138 (Windows NetBIOS datagram service, UDP)
  Direction:
    - Bidirectional traffic between WinCollect agents and Windows operating systems that are remotely polled for events
    - Bidirectional traffic between QRadar Console components or Event Collectors that use the Microsoft Security Event Log Protocol and Windows operating systems that are remotely polled for events
    - Bidirectional traffic between Adaptive Log Exporter agents and Windows operating systems that are remotely polled for events
  Requirement: This traffic is generated by WinCollect, Microsoft Security Event Log Protocol, or Adaptive Log Exporter.

Port 139 (Windows NetBIOS session service, TCP)
  Direction:
    - Bidirectional traffic between WinCollect agents and Windows operating systems that are remotely polled for events
    - Bidirectional traffic between QRadar Console components or Event Collectors that use the Microsoft Security Event Log Protocol and Windows operating systems that are remotely polled for events
    - Bidirectional traffic between Adaptive Log Exporter agents and Windows operating systems that are remotely polled for events
  Requirement: This traffic is generated by WinCollect, Microsoft Security Event Log Protocol, or Adaptive Log Exporter.

Port 199 (NetSNMP, TCP)
  Direction:
    - QRadar managed hosts that connect to the QRadar Console
    - External log sources to QRadar Event Collectors
  Requirement: TCP port for the NetSNMP daemon that listens for communications (v1, v2c, and v3) from external log sources.

Port 443 (Apache/HTTPS, TCP)
  Direction: Bidirectional traffic for secure communications from all products to the QRadar Console.
  Requirement:
    - Configuration downloads to managed hosts from the QRadar Console
    - QRadar managed hosts that connect to the QRadar Console
    - Users to have log in access to QRadar
    - QRadar Console that manages and provides configuration updates to WinCollect agents

Port 445 (Microsoft Directory Service, TCP)
  Direction:
    - Bidirectional traffic between WinCollect agents and Windows operating systems that are remotely polled for events
    - Bidirectional traffic between QRadar Console components or Event Collectors that use the Microsoft Security Event Log Protocol and Windows operating systems that are remotely polled for events
    - Bidirectional traffic between Adaptive Log Exporter agents and Windows operating systems that are remotely polled for events
  Requirement: This traffic is generated by WinCollect, Microsoft Security Event Log Protocol, or Adaptive Log Exporter.

Port 514 (Syslog, UDP/TCP)
  Direction:
    - External network appliances that provide TCP syslog events use bidirectional traffic.
    - External network appliances that provide UDP syslog events use uni-directional traffic.
  Requirement:
    - External log sources to send event data to QRadar components
    - Syslog traffic includes WinCollect agents and Adaptive Log Exporter agents capable of sending either UDP or TCP events to QRadar

Port 762 (Network File System (NFS) mount daemon (mountd), TCP/UDP)
  Direction: Connections between the QRadar Console and NFS server.
  Requirement: The Network File System (NFS) mount daemon, which processes requests to mount a file system at a specified location.

Port 1514 (Syslog-ng, TCP/UDP)
  Direction: Connection between the local Event Collector component and local Event Processor component to the syslog-ng daemon for logging.
  Requirement: Internal logging port for syslog-ng.

Port 2049 (NFS, TCP)
  Direction: Connections between the QRadar Console and NFS server.
  Requirement: The Network File System (NFS) protocol to share files or data between components.

Port 2055 (NetFlow data, UDP)
  Direction: From the management interface on the flow source (typically a router) to the QRadar QFlow Collector.
  Requirement: NetFlow datagram from components, such as routers.

Port 4333 (Redirect port, TCP)
  Requirement: This port is assigned as a redirect port for Address Resolution Protocol (ARP) requests in QRadar offense resolution.

Port 5432 (Postgres, TCP)
  Direction: Communication for the managed host that is used to access the local database instance.
  Requirement: Required for provisioning managed hosts from the Admin tab.

Port 6543 (High-availability heartbeat, TCP/UDP)
  Direction: Bidirectional between the secondary host and primary host in an HA cluster.
  Requirement: Heartbeat ping from a secondary host to a primary host in an HA cluster to detect hardware or network failure.

Ports 7676, 7677, and four randomly bound ports above 32000 (Messaging connections (IMQ), TCP)
  Direction: Message queue communications between components on a managed host.
  Requirement: Message queue broker for communications between components on a managed host. Ports 7676 and 7677 are static TCP ports and four extra connections are created on random ports.

Ports 7777 - 7782, 7790, 7791 (JMX server ports, TCP)
  Direction: Internal communications; these ports are not available externally.
  Requirement: JMX server (Mbean) monitoring for ECS, hostcontext, Tomcat, VIS, reporting, ariel, and accumulator services.
  Note: These ports are used by QRadar support.

Port 7789 (HA Distributed Replicated Block Device (DRBD), TCP/UDP)
  Direction: Bidirectional between the secondary host and primary host in an HA cluster.
  Requirement: Distributed Replicated Block Device (DRBD) used to keep drives synchronized between the primary and secondary hosts in HA configurations.

Port 7800 (Apache Tomcat, TCP)
  Direction: From the Event Collector to the QRadar Console.
  Requirement: Real-time (streaming) for events.

Port 7801 (Apache Tomcat, TCP)
  Direction: From the Event Collector to the QRadar Console.
  Requirement: Real-time (streaming) for flows.

Port 7803 (Apache Tomcat, TCP)
  Direction: From the Event Collector to the QRadar Console.
  Requirement: Anomaly detection engine port.

Port 8000 (Event Collection service (ECS), TCP)
  Direction: From the Event Collector to the QRadar Console.
  Requirement: Listening port for specific Event Collection service (ECS).

Port 8001 (SNMP daemon port, UDP)
  Direction: External SNMP systems that request SNMP trap information from the QRadar Console.
  Requirement: UDP listening port for external SNMP data requests.

Port 8005 (Apache Tomcat, TCP)
  Direction: None.
  Requirement: A local port that is not used by QRadar.

Port 8009 (Apache Tomcat, TCP)
  Direction: From the HTTP daemon (HTTPd) process to Tomcat.
  Requirement: Tomcat connector, where the request is used and proxied for the web service.

Port 8080 (Apache Tomcat, TCP)
  Direction: From the HTTP daemon (HTTPd) process to Tomcat.
  Requirement: Tomcat connector, where the request is used and proxied for the web service.

Port 9995 (NetFlow data, UDP)
  Direction: From the management interface on the flow source (typically a router) to the QFlow Collector.
  Requirement: NetFlow datagram from components, such as routers.

Port 10000 (QRadar web-based, system administration interface, TCP/UDP)
  Direction: User desktop systems to all QRadar hosts.
  Requirement: Server changes, such as the hosts root password and firewall access.

Port 23111 (SOAP web server, TCP)
  Requirement: SOAP web server port for the event collection service (ECS).

Port 23333 (Emulex Fibre Channel, TCP)
  Direction: User desktop systems that connect to QRadar appliances with a Fibre Channel card.
  Requirement: Emulex Fibre Channel HBAnywhere Remote Management service (elxmgmt).

Port 32004 (Normalized event forwarding, TCP)
  Direction: Bidirectional between QRadar components.
  Requirement: Normalized event data that is communicated from an off-site source or between Event Collectors.

Port 32005 (Data flow, TCP)
  Direction: Bidirectional between QRadar components.
  Requirement: Data flow communication port between Event Collectors when on separate managed hosts.

Port 32006 (Ariel queries, TCP)
  Direction: Bidirectional between QRadar components.
  Requirement: Communication port between the Ariel proxy server and the Ariel query server.

Port 32009 (Identity data, TCP)
  Direction: Bidirectional between QRadar components.
  Requirement: Identity data that is communicated between the passive vulnerability information service (VIS) and the Event Collection service (ECS).

Port 32010 (Flow listening source port, TCP)
  Direction: Bidirectional between QRadar components.
  Requirement: Flow listening port to collect data from QRadar QFlow Collectors.

Port 32011 (Ariel listening port, TCP)
  Direction: Bidirectional between QRadar components.
  Requirement: Ariel listening port for database searches, progress information, and other associated commands.

Ports 32000-33999 (Data flow (flows, events, flow context), TCP)
  Direction: Bidirectional between QRadar components.
  Requirement: Data flows, such as events, flows, flow context, and event search queries.

Port 40799 (PCAP data, TCP)
  Direction: From Juniper Networks SRX Series appliances to QRadar.
  Requirement: Collecting incoming packet capture (PCAP) data from Juniper Networks SRX Series appliances.
  Note: The packet capture on your device can use a different port. For more information about configuring packet capture, see your Juniper Networks SRX Series appliance documentation.

ICMP (ICMP)
  Direction: Bidirectional traffic between the secondary host and primary host in an HA cluster.
  Requirement: Testing the network connection between the secondary host and primary host in an HA cluster by using Internet Control Message Protocol (ICMP).


Searching for ports in use by QRadar
Use the netstat command to determine which ports are in use on the QRadar
Console or managed host. The netstat command shows all listening and
established ports on the system.

Procedure
1. Using SSH, log in to your QRadar Console as the root user.
2. To display all active connections and the TCP and UDP ports on which the
computer is listening, type the following command:
netstat -nap
3. To search for specific information from the netstat port list, type the following
command, where port is the port number or keyword that you want to search for:
netstat -nap | grep port

Examples:
- To display all ports that match 199, type the following command: netstat -nap | grep 199
- To display all postgres related ports, type the following command: netstat -nap | grep postgres
- To display information on all listening ports, type the following command: netstat -nap | grep LISTEN
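As an added example (not from the IBM guide), the following POSIX shell script applies this procedure to a baseline check: it parses netstat -nap output and reports every listening port that Table 78 does not document, which is how an administrator can spot an unexpected listener on a Console or managed host. The netstat lines, PIDs and process names in the sample are constructed data, not a capture from a real appliance.

```shell
#!/bin/sh
# Added example, not from the IBM guide: audit the listening sockets that
# "netstat -nap" reports on a QRadar Console or managed host against the
# documented listening ports (Table 78) and report any listener the table
# does not cover. The netstat output below is constructed sample data.

# Documented listening ports from Table 78; ranges are written low-high.
# Randomly bound ports (IMQ connections, DCOM above 1024) are covered only
# where the table gives a range (32000-33999), so a random port outside
# that range is reported and must be checked by hand.
QRADAR_PORTS="22 25 37 80 111 135 137 138 139 199 443 445 514 762 1514 2049 \
2055 4333 5432 6543 7676 7677 7777-7782 7789 7790 7791 7800 7801 7803 8000 \
8001 8005 8009 8080 9995 10000 23111 23333 32000-33999 40799"

# Constructed sample of "netstat -nap" output (not a real capture).
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1234/sshd
tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN      2345/postgres
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      3456/httpd
tcp        0      0 0.0.0.0:7676            0.0.0.0:*               LISTEN      4567/java
tcp        0      0 0.0.0.0:32006           0.0.0.0:*               LISTEN      4568/java
tcp        0      0 0.0.0.0:6666            0.0.0.0:*               LISTEN      9999/nc
tcp        0      0 10.0.0.5:443            10.0.0.9:51234          ESTABLISHED 3456/httpd
udp        0      0 0.0.0.0:514             0.0.0.0:*                           5678/java
udp        0      0 0.0.0.0:31337           0.0.0.0:*                           9998/nc'

# Return 0 when PORT is covered by QRADAR_PORTS (single ports or low-high ranges).
port_documented() {
    port=$1
    for entry in $QRADAR_PORTS; do
        case $entry in
            *-*)
                low=${entry%-*}
                high=${entry#*-}
                if [ "$port" -ge "$low" ] && [ "$port" -le "$high" ]; then
                    return 0
                fi
                ;;
            *)
                if [ "$port" -eq "$entry" ]; then
                    return 0
                fi
                ;;
        esac
    done
    return 1
}

# Read netstat output on stdin and print "proto port pid/program" for each
# listening socket whose port is not documented. A TCP socket counts as a
# listener only in the LISTEN state; every UDP socket is treated as one.
unexpected_listeners() {
    while read -r proto recvq sendq laddr faddr rest; do
        case $proto in
            tcp|tcp6)
                case "$rest" in LISTEN*) ;; *) continue ;; esac ;;
            udp|udp6) ;;
            *) continue ;;   # header lines and anything that is not a socket
        esac
        port=${laddr##*:}          # local address is host:port
        program=${rest##* }        # last field is PID/Program name
        if ! port_documented "$port"; then
            printf '%s %s %s\n' "$proto" "$port" "$program"
        fi
    done
}

# On a real host replace the sample with: netstat -nap | unexpected_listeners
printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_listeners
```

On the sample the script reports only the two undocumented listeners (tcp 6666 and udp 31337); port 32006 is accepted because it falls inside the documented 32000-33999 range.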

Viewing IMQ port associations

You can view the port numbers that are allocated to messaging connection (IMQ)
application services. To look up the additional port numbers, connect to the
localhost by using telnet.

Important: Random port associations are not static port numbers. If a service is
restarted, the ports that were generated for that service are reallocated and the
service is assigned a new set of port numbers.

Procedure
1. Using SSH, log in to the QRadar Console as the root user.
2. To display a list of associated ports for the IMQ messaging connection, type the
following command:
telnet localhost 7676
3. If no information is displayed, press the Enter key to close the connection.



Glossary
This glossary includes terms and definitions for IBM Security QRadar.

See refers you from a term to a preferred synonym, or from an acronym or abbreviation to the defined full form.

To view glossaries for other IBM products, go to www.ibm.com/software/globalization/terminology (opens in new window).

A

active system
    In a High Availability (HA) cluster, the active system is the system with all services running. Either the primary or secondary HA host can be the active host. If the secondary HA host is the active host, failover has occurred.

accumulator
    The accumulator resides on the host that contains an Event Processor to assist with analyzing flows, events, reporting, writing database data, and alerting a DSM.

Address Resolution Protocol (ARP)
    A protocol for mapping an Internet Protocol (IP) address to a physical host address recognized in the local network. For example, in IP Version 4, an address is 32 bits long. In an Ethernet LAN, however, addresses for attached devices are 48 bits long.

anomaly
    A deviation from expected behavior of the network.

application signature
    A unique set of characteristics or properties, derived by the examination of packet payload, used to identify a specific application.

ARP
    See Address Resolution Protocol.

ARP Redirect
    ARP allows a host to determine the address of other devices on the LAN or VLAN. A host can use ARP to identify the default gateway (router) or path off to the VLAN. ARP Redirect allows QRadar to notify a host if a problem exists with sending traffic to a system. This renders the host and network unusable until the user intervenes.

Autonomous System Number (ASN)
    An autonomous system is a collection of IP networks that all adhere to the same specific and clearly defined routing policy. An Autonomous System Number (ASN) is a unique ID number assigned to each autonomous system.

B

behavior
    Indicates the normal manner in which the system or network functions or operates.

branding
    A reporting option that enables a QRadar user to upload custom logos for customized reports.

C

CIDR
    See Classless Inter-Domain Routing.

Classless Inter-Domain Routing (CIDR)
    A member of a dimension whose measure values are not stored but are calculated at run time using an expression.

client
    The host that originates communication.

Cluster Virtual IP address
    The Cluster Virtual IP address is the IP address used to communicate with an HA cluster. When you configure HA, the IP address of the primary HA host becomes the Cluster Virtual IP address. If the primary HA host fails, the Cluster Virtual IP address will be assumed by the secondary HA host.

coalescing interval
    The interval for coalescing (bundling) events is 10 seconds, beginning with the first event that does not match any currently coalescing events. Within the interval, the first three matching events are released immediately to the Event Processor and the fourth and subsequent events are coalesced such that the payload and other features are kept from the fourth event. Each arrival of a matching event during the interval increments the event count of the fourth event. At the end of the interval, the coalesced event is released to the Event Processor and the next interval begins for matching events. If no matching events arrive during this interval, the process restarts. Otherwise, the coalescing continues with all events counted and released in 10 second intervals.

Common Vulnerability Scoring System (CVSS)
    A CVSS score is a metric for assessing the severity of a vulnerability. QRadar uses CVSS scores to measure how much concern a vulnerability warrants in comparison to other vulnerabilities.

console
    Web interface for QRadar. QRadar is accessed from a standard web browser. When you access the system, a prompt is displayed for a user name and password, which must be configured in advance by the QRadar administrator.

content capture
    QFlow Collectors capture a configurable amount of payload and store the data in the flow logs. You can view this data using the Network Activity tab.

credibility
    Indicates the integrity of an event or offense as determined by the credibility rating that is configured in the log source. Credibility increases as multiple sources report the same event.

D

database leaf objects
    The end point objects in a hierarchy. At each point in the hierarchy above this point there is a parent object that contains the aggregate values of all of the leaf objects below.

datapoint
    Any point on the QRadar charts where data is extracted.

DHCP
    See Dynamic Host Configuration Protocol.

Device Support Module (DSM)
    Device Support Modules (DSMs) allow you to integrate QRadar with log sources.

DNS
    See Domain Name System.

DSM
    See Device Support Modules.

Domain Name System (DNS)
    An online, distributed database used to map human-readable machine names into an IP address for resolving machine names to IP addresses.

duplicate flow
    When multiple QFlow Collectors detect the same flow, this is referred to as a duplicate flow. However, in this event, the QFlow Collector drops the flow as a duplicate so the Event Processor only receives one report on the flow.

Dynamic Host Configuration Protocol (DHCP)
    A protocol that allows dynamic assignment of IP addresses to customer premise equipment.

E

encryption
    Encryption provides greater security for all QRadar traffic between managed hosts. When encryption is enabled for a managed host, encryption tunnels are created for all client applications on a managed host to provide protected access to the servers.

Event Collector
    Collects security events and flows from various types of devices in your network. The Event Collector gathers events and flows from local, remote, and device sources. The Event Collector then normalizes the events and flows, and sends the information to the Event Processor.

Event Processor
    Processes events collected from one or more Event Collectors. The events are bundled once again to conserve network usage. When received, the Event Processor correlates the information from QRadar and distributes it to the appropriate area, depending on the type of event.

F

false positive
    When an event is tuned as false positive, the event no longer contributes to custom rules; therefore, offenses do not generate based on the false positive event. The event is still stored in the database and contributes to reports.

flow
    Communication session between two hosts. Describes how traffic is communicated, what was communicated (if content capture option has been selected), and includes such details as when, who, how much, protocols, priorities, or options.

flow data
    Specific properties of a flow including: IP addresses, ports, protocol, bytes, packets, flags, direction, application ID, and payload data (optional).

flow logs
    Record of flows that enables the system to understand the context of a particular transmission over the network. Flows are stored in flow logs.

flow sources
    Source of flows that the QFlow Collector receives. Using the deployment editor, you can add internal and external flow sources from either the System or Event Views in the deployment editor.

forwarding destination
    QRadar allows you to forward raw log data received from log sources and QRadar-normalized event data to one or more vendor systems, such as ticketing or alerting systems. On the QRadar user interface, these vendor systems are called forwarding destinations.

Fully Qualified Domain Name (FQDN)
    The portion of an Internet Uniform Resource Locator (URL) that fully identifies the server program that an Internet request is addressed to.

Fully Qualified Network Name (FQNN)
    Full path name of a certain point in the network hierarchy. For example, Company A hierarchy has a department object that contains a marketing object. Therefore, the FQNN is CompanyA.Department.Marketing.

FQDN
    See Fully Qualified Domain Name.

FQNN
    See Fully Qualified Network Name.

G

gateway
    A device that communicates with two protocols and translates services between them.

H

HA
    See High Availability.

HA cluster
    An HA cluster consists of a primary HA host and a secondary HA host that behaves as a standby for the primary.

Hash-Based Message Authentication Code (HMAC)
    A cryptographic code that uses a cryptographic hash function and a secret key.

High Availability
    The High Availability (HA) feature ensures availability of QRadar data in the event of a hardware or network failure. An HA cluster consists of a primary host and a secondary host that acts as a standby for the primary. The secondary host maintains the same data as the primary host by one of two methods: data replication or shared external storage. At regular intervals, every 10 seconds by default, the secondary host sends a heartbeat ping to the primary host to detect hardware and network failure. If the secondary host detects a failure, the secondary host automatically assumes all responsibilities of the primary host.

HMAC
    See Hash-based Message Authentication Code (HMAC).

Host Context
    Monitors all QRadar components to ensure that each component is operating as expected.

I

ICMP
    See Internet Control Message Protocol.

identity
    QRadar collects identity information, if available, from log source messages. Identity information provides additional details about assets on your network. Log sources only generate identity information if the log message sent to QRadar contains an IP address and at least one of the following items: user name or MAC address. Not all log sources generate identity information.

IDS
    See Intrusion Detection System.

Internet Control Message Protocol (ICMP)
    An Internet network-layer protocol between a host and gateway.

Internet Protocol (IP)
    The method or protocol by which data is sent from one computer to another on the Internet. Each computer (known as a host) on the Internet has at least one IP address that uniquely identifies it from all other systems on the Internet. An IP address includes a network address and a host address. An IP address can also be divided by using classless addressing or subnetting.

Internet Service Provider (ISP)
    An Internet Service Provider (ISP) provides users access to the Internet and other related services.

interval
    The default time period in the system. Affects the update intervals of the graphs and how much time each flow log file contains.

Intrusion Detection System (IDS)
    An application or device that identifies suspicious activity on the network.

Intrusion Prevention System (IPS)
    Application that reacts to network intrusions.

IP
    See Internet Protocol.

IP Multicast
    IP Multicast reduces traffic on a network by delivering a single stream of information to multiple users at one time.

IP network
    A group of IP routers that route IP datagrams. These routers are sometimes referred to as Internet gateways. Users access the IP network from a host. Each network in the Internet includes some combination of hosts and IP routers.

IPS
    See Intrusion Prevention System.

item
    A Dashboard option that creates a customized portal that displays any permissible view for monitoring purposes.

L

L2L
    See Local To Local.

L2R
    See Local To Remote.

LAN
    See Local Area Network.

LDAP
    See Lightweight Directory Access Protocol.

leaves
    Children or objects which are part of a parent group.

Lightweight Directory Access Protocol (LDAP)
    A set of protocols for accessing information directories. LDAP is based on the standards contained within the X.500 standard, but is significantly simpler. And unlike X.500, LDAP supports TCP/IP, which is necessary for any type of Internet access to a directory server.

Local Area Network (LAN)
    A non-public data network in which serial transmission is used for direct data communication among data stations located on the user's premises.

Local To Local (L2L)
    Internal traffic from one local network to another local network.

Local To Remote (L2R)
    Internal traffic from a local network to a remote network.

log source
    Log sources are external event log sources such as security equipment (for example, firewalls and IDSs) and network equipment (for example, switches and routers).

M

magistrate
    Provides the core processing components of the SIEM option. The magistrate provides reports, alerts, and analysis of network traffic and security events. The magistrate processes the event against the defined custom rules to create an offense.

magnitude
    Specifies the relative importance of the offense and is a weighted value calculated from the Relevance, Severity, and Credibility. The magnitude bar on the Offenses tab and Dashboard provides a visual representation of all correlated variables of the offense, source, destination, or network. The magnitude of an offense is determined by several tests that are performed on an offense every time it has been scheduled for re-evaluation, typically because events have been added or the minimum time for scheduling has occurred.

N

NAT
    See Network Address Translation (NAT).

NetFlow
    A proprietary accounting technology developed by Cisco Systems® Inc. that monitors traffic flows through a switch or router, interprets the client, server, protocol, and port used, counts the number of bytes and packets, and sends that data to a NetFlow collector. You can configure QRadar to accept NDE's and thus become a NetFlow collector.

Network Address Translation (NAT)
    NAT translates an IP address in one network to a different IP address in another network.

network hierarchy
    Contains each component of your network, and identifies which objects belong within other objects. The accuracy and completeness of this hierarchy is essential to traffic analysis functions. The network hierarchy provides for storage of flow logs, databases, and TopN files.

network layer
    Layer 3 in the Open System Interconnection (OSI) architecture; the layer that establishes a path between open systems.

network objects
    Components of your network hierarchy. You can add layers to the hierarchy by adding additional network objects and associating them to already defined objects. Objects that contain other objects are called groups.

network weight
    The numeric value applied to each network that signifies the importance of the network. The network weight is user defined.

O

offense
    A message sent or event generated in response to a monitored condition. For example, an offense informs you if a policy has been breached or the network is under attack.

Off-site Source
    An off-site device that forwards normalized data to an Event Collector. You can configure an off-site source to receive flows or events and allow the data to be encrypted before forwarding.

Off-site Target
    An off-site device that receives event or flow data. An off-site target can only receive data from an Event Collector.

Open Systems Interconnection (OSI)
    A framework of ISO standards for communication between different systems made by different vendors, in which the communications process is organized into seven different categories that are placed in a layered sequence based on their relationship to the user. Each layer uses the layer immediately below it and provides a service to the layer above. Layers 7 through 4 deal with end-to-end communication between the message source and destination, and layers 3 through 1 deal with network functions.

OSI
    The actual application data, excluding any header or administrative information, contained in an IP flow.

OSVDB
    Open Source Vulnerability Database (OSVDB) is an open source database created for and by the network security community. The database provides technical information on network security vulnerabilities.

P

Packeteer
    Packeteer devices collect, aggregate, and store network performance data. When you configure an external flow source for Packeteer, you can send flow information from a Packeteer device to QRadar.

payload data
    The actual application data, excluding any header or administrative information, contained in an IP flow.

primary HA host
    In an HA cluster, the primary HA host is the host to which you want to add HA protection. You can configure HA for any

R2R
    See Remote To Remote.

refresh timer
    The Dashboard, Log Activity, and Network Activity tabs feature a dynamic status bar that displays the amount of time until the current network activity data is automatically refreshed; built-in refresh can be manually refreshed at any time.

relevance
    Relevance determines the impact on your network of an event, category, or offense. For example, if a certain port is open, the relevance is high.

Remote To Local (R2L)
    External traffic from a remote network to a local network.

Remote To Remote (R2R)
    External traffic from a remote network to another remote network.

reports
    A function that creates executive or operational level charting representations
system (Console or non-Console) in your of network activity based on time,
deployment. When you configure HA, the sources, offenses, security, and events.
IP address of the primary HA host
becomes the Cluster Virtual IP address; report interval
therefore, you must configure a new IP A configurable time interval at which the
address for the primary host. Event Processor must send all captured
event and flow data to the Console.
protocol
A set of rules and formats that determines routing rules
the communication behavior of layer Collection of conditions and consequent
entities in the performance of the layer routing that are performed when event
functions. It might still require an data matches each rule.
authorization exchange with a policy rule Collection of conditions and consequent
module or external policy server before actions. You can configure rules to capture
admission. and respond to specific event sequences.
The rules allow you to detect specific,
Q specialized events and forward
notifications to either the Offenses tab or
QFlow Collector log file, or email a user.
Collects data from devices and various
live or recorded data feeds, such as,
network taps, span/mirror ports, S
NetFlow, and QRadar flow logs. secondary HA host
QID QRadar Identifier. A mapping of a single In an HA cluster, the secondary HA host
event of an external device to a unique is the standby for the primary host. If the
identifier. primary HA host fails, the secondary HA
host automatically assumes all
responsibilities of the primary HA host.
R
severity
R2L See Remote To Local. Indicates the amount of threat a source

218 QRadar Log Manager Administration Guide


    poses in relation to how prepared the destination is for the attack. This value is mapped to an event category in the QID map that is correlated to the offense.

Simple Network Management Protocol (SNMP)
    A network management protocol used to monitor IP routers, other network devices, and the networks to which they attach.

SNMP
    See Simple Network Management Protocol.

SOAP
    See Simple Object Access Protocol.

standby system
    In an HA cluster, the standby system is the host that is acting as standby for the active system. Only the secondary HA host can be the standby system. The standby system has no services running. If disk replication is enabled, the standby system is replicating data from the active system. If the active system fails, the standby system automatically assumes the active role.

subnet
    A network subdivided into networks or subnets. When subnetting is used, the host portion of the IP address is divided into a subnet number and a host number. Hosts and routers identify the bits used for the network and subnet number through the use of a subnet mask.

subnet mask
    A bit mask that is logically ANDed with the destination IP address of an IP packet to determine the network address. A router routes packets using the network address.

sub-search
    Allows you to perform searches within a set of completed search results. The sub-search function allows you to refine your search results without requiring you to search the database again.

strategy map
    In Metric Studio, a visual representation of the strategy and the objectives of that strategy for an organization. For example, a strategy map may show employees how their jobs are aligned to the overall objectives of the organization.

superflows
    Multiple flows with the same properties are combined into one flow to increase processing by reducing storage.

System Time
    The right corner of the user interface displays System time, which is the time on the Console. This is the time that determines the time of events and offenses.

System View
    Allows you to assign software components, such as a QFlow Collector, to systems (managed hosts) in your deployment. The System View includes all managed hosts in your deployment. A managed host is a system in your deployment that has QRadar software installed.

T

TACACS
    An action performed by an agent if the event status meets the task execution rules. For example, an agent can send an email, publish a news item, or run a report. Terminal Access Controller Access Control System (TACACS) is an authentication protocol that allows remote server access to forward a user logon password to an authentication server to determine whether access can be allowed to a given system. TACACS+ uses TCP

TCP
    See Transmission Control Protocol.

TCP flags
    A type of marker that can be added to a packet to alert the system of abnormal activity. Only a few specific combinations of flags are valid and typical in normal traffic. Abnormal combinations of flags often indicate an attack or an abnormal network condition.

TCP resets
    For TCP-based applications, QRadar can issue a TCP reset to either the client or server in a conversation. This stops the communications between the client and the server.

Time series
    A chart type that graphs data based on time. This chart focuses on the networks or IP address data information from the selected networks.
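The "subnet mask" and "TCP flags" entries above describe two checks that a flow triage script performs constantly: ANDing an address with a mask to find the network it belongs to, and deciding whether the flag combination on a flow is one that a well-formed TCP exchange produces. The following is an added example and is not code from the IBM guide; the mask, the flow records and the list of combinations treated as normal are assumptions made for the example, not QRadar's own rules.

```python
"""Added example, not code from the IBM guide: applies a subnet mask to IP
addresses the way the "subnet mask" entry describes (logical AND), and labels
TCP flag combinations as typical or abnormal as the "TCP flags" entry describes.
The flow records and mask below are constructed for the example."""
import ipaddress

# TCP header flag bits (FIN, SYN, RST, PSH, ACK, URG), lowest bit first.
FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
FIN, SYN, RST, PSH, ACK, URG = (FLAG_BITS[n] for n in ("FIN", "SYN", "RST", "PSH", "ACK", "URG"))


def network_address(ip: str, mask: str) -> str:
    """Return the network address: the IP ANDed bit-by-bit with the subnet mask."""
    ip_int = int(ipaddress.IPv4Address(ip))
    mask_int = int(ipaddress.IPv4Address(mask))
    return str(ipaddress.IPv4Address(ip_int & mask_int))


def same_network(a: str, b: str, mask: str) -> bool:
    """True when both addresses map to the same network address under the mask."""
    return network_address(a, mask) == network_address(b, mask)


def flags_from_names(names: str) -> int:
    """Turn a comma-separated flag list such as "SYN,ACK" into the header bit pattern."""
    bits = 0
    for name in names.split(","):
        name = name.strip().upper()
        if name:
            bits |= FLAG_BITS[name]  # an unknown flag name raises KeyError on purpose
    return bits


def classify_tcp_flags(flags: int) -> str:
    """Label a flag combination. Combinations produced by a well-formed TCP exchange
    (SYN, SYN+ACK, ACK, PSH+ACK, FIN+ACK, RST, RST+ACK, ...) are "normal"; the
    remaining patterns are the malformed combinations the glossary calls abnormal.
    The set of normal combinations is an assumption made for this example."""
    if flags == 0:
        return "abnormal: no flags set"
    if flags & SYN and flags & (FIN | RST):
        return "abnormal: SYN combined with FIN or RST"
    if flags & SYN and flags & (PSH | URG):
        return "abnormal: SYN combined with PSH or URG"
    if flags & (FIN | PSH | URG) and not flags & ACK:
        return "abnormal: FIN, PSH or URG without ACK"
    return "normal"


# Constructed sample flow records: source, destination and the flags seen on the flow.
SAMPLE_FLOWS = [
    {"src": "10.1.2.30", "dst": "10.1.2.77", "flags": "SYN,ACK"},
    {"src": "10.1.2.30", "dst": "10.1.3.5", "flags": "PSH,ACK"},
    {"src": "198.51.100.9", "dst": "10.1.2.77", "flags": "SYN,FIN"},
    {"src": "198.51.100.9", "dst": "10.1.2.78", "flags": ""},
]


def triage_flows(flows, mask: str = "255.255.255.0"):
    """Annotate each flow with its source and destination networks, whether the
    traffic stayed inside one network, and the flag verdict."""
    result = []
    for flow in flows:
        result.append({
            "src_net": network_address(flow["src"], mask),
            "dst_net": network_address(flow["dst"], mask),
            "local": same_network(flow["src"], flow["dst"], mask),
            "verdict": classify_tcp_flags(flags_from_names(flow["flags"])),
        })
    return result


def abnormal_flows(flows, mask: str = "255.255.255.0"):
    """Only the annotated flows whose flag combination is abnormal."""
    return [row for row in triage_flows(flows, mask) if row["verdict"] != "normal"]


if __name__ == "__main__":
    for row in triage_flows(SAMPLE_FLOWS):
        print(row)
```

Run against the constructed records, the first two flows are labelled normal (one inside 10.1.2.0/24, one crossing to 10.1.3.0/24) and the last two are labelled abnormal (SYN together with FIN, and a segment with no flags at all), which is the kind of distinction a rule on flag combinations is meant to surface.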
TopN
    Displays the top N networks or IP address information for the data you are viewing. For example, using the chart feature, you can display the top five networks generating traffic in the U.S.

Transmission Control Protocol (TCP)
    A reliable stream service that operates at the transport-layer Internet protocol, which ensures successful end-to-end delivery of data packets without error.

V

violation
    Includes a violation of corporate policy.

W

Whois
    Allows you to look up information about registered Internet names and numbers.

Index

A
about 5
access category
    description 160
accumulator
    configuring 115
    description 103
active directory 12
admin tab
    using 1
Admin tab 1
aggregated data views
    deleting 4
    disabling 4
    enabling 4
    managing 4
application category
    description 179
audit category
    description 199
audit log
    viewing 143
audit log file
    logged actions 144
audit logs
    description 143
authentication 12, 14, 15, 16
authentication category
    description 154
automatic update 56
    about 54
    scheduling 58
autoupdate log 60

B
backing up your information 92
backup and recovery
    about 91
    deleting backup archives 92
    importing backup archives 92
    initiating backup 95
    restoring configuration information 95
    scheduling backups 93
    viewing backup archive 91

C
changes
    deploying 2
changing 37
commands
    description 86
components 118
configuration 41
configuring 14, 15, 16, 44
console settings 76
CRE category
    description 174
create 8
create user information source 46
creating 6, 46
creating a new store and forward schedule 132
creating account 11
custom rule event
    See CRE
custom rules
    event forwarding 127
CVS file
    requirements 85

D
data
    masking
        See obfuscation
    obfuscation
        configuring 138
        decrypting 141
        description 135
        generating a private/public key pair 137
        process 135
        restoring 100
data obfuscation 135
deleting 7, 48
deleting a security profile 10
deleting a store and forward schedule 133
deleting backup archives 92
deploying changes 2
deployment editor
    configuring editor preferences 104
    creating your deployment 105
    description 103
    event view 105
    QRadar components 118
    requirements 103, 105
    system view 110
device access 35
device management 37
disabling account 12
DoS category
    description 151
duplicating a security profile 10

E
edit 9
editing 6, 48
editing a store and forward schedule 133
editing account 11
encryption 110
event categories
    description 149
event category correlation
    access category 160
    application category 179
    audit category 199
    authentication category 154
    CRE category 174
    DoS category 151
    exploit category
        description 162
    high-level categories 149
    malware category 164
    policy category 172
    potential exploit category 174
    recon category 150
    SIM Audit events category 178
    suspicious category 165
    system category 168
    unknown category 173
    User Defined category 176
Event Collector
    about 105
    configuring 118
event forwarding
    configuring 125
    custom rules 127
Event Processor
    about 105
    configuring 119
event retention
    configuring 71
    managing 74
    sequencing 74
event view
    adding components 106
    building 105
    description 103
    renaming components 109
events
    storing and forwarding 129
    storing and forwarding events 129
exploit category 162
export system details 34
exporting 31

F
firewall access 35
forwarding destinations
    adding 123
    managing 124
forwarding normalized events 108

G
glossary 213

H
hidden updates 59

© Copyright IBM Corp. 2007, 2013 221

high-level categories
    description 149
host
    adding 111
    host context 113
    description 103

I
importing backup archives 92
index management 78
initiating a backup 95
integration workflow 43
interface roles 37
introduction ix

L
LDAP or active directory 12
license
    allocating 29
license allocation 30
license details
    viewing 31
license key 28, 29, 31
license management 23
licenses
    allocating 33
list of licenses 32
logged actions
    audit log file 144

M
Magistrate
    configuring 121
malware category
    description 164
managed host 36
    adding 111
    assigning components 113
    editing 112
    removing 113
management task overview 43
managing 5, 11, 28, 46
masking
    See obfuscation

N
NAT
    adding 116
    editing 117
    enabling 112
    removing 117
    using with QRadar 116
Net-SNMP 3
Network Address Translation
    See NAT
network administrator ix
network hierarchy 54
    creating 51

O
obfuscation
    data
    decrypting 141
    description 135
    process 135
obfuscation_expressions.xml
    configuring the obfuscation expression file 138
obfuscation_updater.sh
    configuring obfuscation 138
off-site source 108
off-site target 108
overview 41, 135

P
parameters
    description 86
passwords 37
policy category
    description 172
ports
    searching 212
portsusage 205
potential exploit category
    description 174

Q
QRadar SIEM components 118

R
RADIUS 12
RADIUS authentication 12
RDATE 38
recon category
    description 150
reference data collection 42
    creating 86
    overview 85
reference map
    description 85
reference map of maps
    description 85
reference map of sets
    description 85
reference sets 81
    adding 81
    adding elements 83
    deleting 82
    deleting elements 83
    exporting elements 84
    importing elements 84
    viewing 81
    viewing contents 82
reference table
    description 85
restarting 33
restarting system 33
restored data
    verifying 100
restoring
    data 100
    troubleshooting restored data 100
restoring configuration information 95
    different IP address 97
    same IP address 96
retention buckets 71
retrieving 47
reverting a license allocation 30
roles 5, 6, 7
routing options
    configuring 127
routing rules
    editing 127
rules
    about 81

S
scheduling your backup 93
security profile 5, 8, 9, 10
Security profile parameters 21
security profiles 7
setting-up 36
shutting down 34
shutting down system 34
SIM Audit category 178
source
    off-site 108
SSL certificate
    configuring 17
store and forward
    creating a new schedule 132
    deleting a schedule 133
    editing a schedule 133
    viewing the schedule list 129
store user information 49
suspicious category
    description 165
syslog
    forwarding 123
system 12, 33, 34
system and license management 34
system authentication 12
system category
    description 168
system details 32
system management 23, 32
system settings 62
system setup 34
system time 38
system view
    adding a host 111
    assigning components 113
    description 103
    Host Context 113
    managed host 113
    managing 110

T
TACACS 12
TACACS authentication 12
target
    encryption 108
    off-site 108
thresholds 74
time server configuration 38
Tivoli Directory Integrator server 41, 44
TLS certificate
    configuring 17
troubleshooting
    restored data 100

U
undo license allocation 30
unknown category
    description 173
update 3
update history 59
updates
    scheduling 58
upload 29
user 12
user accounts 11
User Defined category
    description 176
user details
    user 3
User Details window 22
user information 42, 49
user information source 43, 46
user information sources 41, 46, 47, 48
user interface 1
user management 5, 21
user management window
    parameters 21
user management window toolbar 21
user role 5
user role management 17
user roles 5
users 5, 11, 12

V
viewing backup archives 91
viewing the schedule list 129

W
web browsers
    supported versions 1

Notices
This information was developed for products and services offered in the U.S.A.

IBM may not offer the products, services, or features discussed in this document in
other countries. Consult your local IBM representative for information on the
products and services currently available in your area. Any reference to an IBM
product, program, or service is not intended to state or imply that only that IBM
product, program, or service may be used. Any functionally equivalent product,
program, or service that does not infringe any IBM intellectual property right may
be used instead. However, it is the user's responsibility to evaluate and verify the
operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter
described in this document. The furnishing of this document does not grant you
any license to these patents. You can send license inquiries, in writing, to:

IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785 U.S.A.

For license inquiries regarding double-byte character set (DBCS) information,
contact the IBM Intellectual Property Department in your country or send
inquiries, in writing, to:

Intellectual Property Licensing


Legal and Intellectual Property Law
IBM Japan Ltd.
19-21, Nihonbashi-Hakozakicho, Chuo-ku
Tokyo 103-8510, Japan

The following paragraph does not apply to the United Kingdom or any other
country where such provisions are inconsistent with local law:

INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS
PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER
EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS
FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or
implied warranties in certain transactions, therefore, this statement may not apply
to you.

This information could include technical inaccuracies or typographical errors.
Changes are periodically made to the information herein; these changes will be
incorporated in new editions of the publication. IBM may make improvements
and/or changes in the product(s) and/or the program(s) described in this
publication at any time without notice.

Any references in this information to non-IBM Web sites are provided for
convenience only and do not in any manner serve as an endorsement of those Web
sites. The materials at those Web sites are not part of the materials for this IBM
product and use of those Web sites is at your own risk.

IBM may use or distribute any of the information you supply in any way it
believes appropriate without incurring any obligation to you.

Licensees of this program who wish to have information about it for the purpose
of enabling: (i) the exchange of information between independently created
programs and other programs (including this one) and (ii) the mutual use of the
information which has been exchanged, should contact:

IBM Corporation
170 Tracer Lane,
Waltham MA 02451, USA

Such information may be available, subject to appropriate terms and conditions,
including in some cases, payment of a fee.

The licensed program described in this document and all licensed material
available for it are provided by IBM under terms of the IBM Customer Agreement,
IBM International Program License Agreement or any equivalent agreement
between us.

Any performance data contained herein was determined in a controlled
environment. Therefore, the results obtained in other operating environments may
vary significantly. Some measurements may have been made on development-level
systems and there is no guarantee that these measurements will be the same on
generally available systems. Furthermore, some measurements may have been
estimated through extrapolation. Actual results may vary. Users of this document
should verify the applicable data for their specific environment.

Information concerning non-IBM products was obtained from the suppliers of
those products, their published announcements or other publicly available sources.
IBM has not tested those products and cannot confirm the accuracy of
performance, compatibility or any other claims related to non-IBM products.
Questions on the capabilities of non-IBM products should be addressed to the
suppliers of those products.

All statements regarding IBM's future direction or intent are subject to change or
withdrawal without notice, and represent goals and objectives only.

All IBM prices shown are IBM's suggested retail prices, are current and are subject
to change without notice. Dealer prices may vary.

This information contains examples of data and reports used in daily business
operations. To illustrate them as completely as possible, the examples include the
names of individuals, companies, brands, and products. All of these names are
fictitious and any similarity to the names and addresses used by an actual business
enterprise is entirely coincidental.

If you are viewing this information softcopy, the photographs and color
illustrations may not appear.

Trademarks
IBM, the IBM logo, and ibm.com® are trademarks or registered trademarks of
International Business Machines Corporation in the United States, other countries,
or both. If these and other IBM trademarked terms are marked on their first
occurrence in this information with a trademark symbol (® or ™), these symbols
indicate U.S. registered or common law trademarks owned by IBM at the time this
information was published. Such trademarks may also be registered or common
law trademarks in other countries. A current list of IBM trademarks is available on
the Web at Copyright and trademark information (www.ibm.com/legal/copytrade.shtml).

Java and all Java-based trademarks and logos are trademarks or registered
trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.

Linux is a trademark of Linus Torvalds in the United States, other countries, or
both.

Microsoft, Windows NT, and the Windows logo are trademarks of Microsoft
Corporation in the United States, other countries, or both.

Other company, product, and service names may be trademarks or service marks
of others.

Privacy policy considerations
IBM Software products, including software as a service solutions, (“Software
Offerings”) may use cookies or other technologies to collect product usage
information, to help improve the end user experience, to tailor interactions with
the end user or for other purposes. In many cases no personally identifiable
information is collected by the Software Offerings. Some of our Software Offerings
can help enable you to collect personally identifiable information. If this Software
Offering uses cookies to collect personally identifiable information, specific
information about this offering’s use of cookies is set forth below.

Depending upon the configurations deployed, this Software Offering may use
session cookies that collect each user’s session id for purposes of session
management and authentication. These cookies can be disabled, but disabling them
will also eliminate the functionality they enable.

If the configurations deployed for this Software Offering provide you as customer
the ability to collect personally identifiable information from end users via cookies
and other technologies, you should seek your own legal advice about any laws
applicable to such data collection, including any requirements for notice and
consent.

For more information about the use of various technologies, including cookies, for
these purposes, see IBM's Privacy Policy at http://www.ibm.com/privacy and
IBM's Online Privacy Statement at http://www.ibm.com/privacy/details, the
section entitled "Cookies, Web Beacons and Other Technologies", and the "IBM
Software Products and Software-as-a-Service Privacy Statement" at
http://www.ibm.com/software/info/product-privacy.