Date: August 2023

Version: 1.0

Level 4 - Deployment
Sending Guardium events to QRadar SIEM

Guardium Data Protection

Contributors:

Tansel Zenginler
Principal, Learning Content Development
IBM Learning: Security

Dawn LaPides
Senior, Learning Content Development
IBM Learning: Security
August 2023 edition

NOTICES
This information was developed for products and services offered in the USA.
IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information
on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that
only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual
property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or
service.
IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not grant
you any license to these patents. You can send license inquiries, in writing, to:

IBM Director of Licensing

IBM Corporation
North Castle Drive, MD-NC119
Armonk, NY 10504-1785
United States of America

The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law: INTERNATIONAL
BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED,
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR
PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.
This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will
be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this
publication at any time without notice.
Any references in this information to non-IBM websites are provided for convenience only and do not in any manner serve as an endorsement of those
websites. The materials at those websites are not part of the materials for this IBM product and use of those websites is at your own risk.
IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.
Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available
sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM
products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.
This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples
include the names of individuals, companies, brands, and products. All names and references for organizations and other business institutions used in this
deliverable’s scenarios are fictional. Any match with real organizations or institutions is coincidental. All names and associated information for people in
this deliverable’s scenarios are fictional. Any match with a real person is coincidental.

TRADEMARKS
IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines Corp., registered in many jurisdictions
worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the web at
“Copyright and trademark information” at www.ibm.com/legal/copytrade.shtml.

Adobe, the Adobe logo, PostScript, and the PostScript logo are either registered trademarks or trademarks of Adobe Systems Incorporated in the United
States, and/or other countries.
Java and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates.
The registered trademark Linux® is used pursuant to a sublicense from the Linux Foundation, the exclusive licensee of Linus Torvalds, owner of the mark on
a world­wide basis.
Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.
UNIX is a registered trademark of The Open Group in the United States and other countries.
VMware, the VMware logo, VMware Cloud Foundation, VMware Cloud Foundation Service, VMware vCenter Server, and VMware vSphere are registered
trademarks or trademarks of VMware, Inc. or its subsidiaries in the United States and/or other jurisdictions.
Red Hat®, JBoss®, OpenShift®, Fedora®, Hibernate®, Ansible®, CloudForms®, RHCA®, RHCE®, RHCSA®, Ceph®, and Gluster® are trademarks or registered
trademarks of Red Hat, Inc. or its subsidiaries in the United States and other countries.
© Copyright International Business Machines Corporation 2023.
This document may not be reproduced in whole or in part without the prior written permission from IBM.
US Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

2
Table of Contents
1 Introduction ........................................................................................................................ 4
2 Create a log source for Guardium events ........................................................................ 5
3 Configure Guardium to send events to QRadar ............................................................ 11
3.1 Create and install a policy .................................................................................................. 11
3.2 Verify that the Alerter service is running ............................................................................. 19
3.3 Send Guardium syslog to QRadar SIEM ............................................................................ 21
3.4 Review policy violations ..................................................................................................... 23
4 Summary .......................................................................................................................... 28
Appendix A. Integrating with SIEMs ................................................................................... 29

3
1 Introduction
This guide provides the high-level steps necessary to integrate IBM Security® Guardium® Data
Protection (Guardium) with the IBM Security® QRadar® Security Information and Event
Management (SIEM) console. QRadar SIEM collects logs from various devices in the enterprise
networks.
Users and applications run SQL commands on a database server. The database server hosts a
Guardium S-TAP agent, which reports database activity to Guardium. Guardium uses policies to
evaluate the database activity. If the database activity meets certain criteria, the policies contain
rules to trigger actions. One possible action is to send an alert. By configuring Guardium to send an
alert to QRadar and configuring QRadar to receive alerts from Guardium, information about
database activity is displayed on the QRadar Console.

This guide documents how to configure the following integration processes:

• Configure QRadar to accept Guardium log files
• Configure Guardium to send alerts to QRadar SIEM

Note: This document focuses on the steps required to forward Guardium alerts to QRadar
SIEM.

4
2 Create a log source for Guardium events
This procedure documents how to configure QRadar to receive Guardium log files.
1. Log in to QRadar SIEM interface.

2. In the QRadar Console header, select the Admin tab and click Data Sources.

5
3. On the Data Source pane, click Log Sources.

A new browser tab displays the IBM QRadar Log Source Management window.

6
4. Click Log Sources.

The QRadar Log source Management window opens.

5. Click the New Log Source menu and select +Quick Log Source.

The Add a Log Source dialog opens.

6. On the Overview tab, add the Name and Description.

7. In Log Source Type, type Guardium to filter the selections. Then, choose Guardium.

7
8. For Protocol Type, leave the default, Syslog.

9. Click the Protocol tab.

If the Log Source Identifier is not properly configured, QRadar will not display the events
correctly. You must find the log source identifier in the GUI of the Guardium collector that sends
events to QRadar.
10. To find the log source identifier, log in to Guardium and navigate to Setup > Tools and Views,
then page down and select System.

8
 The System Configuration window opens.

11. Copy the System Hostname. This value is the log source identifier.
12. Return to QRadar and in the Log Source Identifier field, paste the Guardium System Hostname.
13. Click Create.

The dialog closes and the Log Source Management window shows the new log source.

9
14. Click the QRadar Admin tab and notice the undeployed changes.

15. Click Deploy Changes.

16. The message updates to show that there are no changes to deploy.

Now, QRadar is configured to accept events from Guardium.

10
3 Configure Guardium to send events to QRadar
Configuring Guardium to send events to QRadar includes the following tasks:
• Create and install a policy
• Verify that the Alerter service is running
• Send Guardium syslog to QRadar SIEM
• Review policy violations

3.1 Create and install a policy

Use this task to create and install a Guardium policy that can send systog messages. Use these steps
to create a policy that will send syslog messages.
1. Navigate to Protect > Security Policies > Policy Builder for Data.

2. Select the PCI template and click Clone.

The Create New Policy pane opens.

There are many ways to create a Guardium policy that sends events to QRadar SIEM. This
procedure documents one example of how a policy might be configured. This procedure clones
the PCI report and makes changes to it.

11
3. Name the policy. This scenario uses the name Demo QRadar Policy.

4. For Category, select PCI.

5. Click Rules and expand the rules.

6. Select all the rules except for rules 1, 9, and 17 and click Remove.

7. Close the confirmation dialog.

The policy now includes 3 rules.

12
8. Select the first rule, Exception Rule: Fail Login – Log Violation, and click Edit.

9. Expand Rule criteria.

10. For Session level criteria, change the Server IP Address filter to PCI Authorized Server IPs.

11. Expand Rule action.

12. To add a new rule action, click Add Action and select Alert > Alert Per Match.

13
 The Add New Action pane opens.

13. For Message Template, select LEEF.

14. For Notification Type, select SYSLOG.

15. Click OK.

The rule actions must send alerts to the syslog file. QRadar uses the log event extended format
(LEEF) template to parse the data, therefore the alert in this example must use the LEEF
template.

14
16. To save the change for the first rule, click OK.

17. Select the second rule, Access: Suspicious Users, Cardholder Objects – Log Info, and click
Edit.

18. Expand Rule criteria.

19. For Session level criteria, change the Server IP Address filter to PCI Authorized Server IPs.

20. To add a new rule action, click Add Action and select Alert > Alert Per Match.
The Add New Action pane opens.

15
21. For Message Template, select LEEF.

22. For Notification Type, select SYSLOG.

23. Click OK.

24. To save the change for the second rule, click OK.

25. Select the third rule, Extrusion: Credit Card numbers. Unauthorized Users – Log Violation
and click Edit.

26. Expand Rule criteria.

16
27. For Session level criteria, change the Server IP Address filter to PCI Authorized Server IPs.

28. To add a new rule action, click Add Action and select Alert > Alert Per Match.
The Add New Action pane opens.

17
29. For Message Template, select LEEF.

30. For Notification Type, select SYSLOG.

31. Click OK.

32. To save the change for the third rule, click OK.

33. On the Security Policies page, make sure that the Demo QRadar Policy is selected.

34. To install the policy, from the Install menu, select Install.

35. In the Install policy window, select Install and override and click OK.

36. Click OK and close the confirmation message.

The Security policies pane shows that the policy is installed, and the “Last Installed” column is
updated.

18
3.2 Verify that the Alerter service is running
For Guardium to send email messages, SNMP traps, and alert-relates syslog messages, the Alerter
must be active. Use these steps to verify that the Alerter is running.
1. To verify that the Alerter is running, navigate to Setup > Tools and Views > Alerter.

The Alerter dialog opens.

19
2. Verify that the Alerter is running. If the Alerter is not Active, select Active on startup and click
Restart

3. Close the Alerter dialog.

Now, Guardium can send events to QRadar.

20
3.3 Send Guardium syslog to QRadar SIEM
To configure the Guardium collector to send syslog to a remote server, use the Guardium Command
Line Interface (CLI).
1. On the database server, start a terminal window.
2. To gain access to the CLI command prompt, use the command ssh cli@<database
server IP address> and password <password for the database server>.

During initial login, you might be prompted to change your password.

3. Following a successful login, the CLI prompt opens.

21
4. To verify the configuration, type the following command and press Enter:

show remotelog host

5. To forward all info, warning, error and alert types of messages to a remote server, type the
following command:

store remotelog add non_encrypted daemon.all <QRadar SIEM IP address>

udp

6. To forward specific types of messages, use these commands:

store remotelog add non_encrypted daemon.info <QRadar SIEM IP address>

udp

store remotelog add non_encrypted daemon.warning <QRadar SIEM IP

address> udp

store remotelog add non_encrypted daemon.err <QRadar SIEM IP address>

udp

store remotelog add non_encrypted daemon.alert <QRadar SIEM IP

address> udp

22
7. To send alert messages from File Activity Monitoring, use the following command to forward the
messages to syslog:

store remotelog add non_encrypted user.all <QRadar SIEM IP address>

udp

Note: At this point in the process, generate some traffic that triggers a Guardium alert. This
example reflects a login failure, a suspicious user, and unauthorized users scanning for
credit card numbers.

8. To end the session, type the following command and press Enter:

exit

3.4 Review policy violations

Use these steps to validate that policy violations are triggered in Guardium. These violations are
sent to QRadar SIEM.
1. To verify that a policy violation is triggered in Guardium, navigate to Comply > Reports >
Incident Management.

23
2. Verify that the Policy Violation/Incident Management report lists policy violations.

3. To verify that alerts were sent to syslog, return to the Guardium console.
4. In the search bar, type Alert Messages and select the report.

24
5. Scroll to the Alert Messages report and verify that the syslog messages are listed.

6. To view the policy violations in QRadar SIEM, log in to QRadar SIEM.

7. Select the Log Activity tab.

25
8. In the Quick Search drop down, select Guardium Data Protection Events.

9. Open the report.

10. If there are no logs in the real time window, change the View to Last 5 minutes.

26
11. Review the report.

12. To view the information associated an event, double-click an Event Name.

The Event Information pane opens.

13. Page down to view the payload, Custom Rules that were applied to the event, the
Annotations that describe how QRadar adjusted the relevance of the event, and identity
information.

Guardium and QRadar SIEM are integrated.

27
4 Summary
In this document, you learned how to:
• Create a log source in QRadar SIEM to receive Guardium events
• Configure Guardium to send events to QRadar SIEM

28
Appendix A. Integrating with SIEMs
Guardium can send events to multiple SIEM systems.

Guardium severity Syslog priority

Info info

Low warning

Med err

High alert

Syslog can be mapped in the following manner:

• Info and low alerts to go to IP address #1
• Medium alerts to go to IP address #2
• High alerts to go to IP address #3
This is an example:
store remotelog add encrypted all.info 10.70.147.100 udp ===> info
store remotelog add encrypted all.warning 10.70.147.100 udp ===> low
store remotelog add encrypted all.err 10.70.147.76 udp ===> med
store remotelog add encrypted all.alert 10.70.147.73 udp ===> high

Note: Messages can send the full SQL with masked values. To do so, open the Setup >
Tools and Views > Global Profile > Alert Message template. Change the template from
%%SQLString to %%SQLNoValue, and Save the template.

29