IBM Security Network IPS (GX)
The IBM Security Network IPS (GX) DSM for IBM Security JSA collects LEEF-based events from IBM Security Network IPS appliances by using the syslog protocol.
The following table identifies the specifications for the IBM Security Network IPS (GX) DSM:
Security Network IPS (GX)
RPM file name
v4.6 and later (UDP)
v4.6.2 and later (TCP)
JSA recorded events
Security alerts (including IPS and SNORT)
IPS events (including security, connection, user defined, and OpenSignature policy events)
To integrate the IBM Security Network IPS (GX) appliance with JSA, use the following steps:
- If automatic updates are not enabled, download and install the most recent version of the IBM Security Network IPS (GX) RPMs on your JSA Console.
- For each instance of IBM Security Network IPS (GX), configure your IBM Security Network IPS (GX) appliance to enable communication with JSA.
- If JSA does not automatically discover the log source, create a log source for each instance of IBM Security Network IPS (GX) on your network.
Configuring Your IBM Security Network IPS (GX) Appliance for Communication with JSA
To collect events with JSA, you must configure your IBM Security Network IPS (GX) appliance to enable syslog forwarding of LEEF events.
Ensure that no firewall rules block the communication between your IBM Security Network IPS (GX) appliance and JSA.
- Log in to your IPS Local Management Interface.
- From the navigation menu, select Manage System Settings > Appliance > LEEF Log Forwarding.
- Select the Enable Local Log check box.
- In the Maximum File Size field, configure the maximum file size for your LEEF log file.
- From the Remote Syslog Servers pane, select the Enable check box.
- In the Syslog Server IP/Host field, type the IP address of your JSA console or Event Collector.
- In the TCP Port field, type 514 as the port for forwarding LEEF log events.
  If you use v4.6.1 or earlier, use the UDP Port field.
- From the event type list, enable any event types that are forwarded to JSA.
- If you use a TCP port, configure the crm.leef.fullavp tuning parameter:
  - From the navigation menu, select Manage System Settings > Appliance > Tuning Parameters.
  - Click Add Tuning Parameters.
  - In the Name field, type crm.leef.fullavp.
  - In the Value field, type true.
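To confirm that what reaches the collector on port 514 is well-formed LEEF, the following added example (not part of the original documentation, and not IBM or JSA code) parses syslog lines using the publicly documented LEEF 1.0 and 2.0 header layouts, which goes beyond this page because the page shows no event sample. The host name, vendor, product, event ID and attribute values in SAMPLES are constructed, and parse_leef is a hypothetical helper name.

```python
import re

# The syslog header (priority, timestamp, host) precedes the LEEF payload.
LEEF_START = re.compile(r"LEEF:(1\.0|2\.0)\|")
HEADER_KEYS = ("vendor", "product", "version", "event_id")

def parse_leef(line):
    """Return a dict for a syslog line carrying LEEF, or None if it is not valid LEEF."""
    m = LEEF_START.search(line)
    if m is None:
        return None
    leef_ver = m.group(1)
    # 1.0: LEEF:1.0|vendor|product|version|eventID|attributes
    # 2.0: LEEF:2.0|vendor|product|version|eventID|delimiter|attributes
    n_header = 6 if leef_ver == "2.0" else 5
    parts = line[m.start():].rstrip("\r\n").split("|", n_header)
    if len(parts) < n_header + 1:
        return None  # header truncated before the attribute section
    delim = "\t"  # LEEF default attribute separator
    if leef_ver == "2.0" and parts[5]:
        # Delimiter is a literal character or a hex code such as x09 / 0x09.
        hexm = re.fullmatch(r"(?:0x|x)([0-9A-Fa-f]{1,4})", parts[5])
        delim = chr(int(hexm.group(1), 16)) if hexm else parts[5]
    attrs = {}
    for pair in parts[-1].split(delim):
        key, sep, value = pair.partition("=")
        if sep and key:
            attrs[key] = value
    event = dict(zip(HEADER_KEYS, parts[1:5]))
    event.update(leef_version=leef_ver, attrs=attrs)
    return event

# Constructed sample lines (not captured from a real appliance).
SAMPLES = [
    "<13>Jan 10 12:00:01 ips-gx-01 LEEF:1.0|ExampleVendor|ExampleIPS|4.6|"
    "Example_Event|src=192.0.2.10\tdst=198.51.100.7\tsev=5",
    "<13>Jan 10 12:00:02 ips-gx-01 LEEF:2.0|ExampleVendor|ExampleIPS|4.6.2|"
    "Example_Event|^|src=192.0.2.10^dst=198.51.100.7",
    "<13>Jan 10 12:00:03 ips-gx-01 plain syslog message, not LEEF",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        event = parse_leef(sample)
        print("NOT LEEF" if event is None else (event["event_id"], event["attrs"]))
```

Lines that come back as None are the ones to investigate before troubleshooting log source discovery in JSA.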
Configuring an IBM Security Network IPS (GX) Log Source in JSA
JSA automatically discovers and creates a log source for syslog events from IBM Security Network IPS (GX) appliances. However, you can manually create a log source for JSA to receive syslog events.
- Click the Admin tab.
- Click the Log Sources icon.
- Click Add.
- In the Log Source Name field, type a name for your log source.
- From the Log Source Type list, select IBM Security Network IPS (GX).
- Using the Protocol Configuration list, select Syslog.
- Configure the parameters:
  - Log Source Identifier: The IP address or host name for the log source as an identifier for events from your IBM Security Network IPS (GX) appliance.
  - The credibility indicates the integrity of an event or offense as determined by the credibility rating from the source devices. Credibility increases if multiple sources report the same event.
  - Enables the log source to coalesce (bundle) events.
  - Incoming Event Payload: The incoming payload encoder for parsing and storing the logs.
- Click Save.
- On the Admin tab, click Deploy Changes.