
IBM Security Network IPS (GX)

 

The IBM Security Network IPS (GX) DSM for IBM Security JSA collects LEEF-based events from IBM Security Network IPS appliances by using the syslog protocol.

The following table identifies the specifications for the IBM Security Network IPS (GX) DSM:

| Parameter | Value |
|---|---|
| Manufacturer | IBM |
| DSM | Security Network IPS (GX) |
| RPM file name | DSM-IBMSecurityNetworkIPS-JSA_version-Build_number.noarch.rpm |
| Supported versions | v4.6 and later (UDP); v4.6.2 and later (TCP) |
| Protocol | syslog (LEEF) |
| JSA recorded events | Security alerts (including IPS and SNORT); Health alerts; System alerts; IPS events (including security, connection, user defined, and OpenSignature policy events) |
| Automatically discovered? | Yes |
| Includes identity? | No |

To integrate the IBM Security Network IPS (GX) appliance with JSA, use the following steps:

  1. If automatic updates are not enabled, download and install the most recent version of the IBM Security Network IPS (GX) RPMs on your JSA Console.

  2. For each instance of IBM Security Network IPS (GX), configure your IBM Security Network IPS (GX) appliance to enable communication with JSA.

  3. If JSA does not automatically discover the log source, create a log source for each instance of IBM Security Network IPS (GX) on your network.

Configuring Your IBM Security Network IPS (GX) Appliance for Communication with JSA

To collect events with JSA, you must configure your IBM Security Network IPS (GX) appliance to enable syslog forwarding of LEEF events.

Ensure that no firewall rules block the communication between your IBM Security Network IPS (GX) appliance and JSA.

  1. Log in to your IPS Local Management Interface.
  2. From the navigation menu, select Manage System Settings > Appliance > LEEF Log Forwarding.
  3. Select the Enable Local Log check box.
  4. In the Maximum File Size field, configure the maximum file size for your LEEF log file.
  5. From the Remote Syslog Servers pane, select the Enable check box.
  6. In the Syslog Server IP/Host field, type the IP address of your JSA console or Event Collector.
  7. In the TCP Port field, type 514 as the port for forwarding LEEF log events.

    Note: If you use v4.6.1 or earlier, use the UDP Port field.

  8. From the event type list, enable each event type that you want to forward to JSA.
  9. If you use a TCP port, configure the crm.leef.fullavp tuning parameter:
    1. From the navigation menu, select Manage System Settings > Appliance > Tuning Parameters.

    2. Click Add Tuning Parameters.

    3. In the Name field, type crm.leef.fullavp.

    4. In the Value field, type true.

    5. Click OK.
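A check to run over lines received on port 514 before troubleshooting log source discovery, as an added example that is not part of the original documentation: it parses the LEEF header and attributes and reports lines a collector could not parse. The sample lines, the `Example IPS` product string and the function names are constructed for illustration; the LEEF header layout and the `#011` tab escaping applied by some syslog relays are general knowledge, not taken from this page.

```python
import re

# Syslog line carrying LEEF: optional <PRI>, optional timestamp/host prefix, LEEF header.
LEEF_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?.*?LEEF:(?P<leef_version>[12]\.0)"
    r"\|(?P<vendor>[^|]*)\|(?P<product>[^|]*)\|(?P<product_version>[^|]*)"
    r"\|(?P<event_id>[^|]*)\|(?P<body>.*)$",
    re.DOTALL,
)
HEX_DELIM = re.compile(r"^(?:0x|x)([0-9A-Fa-f]{2,4})$")

def parse_leef(line):
    """Parse one received line; return None when it does not carry a LEEF header."""
    m = LEEF_RE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    event = m.groupdict()
    body, delim = event.pop("body"), "\t"  # LEEF 1.0 attributes are tab-separated
    if event["leef_version"] == "2.0" and "|" in body:
        first, rest = body.split("|", 1)   # LEEF 2.0 optional delimiter field
        hexm = HEX_DELIM.match(first)
        if hexm:
            delim, body = chr(int(hexm.group(1), 16)), rest
        elif len(first) == 1:
            delim, body = first, rest
    pairs = (p.split("=", 1) for p in body.split(delim) if "=" in p)
    event["attrs"] = {k.strip(): v for k, v in pairs}
    return event

def check_line(line):
    """Return the problems that would keep a collector from parsing the line."""
    event = parse_leef(line)
    if event is None:
        return ["no LEEF header: the collector would see plain syslog"]
    problems = []
    if "#011" in line:  # some relays escape control characters, tab included
        problems.append("tab delimiters were escaped to #011 by a syslog relay")
    if len(event["attrs"]) < 2:  # heuristic: a real event carries several attributes
        problems.append("fewer than two attributes parsed: check the delimiter")
    return problems

# Constructed sample lines (not captured from an appliance; values are placeholders).
GOOD = ("<134>Jan 01 00:00:00 ips-gx LEEF:1.0|IBM|Example IPS|4.6.2|ExampleEvent|"
        "src=192.0.2.10\tdst=198.51.100.7\tsev=5")
RELAYED = GOOD.replace("\t", "#011")
PLAIN = "<134>Jan 01 00:00:00 ips-gx sshd[101]: session opened"

if __name__ == "__main__":
    for sample in (GOOD, RELAYED, PLAIN):
        print(check_line(sample))
```
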

Configuring an IBM Security Network IPS (GX) Log Source in JSA

JSA automatically discovers and creates a log source for syslog events from IBM Security Network IPS (GX) appliances. However, you can manually create a log source for JSA to receive syslog events.

  1. Click the Admin tab.
  2. Click the Log Sources icon.
  3. Click Add.
  4. In the Log Source Name field, type a name for your log source.
  5. From the Log Source Type list, select IBM Security Network IPS (GX).
  6. Using the Protocol Configuration list, select Syslog.
  7. Configure the parameters:

    | Parameter | Description |
    |---|---|
    | Log Source Identifier | The IP address or host name for the log source as an identifier for events from your IBM Security Network IPS (GX) appliance. |
    | Credibility | The credibility indicates the integrity of an event or offense as determined by the credibility rating from the source devices. Credibility increases if multiple sources report the same event. |
    | Coalescing Events | Enables the log source to coalesce (bundle) events. |
    | Incoming Event Payload | The incoming payload encoder for parsing and storing the logs. |

  8. Click Save.
  9. On the Admin tab, click Deploy Changes.