Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

IBM Security Network Security (XGS)


The IBM Security Network Security (XGS) DSM accepts events by using the Log Enhanced Event Protocol (LEEF), which enables JSA to record all relevant events.

The following table identifies the specifications for the IBM Security Network Security (XGS) DSM:

Table 1: IBM Security Network Security (XGS) Specifications






Security Network Security (XGS)

RPM file name


Supported versions

v5.0 with fixpack 7 to v5.4


syslog (LEEF)

JSA recorded events

All relevant system, access, and security events

Automatically discovered


Includes identity


More information

Before you configure an Network Security Security (XGS) appliance in JSA, you must configure remote syslog alerts for your IBM Security Network Security (XGS) rules or policies to forward events to JSA.

Configuring IBM Security Network Security (XGS) Alerts

All event types are sent to JSA by using a remote syslog alert object that is LEEF enabled.

Remote syslog alert objects can be created, edited, and deleted from each context in which an event is generated. Log in to the Network Security Security (XGS) local management interface as admin to configure a remote syslog alert object, and go to one of the following menus:

  • Manage >System Settings >System Alerts (System events)

  • Secure >Network Access Policy (Access events)

  • Secure >IPS Event Filter Policy (Security events)

  • Secure >Intrusion Prevention Policy (Security events)

  • Secure >Network Access Policy >Inspection >Intrusion Prevention Policy

In the IPS Objects, the Network Objects pane, or the System Alerts page, complete the following steps.

  1. Click New >Alert >Remote Syslog.
  2. Select an existing remote syslog alert object, and then click Edit.
  3. Configure the following options:

    Table 2: Syslog Configuration Parameters




    Type a name for the syslog alert configuration.

    Remote Syslog Collector

    Type the IP address of your JSA console or Event Collector.

    Remote Syslog Collector Port

    Type 514 for the Remote Syslog Collector Port.

    Remote LEEF Enabled

    Select this check box to enable LEEF formatted events. This is a required field.

    If you do not see this option, verify that you have software version 5.0 and fixpack 7 installed on your IBM Security Network Security appliance.


    Typing a comment for the syslog configuration is optional.

  4. Click Save Configuration.

    The alert is added to the Available Objects list.

  5. To update your IBM Security Network Security (XGS) appliance, click Deploy.
  6. Add the LEEF alert object for JSA to the following locations:
    • One or more rules in a policy

    • Added Objects pane on the System Alerts page

  7. Click Deploy

    For more information about the Network Security Security (XGS) device, click Help in the Network Security Security (XGS) local management interface browser client window or access the online Network Security Security (XGS) documentation.

Configuring a Log Source in JSA

JSA automatically discovers and creates a log source for LEEF-enabled syslog events from IBM Security Network Security (XGS). The following configuration steps are optional.

  1. Click the Admin tab.
  2. Click the Log Sources icon.
  3. Click Add.
  4. In the Log Source Name field, type a name for your log source.
  5. From the Log Source Type list, select IBM Security Network Security (XGS).
  6. Using the Protocol Configuration list, select Syslog.
  7. Configure the following values:

    Table 3: Syslog Parameters



    Log Source Identifier

    Type the IP address or host name for the log source as an identifier for events from your IBM Security Network Security (XGS).

  8. Click Save.
  9. On the Admin tab, click Deploy Changes.