
IBM Security Network IPS (GX)

 

The IBM Security Network IPS (GX) DSM for JSA collects LEEF-based events from IBM Security Network IPS appliances by using the syslog protocol.

The following table identifies the specifications for the IBM Security Network IPS (GX) DSM:

| Parameter | Value |
|---|---|
| Manufacturer | IBM |
| DSM | Security Network IPS (GX) |
| RPM file name | DSM-IBMSecurityNetworkIPS-JSA_version-Build_number.noarch.rpm |
| Supported versions | v4.6 and later (UDP); v4.6.2 and later (TCP) |
| Protocol | syslog (LEEF) |
| JSA recorded events | Security alerts (including IPS and SNORT); Health alerts; System alerts; IPS events (including security, connection, user defined, and OpenSignature policy events) |
| Automatically discovered? | Yes |
| Includes identity? | No |

To integrate the IBM Security Network IPS (GX) appliance with JSA, use the following steps:

  1. If automatic updates are not enabled, download and install the most recent version of the IBM Security Network IPS (GX) RPMs on your JSA Console.

  2. For each instance of IBM Security Network IPS (GX), configure your IBM Security Network IPS (GX) appliance to enable communication with JSA.

  3. If JSA does not automatically discover the log source, create a log source for each instance of IBM Security Network IPS (GX) on your network.

Configuring Your IBM Security Network IPS (GX) Appliance for Communication with JSA

To collect events with JSA, you must configure your IBM Security Network IPS (GX) appliance to enable syslog forwarding of LEEF events.

Ensure that no firewall rules block the communication between your IBM Security Network IPS (GX) appliance and JSA.

  1. Log in to your IPS Local Management Interface.
  2. From the navigation menu, select Manage System Settings > Appliance > LEEF Log Forwarding.
  3. Select the Enable Local Log check box.
  4. In the Maximum File Size field, configure the maximum file size for your LEEF log file.
  5. From the Remote Syslog Servers pane, select the Enable check box.
  6. In the Syslog Server IP/Host field, type the IP address of your JSA console or Event Collector.
  7. In the TCP Port field, type 514 as the port for forwarding LEEF log events.

    Note: If you use v4.6.1 or earlier, use the UDP Port field.

  8. From the event type list, enable the event types that you want to forward to JSA.
  9. If you use a TCP port, configure the crm.leef.fullavp tuning parameter:
    1. From the navigation menu, select Manage System Settings > Appliance > Tuning Parameters.

    2. Click Add Tuning Parameters.

    3. In the Name field, type crm.leef.fullavp.

    4. In the Value field, type true.

    5. Click OK.
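To confirm that the lines arriving on port 514 after these steps are well-formed LEEF, you can run captured syslog lines through a small parser. The following Python sketch is an added example, not part of the product documentation; it assumes the standard LEEF header layout (`LEEF:version|vendor|product|version|eventID|` followed by tab-delimited attributes, with an optional delimiter field in LEEF 2.0), and the host name, product string, event IDs, and attribute values in the sample lines are constructed placeholders.

```python
import re

LEEF_HEADER = re.compile(r"LEEF:(1\.0|2\.0)\|")
# LEEF 2.0 may name its attribute delimiter: one literal character or a hex code (x09, 0x09).
DELIM_FIELD = re.compile(r"(?:(?:0x|x)([0-9A-Fa-f]{2,4})|([^|=]))\|")

def parse_leef(line):
    """Parse one received syslog line; return a dict, or None if it has no valid LEEF header."""
    m = LEEF_HEADER.search(line)          # skips the syslog PRI/timestamp/host prefix
    if not m:
        return None
    fields = line[m.end():].rstrip("\r\n").split("|", 4)
    if len(fields) < 5:                   # header cut short: vendor|product|version|eventID|
        return None
    vendor, product, dev_version, event_id, rest = fields
    delim = "\t"                          # default attribute delimiter is a tab
    if m.group(1) == "2.0":
        d = DELIM_FIELD.match(rest)
        if d:
            delim = chr(int(d.group(1), 16)) if d.group(1) else d.group(2)
            rest = rest[d.end():]
    attrs = {}
    for pair in rest.split(delim):
        key, sep, value = pair.partition("=")
        if sep and key:                   # ignore fragments that are not key=value
            attrs[key.strip()] = value
    return {"leef": m.group(1), "vendor": vendor, "product": product,
            "version": dev_version, "event_id": event_id, "attrs": attrs}

def check_feed(lines):
    """Return (parsed, rejected, event_ids) for a batch of received lines."""
    parsed = [e for e in map(parse_leef, lines) if e]
    return len(parsed), len(lines) - len(parsed), {e["event_id"] for e in parsed}

# Constructed sample lines; host, product name, event IDs and attributes are placeholders.
SAMPLE = [
    "<134>Jan 12 10:15:01 ips-gx-01 LEEF:1.0|IBM|ExampleIPS|4.6.2|ExampleSecurityAlert|"
    "src=192.0.2.10\tdst=198.51.100.7\tsev=7",
    "<134>Jan 12 10:15:02 ips-gx-01 LEEF:2.0|IBM|ExampleIPS|4.6.2|ExampleHealthAlert|^|"
    "msg=disk usage high^sev=3",
    "<134>Jan 12 10:15:03 ips-gx-01 plain syslog message, not LEEF",
]

if __name__ == "__main__":
    print(check_feed(SAMPLE))
```

A non-zero rejected count on a live capture points to lines that reach the collector but would not be recognized as LEEF events.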

Syslog Log Source Parameters for IBM Security Network IPS (GX)

If JSA does not automatically detect the log source, add an IBM Security Network IPS (GX) log source on the JSA Console by using the Syslog protocol.

When you use the syslog protocol, you must configure specific parameters.

The following table describes the parameters that require specific values to collect Syslog events from IBM Security Network IPS (GX):

Table 1: Syslog Log Source Parameters for the IBM Security Network IPS (GX) DSM

| Parameter | Value |
|---|---|
| Log Source type | IBM Security Network IPS (GX) |
| Protocol Configuration | Syslog |
| Log Source Identifier | The IP address or host name for the log source as an identifier for events from your IBM Security Network IPS (GX) appliance. |