Configuring a SIFT-IT Agent

Arpeggio SIFT-IT can forward syslog events in LEEF format with SIFT-IT agents.

A SIFT-IT agent configuration defines the location of your JSA installation, the protocol and formatting of the event message, and the configuration rule set.

  1. Log in to your IBM iSeries.
  2. Type the following command and press Enter to add SIFT-IT to your library list:

    ADDLIBLE SIFTITLIB0

  3. Type the following command and press Enter to access the SIFT-IT main menu:

    GO SIFTIT

  4. From the main menu, select 1. Work with SIFT-IT Agent Definitions.
  5. Type 1 to add an agent definition for JSA and press Enter.
  6. In the SIFT-IT Agent Name field, type a name.

    For example, JSA.

  7. In the Description field, type a description for the agent.

    For example, Arpeggio agent for JSA.

  8. In the Server host name or IP address field, type the location of your JSA console or Event Collector.
  9. In the Connection type field, type *TCP, *UDP, or *SECURE.

    The *SECURE option requires the TLS protocol.

  10. In the Remote port number field, type 514.

    By default, JSA supports both TCP and UDP syslog messages on port 514.

  11. In the Message format options field, type *JSA.
  12. Optional: Configure any additional parameters for attributes that are not JSA specific.

    The additional operational parameters are described in the SIFT-IT User Guide.

  13. Press F3 to exit to the Work with SIFT-IT Agents Description menu.
  14. Type 9 and press Enter to load a configuration rule set for JSA.
  15. In the Configuration file field, type the path to your JSA configuration rule set file.

    Example:

    /sifitit/Qradarconfig.txt

  16. Press F3 to exit to the Work with SIFT-IT Agents Description menu.
  17. Type 11 to start the JSA agent.

Syslog events that are forwarded by Arpeggio SIFT-IT in LEEF format are automatically discovered by JSA. In most cases, the log source is automatically created in JSA after a few events are detected. If the event rate is low, you might be required to manually create a log source for Arpeggio SIFT-IT in JSA.

Until the log source is automatically discovered and identified, the event type displays as Unknown on the Log Activity tab of JSA.
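
When the event type stays Unknown, one useful check is whether the payload arriving on port 514 is well-formed LEEF. The following Python parser is an added example, not part of the original page or of SIFT-IT or JSA; it follows the published LEEF 1.0/2.0 header layout, and the sample lines and all their field values are constructed placeholders.

```python
import re

_HEX_DELIM = re.compile(r"^(?:0x|x)([0-9A-Fa-f]{2,4})$")

def _delimiter(field):
    """Decode the LEEF 2.0 delimiter field: one literal char or a hex code."""
    if field == "":
        return "\t"
    m = _HEX_DELIM.match(field)
    if m:
        return chr(int(m.group(1), 16))
    if len(field) == 1:
        return field
    raise ValueError(f"bad LEEF 2.0 delimiter field {field!r}")

def parse_leef(line):
    """Parse the LEEF payload of one syslog line into header and attributes."""
    start = line.find("LEEF:")
    if start < 0:
        raise ValueError("no LEEF header in message")
    parts = line[start:].rstrip("\r\n").split("|", 5)
    if len(parts) < 6:
        raise ValueError("truncated LEEF header")
    version = parts[0][len("LEEF:"):]
    vendor, product, product_version, event_id, rest = parts[1:]
    delim = "\t"  # LEEF 1.0 attributes are always tab separated
    if version == "2.0":
        head, sep, tail = rest.partition("|")
        if sep and "=" not in head:  # optional delimiter field is present
            delim, rest = _delimiter(head), tail
    elif version != "1.0":
        raise ValueError(f"unsupported LEEF version {version!r}")
    attrs = {}
    for pair in filter(None, rest.split(delim)):
        key, eq, value = pair.partition("=")
        if not eq:
            raise ValueError(f"attribute without '=': {pair!r}")
        attrs[key] = value
    return {"version": version, "vendor": vendor, "product": product,
            "product_version": product_version, "event_id": event_id,
            "attrs": attrs}

# Constructed sample lines; header and attribute values are placeholders,
# not captured SIFT-IT output.
SAMPLES = [
    "<13>Jan 18 11:07:53 iseries01 LEEF:1.0|Arpeggio|SIFT-IT|0.0|EVT1|usrName=TESTUSER\tsrc=192.0.2.10",
    "<13>Jan 18 11:07:54 iseries01 LEEF:2.0|Arpeggio|SIFT-IT|0.0|EVT2|x5E|usrName=TESTUSER^src=192.0.2.10",
    "<13>Jan 18 11:07:55 iseries01 message that is not LEEF",
]
```

A line that raises `ValueError` here is a candidate explanation for events that JSA cannot identify.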