Configuring Epic SIEM 2017 to Communicate with JSA
To collect events in JSA, you must configure the messaging queue values on your Epic SIEM 2017 system.
- From the command line, select Interconnect Administrator's Menu > Messaging Queues Setup.
- Type an asterisk (*) to create the EMPSYNC queue.
- Enter the queue values identified in the following table for each of the prompts.

Table 1: Queue Values for EMPSYNC Prompts

| Prompt | Value |
| --- | --- |
| Queue ID | Type an ID for the queue. |
| Queue Name | EMPSYNC |
| Descriptor | EMPSYNC |
| Run on Node | Press the Enter key. The value is automatically populated. |
| IC Servers | Press the Enter key, without typing a value. |
| Edit advanced settings for this queue? | Yes |
| Does this queue handle synchronous outgoing messages? | Yes |
| Associate this descriptor with a queue type for outgoing communication? | Yes |
| Queue Type | EMP |

- Type an asterisk (*) to create the EMPASYNC queue.
- Enter the queue values identified in the following table for each of the prompts.

Table 2: Queue Values for EMPASYNC Prompts

| Prompt | Value |
| --- | --- |
| Queue ID | Type an ID for the queue. |
| Queue Name | EMPASYNC |
| Descriptor | EMPASYNC |
| Run on Node | Press the Enter key. The value is automatically populated. |
| IC Servers | Press the Enter key, without typing a value. |
| Edit advanced settings for this queue? | Yes |
| Does this queue handle synchronous outgoing messages? | No |
| Associate this descriptor with a queue type for outgoing communication? | Yes |
| Queue Type | EMP |

- Deploy a new interconnect instance by using Kuiper.
- Access the Interconnect Configuration Editor in Windows by clicking Start > Epic 2017 > Interconnect > your_instance > Configuration Editor.
- Select the General Web Service Host role.
- In Cache Connections, manually add the queue by the queue type, EMP.
- Set the number of threads to 2.
For more information about thread count recommendations, see your Epic documentation.
Note: Do not enable any services on the Business Services tab.
- Log in to your Epic server.
- Click Epic System Definitions (%ZeUSTBL) > Security > Auditing Options > SIEM Syslog Settings.
- Select SIEM Syslog Configuration, and then configure the following parameters:

| Parameter | Value |
| --- | --- |
| SIEM Host | Your JSA Event Collector host name or IP address. |
| SIEM Port | 514 |
| SIEM Format | LEEF (Log Event Extended Format) |
| Check Application Layer Response | Disable |

- Return to the SIEM Syslog Settings Menu.
- If you want to reduce traffic that comes in to your SIEM system, disable the auditing events that your system does not require:
  - Click SIEM Syslog Configuration Options > Edit Events List.
  - From the Edit Events List, select T for each event that you want to disable.
  - Click Q to quit.
- Select SIEM Syslog and set it to Enabled.

Note: The SIEM Syslog Sending daemon is automatically started when the environment is set to runlevel Up or when you enable SIEM Syslog. If you want to stop the daemon, from the SIEM Syslog Settings menu, click SIEM Syslog and set it to Disabled.
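
After SIEM Syslog is enabled, you can confirm that what arrives on port 514 is well-formed LEEF before troubleshooting parsing in JSA. The following parser is an added example, not part of the Juniper or Epic documentation; the sample lines are constructed, and the vendor, product, event ID, and attribute names in them are placeholders rather than real Epic values.

```python
import re

# Constructed sample payloads (not captured from an Epic system).
# Vendor, product, event ID and attribute names are placeholders.
SAMPLES = [
    "<134>Jan 10 12:00:01 epic-host LEEF:1.0|ExampleVendor|ExampleProduct|1.0|"
    "EXAMPLE_EVENT|usrName=jdoe\tsrc=192.0.2.10\tdevTime=Jan 10 2017 12:00:01",
    "<134>Jan 10 12:00:02 epic-host LEEF:2.0|ExampleVendor|ExampleProduct|1.0|"
    "EXAMPLE_EVENT|^|usrName=jdoe^src=192.0.2.10",
    "<134>Jan 10 12:00:03 epic-host CEF:0|ExampleVendor|ExampleProduct|1.0|100|n|5|src=192.0.2.10",
]

HEADER_NAMES = ("version", "vendor", "product", "product_version", "event_id")


def parse_leef(line):
    """Return (header, attributes) for a LEEF event, or None if the line is not valid LEEF."""
    start = line.find("LEEF:")
    if start < 0:
        return None  # wrong SIEM Format selected, or not an event payload
    version = line[start + 5:].split("|", 1)[0]
    if version not in ("1.0", "2.0"):
        return None
    # LEEF 1.0 has 5 header fields before the attributes; 2.0 adds a delimiter field.
    n_fields = 6 if version == "2.0" else 5
    parts = line[start:].split("|", n_fields)
    if len(parts) != n_fields + 1:
        return None  # truncated header
    header = dict(zip(HEADER_NAMES, [version] + parts[1:5]))
    delim = "\t"  # default attribute delimiter
    if version == "2.0" and parts[5]:
        # Delimiter field is a literal character or a hex code such as 0x09 / x09.
        m = re.fullmatch(r"0?x([0-9A-Fa-f]{2,4})", parts[5])
        delim = chr(int(m.group(1), 16)) if m else parts[5]
    attrs = {}
    for pair in parts[-1].split(delim):
        key, sep, value = pair.partition("=")
        if sep and key:
            attrs[key.strip()] = value
    return header, attrs


if __name__ == "__main__":
    for sample in SAMPLES:
        print(parse_leef(sample) or "NOT LEEF: " + sample[:60])
```

A line that returns `None` points to a format mismatch on the sending side, such as a SIEM Format other than LEEF.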