Enable and configure SIEM integration
Steps
- On the page SIEM Integration, mark the check box Enable SIEM integration for all email appliances.
  The SIEM configuration settings are enabled for editing.
- In the entry field IP address or hostname, enter the IP address or hostname for the SIEM integration server.
- In the entry field Port, enter the port number for the SIEM integration server. The default is 514.
- From the section Transport protocol, select the protocol used for data transport: UDP or TCP.
  User Datagram Protocol (UDP) is a transport layer protocol in the Internet protocol suite. UDP is stateless and therefore faster than Transmission Control Protocol (TCP), but it can be unreliable. Like UDP, TCP is a transport layer protocol, but it provides reliable, ordered data delivery at the expense of transport speed.
  Tip: When using TCP, it is recommended to end all logs with %<\n>, so that the receiver can tell where one log message ends in the byte stream.
- From the pull-down menu SIEM format, select the format to be used in SIEM logs.
  The format determines the syntax of the string used to pass log data to the integration.
  - The available formats are syslog/CEF (ArcSight), syslog/key-value pairs (Splunk and others), syslog/LEEF (QRadar), and Custom.
  - When Custom is selected, the text boxes are populated with the CEF format and can be edited as needed. The maximum size for each format is 2048 characters. No logs are saved to the SIEM server for any log field whose format is left blank. Selecting a new template resets any edited custom format to the default.
  - Sample formats are displayed for the non-custom options.
- Confirm that the SIEM product is properly configured and can receive messages from the email software: click Send Test Message.
  Check the SIEM server log entries to verify that the test message was delivered.
- From the bottom of the page SIEM Integration, click OK.
  The SIEM configuration settings are saved. See SIEM: Email Logs.
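A way to check the test-message step from the receiving side, as an added example that is not part of the product documentation: it stands in for the SIEM server on a loopback port, sends a message over UDP or TCP (adding the trailing newline the tip recommends for TCP), and classifies what arrives as CEF, LEEF or key-value. The sample lines, vendor name, hostname and addresses are constructed placeholders, not appliance output.

```python
import re
import socket

# Constructed sample syslog lines in the three non-custom formats (placeholder values).
SAMPLES = {
    "cef": "<14>Mar  1 12:00:00 esg01 CEF:0|ExampleVendor|EmailSecurity|1.0|100|Message quarantined|5|src=192.0.2.10 suser=alice@example.test",
    "leef": "<14>Mar  1 12:00:00 esg01 LEEF:1.0|ExampleVendor|EmailSecurity|1.0|100|src=192.0.2.10\tusrName=alice@example.test",
    "kv": "<14>Mar  1 12:00:00 esg01 vendor=ExampleVendor product=EmailSecurity action=quarantined src=192.0.2.10",
}


def detect_format(line: str) -> str:
    """Classify one received syslog line as 'cef', 'leef', 'kv' or 'unknown'."""
    body = re.sub(r"^<\d{1,3}>", "", line.rstrip("\r\n"))  # drop the syslog PRI prefix
    if "CEF:" in body:
        return "cef"
    if "LEEF:" in body:
        return "leef"
    if re.search(r"\b\w+=\S", body):  # at least one key=value token
        return "kv"
    return "unknown"


def send_test_message(line: str, host: str, port: int, proto: str) -> bytes:
    """Send one message as the appliance would; TCP gets the trailing newline the tip recommends."""
    payload = line.encode()
    if proto == "udp":
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.sendto(payload, (host, port))
    elif proto == "tcp":
        payload += b"\n"  # without a delimiter a TCP receiver cannot tell where one log ends
        with socket.create_connection((host, port), timeout=5) as s:
            s.sendall(payload)
    else:
        raise ValueError("proto must be 'udp' or 'tcp'")
    return payload


def roundtrip(line: str, proto: str) -> str:
    """Stand in for the SIEM server on loopback, send the message, return what arrived."""
    kind = socket.SOCK_DGRAM if proto == "udp" else socket.SOCK_STREAM
    with socket.socket(socket.AF_INET, kind) as srv:
        srv.bind(("127.0.0.1", 0))  # port 0 = any free port; the real default is 514
        srv.settimeout(5)
        if proto == "tcp":
            srv.listen(1)
        send_test_message(line, "127.0.0.1", srv.getsockname()[1], proto)
        if proto == "udp":
            data, _ = srv.recvfrom(65535)
        else:
            conn, _ = srv.accept()
            with conn:
                data = b"".join(iter(lambda: conn.recv(4096), b""))  # read until sender closes
    return data.decode()
```

Point `send_test_message` at the real SIEM host and port 514 to reproduce what Send Test Message does, then confirm the line appears in the SIEM server log.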