Configure SIEM integration

Steps

  1. In the entry field IP address or hostname, enter the IP address or hostname for the SIEM integration server.
  2. In the entry field Port, enter the port number for the SIEM integration server. The default is 514.
  3. From the section Transport protocol, select the protocol used for data transport, either UDP or TCP.

    User Datagram Protocol (UDP) is a transport layer protocol in the Internet protocol suite. UDP is connectionless and therefore faster than Transmission Control Protocol (TCP), but it does not guarantee delivery, so messages can be lost without notice. Like UDP, TCP is a transport layer protocol, but it provides reliable, ordered data delivery at the expense of transport speed.

    Tip: When using TCP, it is recommended to end all logs with %<\n> so that the receiver can delimit consecutive log records on the stream.

    From the pull-down menu SIEM format, select the format to be used in SIEM logs.

    The format determines the syntax of the string used to pass log data to the integration.

    • The available formats are syslog/CEF (ArcSight), syslog/key-value pairs (Splunk and others), syslog/LEEF (QRadar), and Custom.
    • The text boxes populate with the CEF format when Custom is selected, and can be edited as needed. The maximum size for each format is 2048 characters. Any log fields left blank are not sent to the SIEM server. Selecting a new template returns any edited custom format to the default.
    • Sample formats display for non-custom options.
  4. To confirm that the SIEM product is properly configured and can receive messages from the email software, click Send Test Message.
  5. Configure additional SIEM settings and click OK. The SIEM configuration settings are saved.
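The following added example, which is not part of the product documentation above, shows how the three non-custom formats (syslog/CEF, syslog/key-value pairs, syslog/LEEF) can be assembled from one event, how blank fields are dropped, how the 2048-character limit is enforced, and how a TCP record is newline-terminated as the tip recommends. The event fields, vendor and product names, hostname and escaping rules are assumptions for illustration; the wire delivery helper uses the default port 514 from the steps above.

```python
"""Build syslog messages in CEF, key-value and LEEF styles for a SIEM
integration, honouring the 2048-character limit, skipping blank fields
and newline-terminating TCP records.  Example code, not product code."""
import socket
from datetime import datetime, timezone

MAX_LEN = 2048  # per-format limit stated in the configuration steps

# Constructed sample event (assumed field names and values).
SAMPLE_EVENT = {
    "vendor": "ExampleVendor",
    "product": "MailGateway",
    "version": "1.0",
    "event_id": "quarantine",
    "name": "Message quarantined",
    "severity": "5",
    "src": "192.0.2.10",
    "suser": "sender@example.com",
    "duser": "recipient@example.net",
    "msg": "",  # blank on purpose: must not appear in any output
}

CEF_HEADER = ("vendor", "product", "version", "event_id", "name", "severity")
LEEF_HEADER = ("vendor", "product", "version", "event_id")


def _fields(event, exclude=()):
    """Non-header fields with blank values removed."""
    return [(k, v) for k, v in event.items()
            if k not in exclude and v not in ("", None)]


def _esc_cef_header(value):
    return value.replace("\\", "\\\\").replace("|", "\\|")


def _esc_cef_ext(value):
    return (value.replace("\\", "\\\\").replace("=", "\\=")
            .replace("\n", "\\n"))


def format_cef(event):
    """CEF:0|Vendor|Product|Version|SignatureID|Name|Severity|Extension"""
    header = "|".join(_esc_cef_header(event[k]) for k in CEF_HEADER)
    ext = " ".join(f"{k}={_esc_cef_ext(v)}"
                   for k, v in _fields(event, CEF_HEADER))
    return f"CEF:0|{header}|{ext}"


def format_kv(event):
    """Space-separated key="value" pairs (Splunk-style), blanks dropped."""
    return " ".join(f'{k}="{v}"' for k, v in _fields(event))


def format_leef(event):
    """LEEF:1.0|Vendor|Product|Version|EventID|tab-separated attributes"""
    header = "|".join(event[k] for k in LEEF_HEADER)
    attrs = "\t".join(f"{k}={v}" for k, v in _fields(event, LEEF_HEADER))
    return f"LEEF:1.0|{header}|{attrs}"


FORMATTERS = {"CEF": format_cef, "KV": format_kv, "LEEF": format_leef}


def syslog_line(body, host="mailgw01", facility=16, severity=6, when=None):
    """Prefix a body with an RFC 3164-style <PRI>TIMESTAMP HOST header."""
    when = when or datetime.now(timezone.utc)
    pri = facility * 8 + severity  # local0.info -> 134
    stamp = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"  # space-padded day
    return f"<{pri}>{stamp} {host} {body}"


def build_message(event, fmt, transport):
    """Return the bytes to put on the wire for one event."""
    body = FORMATTERS[fmt](event)
    if len(body) > MAX_LEN:
        raise ValueError(f"{fmt} body is {len(body)} chars; limit {MAX_LEN}")
    line = syslog_line(body)
    if transport == "TCP":
        line += "\n"  # record delimiter for stream transport (the page's tip)
    return line.encode("utf-8")


def send(data, host, port=514, transport="UDP"):
    """Deliver one message over UDP (datagram) or TCP (stream)."""
    kind = socket.SOCK_STREAM if transport == "TCP" else socket.SOCK_DGRAM
    with socket.socket(socket.AF_INET, kind) as sock:
        if transport == "TCP":
            sock.connect((host, port))
            sock.sendall(data)
        else:
            sock.sendto(data, (host, port))


if __name__ == "__main__":
    for fmt in FORMATTERS:
        print(build_message(SAMPLE_EVENT, fmt, "TCP").decode().rstrip())
```

The `send` helper is only needed when actually delivering to a SIEM; `build_message` can be exercised offline to check that an edited custom template stays within the limit and produces the expected record before the Send Test Message step.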