
Re: How to Integrate SEM (LEM) to IBM XGS 3100 (IPS/IDS)


Hi wolram,

A case is already opened, but IBM does not support SolarWinds. Some of the replies are shared here.

"Thank you for contacting IBM Support! My name is Prateek Jain and I'll be assisting you with this SEV2 case regarding how to integrate an XGS to a SIEM via syslog.

I understand you would like to know how to set up an XGS to forward information to a SIEM via syslog. We have an article with a video below on creating the responses required in order to forward info to our QRadar SIEM. These directions should work for your SIEM as well, just skip the part about selecting "QRadar Format Enabled".

https://www.ibm.com/support/pages/configuring-ibm-security-network-protection-xgs-remote-syslog-send-events-qradar-siem

Let me know if you have any questions on this. Thank you for contacting IBM for support."

"IBM_XGS_Syslog_Setting.jpg shows that you have created a remote syslog response object, but it does not show if you are using this object in NAP or IPS object policy or not.

Firstly, you need to uncheck the checkbox "QRadar Format Enabled" in this remote syslog response object.

Also make sure that this object named "Solarwind syslog" is used in NAP or IPS objects (depending on the kind of events you want to send to your SIEM).

If you are not sure, please send us a support file from XGS to review the configuration:

https://www.ibm.com/support/pages/generating-support-file-ibm-security-network-protection-appliance-xgs"

"We have received the support file that you have submitted.  I wanted to mention that we do not support firmware 5.3.0.1, and haven't for a long time now.  Support for all firmware prior to 5.4.0.4 officially ended August 2018.  You need to make plans to upgrade to a supported version.  We also do not support Solarwinds, so we don't know what some of these screenshots that you sent in represent.

In regard to this case....What exactly are you trying to accomplish here?  Please be specific.

You've mentioned exporting XGS logs....and we responded with the remote syslog configuration.  To clarify, the rsyslog is a response to an event.  This can be a security event or a system event.  You have to apply the response to that event, and when that event occurs...the XGS will generate a syslog response targeting the host you configured in the response object.  However, this is not exporting system 'logs' such as /var/log/messages, etc.  In some of your screenshots, it appears you are trying to get the /var/log/auth.log file from an XGS.  For example, in the SEM_LEM_Syslog_Connector_Setting.jpg, you have some sort of 'connector' configuration that is referencing the /var/log/auth.log log file.

What is this connector meant to do and how?

The XGS platform does not have a /var/log/auth.log file.  You cannot pull or poll for that file on an XGS, it doesn't even exist.  You've also got a screenshot here of a CLI of what I presume is your Solarwinds host?  You have highlighted item 4 in a list, which also references 'Auth Log (Empty)'.  I'm trying to understand what exactly you are expecting here and how you intended to get this information from an XGS appliance?  I have a feeling there may be some confusion of exactly what you are trying to do, as well as what is even possible with the platform.

I'll go ahead and look at this support file to see what you have configured in regards to the remote syslog configuration...but it appears we are going to need a better explanation from you to ensure we understand the issue and are providing the appropriate response.  A screenshot without context or clarification is not sufficient."

"As I mentioned in my last response, I went ahead and looked at your support file.  You do not have any remote syslog object configuration applied to this appliance.  I presume your IBM_XGS_Syslog_Setting.jpg screenshot was taken in SiteProtector?

That remote syslog configuration from your screenshot is not on this box.  Also note, the rsyslog response object is a shared object which automatically deploys to every agent of that type in the repository.  Since the object itself is not actually on this box...that must mean that either:

-- you did not save that configuration so it has not applied to this box.

-- you are working in the wrong policy repository, so your configuration is not being inherited by this box.

-- you are working under the wrong firmware version and the version you are editing is not shared with this very old firmware version.

NOTE: The remote syslog object policy that would apply to this firmware version is shared between 5.3.1 up to version 5.3.2.  If you are editing this policy at a version later than 5.3.2 in SiteProtector, your policy changes do not apply to this appliance.

As Prateek also mentioned...that screenshot is just the configuration of the response object.  You have to make sure that you apply that response to the 'events' desired in order for the XGS to perform the response. When that 'event' occurs, the XGS will perform the 'responses' that are applied to that event.  There are several potential policy locations for these 'responses' to be applied.

For XGS System Events, you would need to apply the response in the System Alerts policy, to the desired System Alert Families.  You can find a description of the System Alerts here:

https://www.ibm.com/support/pages/system-event-code-list-ibm-security-network-protection-sensors

For XGS Security Event Detections, you would need to apply the response to the Intrusion Prevention policy object(s) that you are using in the Intrusion Prevention shared object policy.  An additional location associated with security events would be in an IPS Event Filter rule, in the IPS Event Filter policy.

For Network Access Protection rule matches, you would need to apply the response to a rule in the Network Access Protection policy.  This will create an 'Access' event when that rule is matched with traffic.  IMPORTANT NOTE:  Do NOT apply a response to the Any Any rule outside of limited testing...it can overload the sensor and cause performance and traffic impact.  Obviously that depends on the actual load of the sensor as to how much load that introduces.

For Advanced Threat Policy rule matches, you would need to apply the response to the appropriate ATP rules in the Advanced Threat Policy.  NOTE: If you are not using ATP agents to trigger quarantines on the XGS, you are not using this policy and do not need to add a response here."
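The IBM replies above make one point repeatedly: the remote syslog object is only a response, and nothing leaves the XGS until that response is attached to a System Alert, IPS, NAP or ATP event. A quick way to tell whether the SEM/LEM side of the problem is "nothing arrives" or "something arrives but is not understood" is to run a temporary UDP listener on the collector host and look at the raw lines. The script below is an added example for this thread; it is not code from the THWACK post, from IBM or from SolarWinds. It assumes (the page does not say so) that the XGS response emits RFC 3164-style lines of the form `<PRI>Mmm dd hh:mm:ss host msg` over UDP to port 514; the `SAMPLE_LINES` are constructed for an offline run and are not real XGS output.

```python
"""Check that a remote syslog response is reaching the collector.

Added example for the thread above; it is not code from the THWACK post,
IBM, or SolarWinds. Assumptions (not stated on the page): the XGS remote
syslog response emits RFC 3164-style lines ("<PRI>Mmm dd hh:mm:ss host msg")
over UDP, and the SEM/LEM collector listens on UDP/514. SAMPLE_LINES are
constructed for illustration and are not real XGS output.
"""
import re
import socket
from collections import defaultdict
from typing import Optional

# Standard syslog facility codes (RFC 3164 section 4.1.1), index = code.
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
# Standard syslog severity codes, 0 = emergency .. 7 = debug.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

_RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>"                              # PRI = facility*8 + severity
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "    # e.g. "Oct 11 22:14:15"
    r"(?P<host>\S+) "                                   # sending host (the XGS)
    r"(?P<msg>.*)$",
    re.S,
)


def parse_syslog(line: str) -> Optional[dict]:
    """Split one RFC 3164 line into its fields; return None if it is not syslog."""
    m = _RFC3164.match(line.strip())
    if m is None:
        return None
    pri = int(m.group("pri"))
    if pri > 191:  # largest valid PRI is 23*8 + 7
        return None
    return {
        "facility": FACILITIES[pri // 8],
        "severity": SEVERITIES[pri % 8],
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "msg": m.group("msg"),
    }


def summarize(lines) -> dict:
    """Count parsed lines per host and severity, plus how many were not syslog."""
    by_host = defaultdict(lambda: defaultdict(int))
    unparsed = 0
    for line in lines:
        rec = parse_syslog(line)
        if rec is None:
            unparsed += 1
            continue
        by_host[rec["host"]][rec["severity"]] += 1
    return {
        "parsed": sum(sum(v.values()) for v in by_host.values()),
        "unparsed": unparsed,
        "by_host": {h: dict(v) for h, v in by_host.items()},
    }


def listen(bind: str = "0.0.0.0", port: int = 514,
           max_packets: int = 10, timeout: float = 30.0) -> list:
    """Temporary UDP listener: collect up to max_packets datagrams, then stop.

    Run it on a test host, or on a port other than 514, so it does not compete
    with the SEM/LEM collector for the port the collector already owns.
    """
    records = []
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.bind((bind, port))
        while len(records) < max_packets:
            data, (src, _) = sock.recvfrom(8192)
            rec = parse_syslog(data.decode("utf-8", errors="replace"))
            records.append({"src": src, "raw": data, "parsed": rec})
    except socket.timeout:
        pass  # nothing arrived: the response is probably not applied to any event
    finally:
        sock.close()
    return records


# Constructed sample lines (not real XGS output) for an offline run.
SAMPLE_LINES = [
    "<134>Oct 11 22:14:15 xgs-lab IPS event: constructed sample signature, action=block",
    "<134>Oct 11 22:14:16 xgs-lab NAP event: constructed sample access rule match",
    "<13>Oct 11 22:15:01 xgs-lab System alert: constructed sample",
    "this line is not syslog at all",
]

if __name__ == "__main__":
    print(summarize(SAMPLE_LINES))
```

If `listen()` times out with no records, the problem is on the XGS side (the response object is not saved, not in the right repository, or not attached to any event, exactly the cases the last IBM reply lists). If records arrive but `parsed` is None, the lines are not RFC 3164, and the connector on the SEM side needs a different format, not a file such as /var/log/auth.log, which the XGS does not expose.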