Configuring QRadar

This section explains how to configure IBM QRadar to properly receive, parse, and visualize log data from Secret Server. Complete each of the following steps to enable full integration support.

Set up a log source extension in QRadar to identify and associate incoming log traffic from Secret Server with the correct log source type.

Define the actual log source in QRadar using the Quick Log Source method to complete log ingestion setup. This ensures logs are mapped to the Delinea Secret Server source.

Step 1: Create a Log Source Extension in QRadar

  1. Log in to QRadar.

  2. Navigate to the Admin tab.

  3. Select Log Source Extensions.

  4. Select Add.

  5. Add a name and description for the Log Source Extension.

  6. Select the appropriate Log Source Type from the displayed list.

  7. Select Choose File.

  8. Select the XML file you created in step 1 with the provided example.

  9. Select Upload.

  10. Select the log source extension and set it to the default.

  11. Select Save.

Step 2: Create a Log Source in QRadar

  1. Go to Log Sources.

  2. Expand the New Log Source dropdown.

  3. Select the Quick Log Source option.

  4. Open the Overview tab, and provide a name for your log source in the Name field.

  5. In the Log Source Type field, select the IBM Security Verify Privilege Vault option.

  6. In the Protocol Type field, select Syslog.

  7. Open the Protocol tab, and type the IP address or hostname of your Secret Server machine in the Log Source Identifier field. This identifies the logs as coming from that specific Secret Server.

  8. Make sure the toggle for your created log source is enabled.
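
A pre-check for the Log Source Identifier in step 7, as an added example (not Delinea or IBM code): it reads the host field from captured syslog lines and lists those that do not carry the value you plan to type into the field. It assumes QRadar compares the identifier with the host field of the syslog header; the sample lines and the hostname `ss01.example.local` are constructed.

```python
import re

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP ...
RFC5424 = re.compile(r"^<\d{1,3}>\d{1,2} \S+ (?P<host>\S+) ")
# RFC 3164 header: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG...
RFC3164 = re.compile(
    r"^<\d{1,3}>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2} (?P<host>\S+) ")


def syslog_host(line):
    """Return the host field of a syslog header, or None if no header is found."""
    for pattern in (RFC5424, RFC3164):
        m = pattern.match(line)
        if m:
            host = m.group("host")
            return None if host == "-" else host  # "-" is the RFC 5424 nil value
    return None


def identifier_mismatches(lines, identifier):
    """List (line_number, host) for lines whose header host is not the identifier.

    The comparison is deliberately exact (case-sensitive), so a difference in
    letter case or an IP address sent instead of a hostname is reported.
    """
    wanted = identifier.strip()
    bad = []
    for n, line in enumerate(lines, 1):
        host = syslog_host(line)
        if host != wanted:
            bad.append((n, host))
    return bad


# Constructed sample lines (not real Secret Server output).
SAMPLE = [
    "<134>Jan  5 10:15:02 ss01.example.local app: constructed event A",
    "<134>1 2024-01-05T10:15:03Z SS01.example.local app - - - constructed event B",
    "<134>Jan  5 10:15:04 10.0.0.25 app: constructed event C",
    "constructed event D with no syslog header",
]

if __name__ == "__main__":
    for n, host in identifier_mismatches(SAMPLE, "ss01.example.local"):
        print(f"line {n}: header host {host!r} differs from the identifier")
```
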