This section covers how to integrate IBM QRadar SIEM with VMware SASE and includes instructions for creating a Log Source Group, importing the SD-WAN Edge DSM module, and setting up SD-WAN Edges as Log Source records.

Before data can be onboarded from the VMware SASE solutions, the IBM QRadar SIEM service must be prepared to accept the data. This requires the following steps:

  1. Create a Log Source Group for your SD-WAN Edge appliances.
  2. Import the VMware SD-WAN Edge DSM module.
  3. Set up SD-WAN Edges as Log Source records.

Once these steps are complete, you can configure the SD-WAN Edges in the VMware SASE Orchestrator to send log messages and flow telemetry data to their designated event collectors.

1. Create a Log Source Group for your SD-WAN Edge Appliances

Log Source Groups help you manage larger-scale network deployments by associating default DSMs or Log Source Extensions with your network devices. Log source groups help filter event data to a particular group of devices.

To view or create a Log Source Group, go to Admin > Data Sources > Events. Depending on your system, you might see something similar:

Figure 1. IBM QRadar - Data Sources

In the main window, select Log Source Groups, then select New Group in the new window:

Figure 2. Log Source Group Management

A new window, titled Group Properties will open:

Figure 3. Log Source Group Properties
Table 1. IBM QRadar – Log Source Group Properties

Parameter | Description
Parent | The parent container for the newly created child object. QRadar supports nested Log Source Groups, so before you save your changes, make sure that the new Log Source Group is created under the correct container.
Name | Administrative name for the Log Source Group.
Description | Summary of the Log Source Group's function or its contents.

2. Import the VMware SD-WAN Edge DSM module into your IBM QRadar Deployment

Now that the Log Source Group is ready, we will import the custom DSM for VMware SD-WAN Edge appliances. The DSM is delivered as a ZIP archive. To start with the import process, navigate to Admin > System Configuration, then select Extensions Management:

Figure 4. Extensions Management

In this window, you will see a list of extension modules that enhance QRadar's functionality and their installation statuses. The list of available modules depends on your deployment. To upload the ZIP archive, click the Add button in the top-right corner. If you want to install it right away, select Install Immediately:

Figure 5. Add New Extension

After the upload, a new line item will appear in the Extensions Management window. From here you can install the DSM (if you have not already done so), remove the module, or inspect its contents (the output varies with the DSM contents):

Figure 6. VMware SD-WAN Edge DSM Contents

3. Create a Log Source Record for Each SD-WAN Edge

You need to create a log source record for each SD-WAN Edge so that QRadar treats them as trusted sources of events. You can use the IBM QRadar Log Source Management app to set up the Edge Syslog feeds. Depending on your QRadar version, this app may differ from the legacy Log Source Management interface. To launch the app, go to Admin > Apps > QRadar Log Source Management.

Figure 7. Log Source Management

After clicking on + New Log Source, select Single Log Source (if you want to add just one Edge appliance), or Multiple Log Sources (if you need to create log sources in bulk).

Under Select Log Source Type, search for VMware SD-WAN Edge:

Figure 8. Select a Log Source Type

If you cannot find the SD-WAN Edge option, check the Admin tab for a pending Deploy Changes notice, or select Deploy Full Configuration from the Advanced menu. After a few minutes, the log source type should show up.

Under Select a Protocol Type, the default should be Syslog, which is what we need:

Figure 9. Select Protocol Type

On the Log Source parameters screen, you must complete all the device-specific details:

Figure 10. Log Source Parameters
Table 2. IBM QRadar – Log Source Parameters

Parameter Name | Description | Mandatory?
Name | The device name of the Edge, as it appears in the Orchestrator. | Yes
Description | A brief description that helps identify the appliance sending events. | No
Enabled | Whether QRadar uses this record to identify the log source. | Yes
Groups | Assigns the device to a log source group. A device can belong to several groups if required. Grouping lets you filter event data by group and manage the members in a uniform fashion. | Yes
Extension | The DSM extension that parses messages from the device and maps them to QRadar events. This should point to the VMware SD-WAN Edge extension. | No
Language | The language of the logs. Defaults to English. | Yes
Target Event Collector | Most IBM QRadar deployments are distributed. Select the event collector that should accept and parse the Syslog messages from the Edges. | Yes
Credibility | An administrative value on a scale from 0 to 10 that expresses how reliable the log source is; QRadar factors it into the magnitude of offenses raised from its events. | Yes
Coalescing Events | If enabled, the SIEM aggregates similar events into a single entry. | No
Store Event Payload | If enabled, QRadar stores the payload of the Syslog messages. Typically enabled in production environments. | No

Once every parameter is set, you can progress to the next screen, the Protocol Parameters. Encoding should be UTF-8, and the Log Source Identifier must be configured as the device name from the Orchestrator. QRadar uses the identifier to match incoming messages to this record, so it must match exactly what the Edge places in the hostname field of its Syslog header; messages that arrive with a different identifier are not attributed to this log source.

Figure 11. Protocol Parameters
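The following is an added example, not code from the original guide or from IBM or VMware, that checks the point above: it reads the hostname field out of syslog lines as they arrive at a collector and compares it with the Log Source Identifiers you configured, so you can spot an Edge that sends its IP address or a differently cased name instead of its Orchestrator device name, and a log source record that has received nothing at all. The identifiers, collector names and message bodies are constructed placeholders; the real Edge event format is not shown on this page.

```python
"""Verify that syslog hostnames match the configured QRadar Log Source
Identifiers.  Added example; not part of the original guide, IBM or VMware."""
import re
from collections import Counter

# Constructed sample: Log Source Identifier (the Edge's device name as shown in
# the Orchestrator) -> Target Event Collector chosen for that log source record.
CONFIGURED_IDENTIFIERS = {
    "branch-edge-01": "ec-01.qradar.example",
    "branch-edge-02": "ec-01.qradar.example",
    "dc-edge-01": "ec-02.qradar.example",
}

# Constructed sample messages as a collector might see them on the wire.
# The bodies are placeholders, not the real Edge event format.
SAMPLE_MESSAGES = [
    "<134>Jan 15 10:22:33 branch-edge-01 fw: sample event 1",
    "<134>Jan 15 10:22:34 branch-edge-01 fw: sample event 2",
    "<134>1 2024-01-15T10:22:35.000Z dc-edge-01 fw - - - sample event 3",
    "<134>Jan 15 10:22:36 10.0.1.5 fw: sample event 4",        # Edge sent its IP, not its name
    "<134>Jan 15 10:22:37 Branch-Edge-02 fw: sample event 5",  # case differs from the record
    "garbage line with no syslog header",
]

# RFC 3164: <PRI>Mmm dd HH:MM:SS HOSTNAME rest
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<rest>.*)$"
)
# RFC 5424: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID rest
RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) "
    r"(?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) ?(?P<rest>.*)$"
)


def source_identifier(line):
    """Return the HOSTNAME field of an RFC 3164 or RFC 5424 syslog line,
    or None when the line carries no recognisable header."""
    for pattern in (RFC5424, RFC3164):
        m = pattern.match(line)
        if m:
            return m.group("host")
    return None


def check_attribution(lines, configured):
    """Classify lines by whether their hostname is a configured identifier.
    The comparison is an exact string match: any difference (case, IP address
    instead of name) is reported as unmatched so it can be investigated."""
    attributed = Counter()
    unmatched = Counter()
    unparsed = []
    for line in lines:
        ident = source_identifier(line)
        if ident is None:
            unparsed.append(line)
        elif ident in configured:
            attributed[ident] += 1
        else:
            unmatched[ident] += 1
    # Log source records that exist in QRadar but received no matching message.
    silent = sorted(set(configured) - set(attributed))
    return {
        "attributed": dict(attributed),
        "unmatched": dict(unmatched),
        "unparsed": unparsed,
        "silent_log_sources": silent,
    }


if __name__ == "__main__":
    for key, value in check_attribution(SAMPLE_MESSAGES, CONFIGURED_IDENTIFIERS).items():
        print(f"{key}: {value}")
```

Feed it a capture taken on the collector's regular interface and treat every entry under "unmatched" as a record whose Log Source Identifier does not match what the Edge actually sends, and every entry under "silent_log_sources" as an Edge that has not yet been pointed at this collector.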

Once all settings are in place, click Finish. Selecting the log source in the main screen opens the Log Source Summary screen, where you can double-check the settings:

Figure 12. Log Source Summary of an Edge
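When there are many Edges, the "Multiple Log Sources" dialog is one option; the same records can also be created through the QRadar REST API. The following is an added example, not code from the original guide, IBM or VMware, that maps the fields of Table 2 onto one API object per Edge and posts them in a single call. It assumes the endpoint paths and field names of the QRadar log source management API (the /api/config/event_sources/log_source_management/... resources, the SEC token header and the Version header); the console hostname, the token, the API version, the group and collector names, and the Edge names are placeholders. Use an Authorized Service token with only the Admin capabilities the task needs rather than a user login, and keep TLS verification on outside a lab.

```python
"""Create one QRadar log source record per SD-WAN Edge via the REST API.
Added example; not from the original guide, IBM or VMware.  Endpoint paths,
field names and the deploy call are assumptions about the QRadar API; all
names and credentials below are placeholders."""
import json
import ssl
import urllib.parse
import urllib.request

QRADAR_HOST = "qradar-console.example"               # placeholder
API_TOKEN = "REPLACE-WITH-AUTHORIZED-SERVICE-TOKEN"  # placeholder: Authorized Service token, not a user password
API_VERSION = "16.0"                                 # assumed; use a version your console supports
LSM = "/api/config/event_sources/log_source_management"  # assumed base path


def api(path, method="GET", body=None, params=None, verify_tls=True):
    """Minimal client: SEC token header, Version header, JSON in and out."""
    url = f"https://{QRADAR_HOST}{path}"
    if params:
        url += "?" + urllib.parse.urlencode(params)
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "SEC": API_TOKEN, "Version": API_VERSION,
        "Accept": "application/json", "Content-Type": "application/json",
    })
    ctx = ssl.create_default_context()
    if not verify_tls:  # only acceptable for a lab console with a self-signed certificate
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.loads(resp.read() or b"null")


def find_one(path, name):
    """Resolve an object name (log source type, group, collector) to its id."""
    rows = api(path, params={"filter": f'name="{name}"'})
    if len(rows) != 1:
        raise LookupError(f"{path}: expected one object named {name!r}, got {len(rows)}")
    return rows[0]["id"]


def build_log_source(edge_name, type_id, protocol_type_id, identifier_param_id,
                     collector_id, group_ids, description=""):
    """Map the Log Source Parameters screen onto one API object.  Name and
    Log Source Identifier are both the Edge's device name from the Orchestrator."""
    return {
        "name": edge_name,
        "description": description,
        "enabled": True,
        "type_id": type_id,                    # VMware SD-WAN Edge DSM
        "protocol_type_id": protocol_type_id,  # Syslog
        "protocol_parameters": [
            {"id": identifier_param_id, "name": "identifier", "value": edge_name},
        ],
        "group_ids": group_ids,
        "target_event_collector_id": collector_id,
        "credibility": 5,
        "coalesce_events": False,
        "store_event_payload": True,
    }


def create_edge_log_sources(edge_names, group_name, collector_name):
    """Look up the ids once, POST one record per Edge, then trigger a deploy."""
    type_id = find_one(f"{LSM}/log_source_types", "VMware SD-WAN Edge")
    protocol_type_id = find_one(f"{LSM}/protocol_types", "Syslog")
    protocol = api(f"{LSM}/protocol_types/{protocol_type_id}")
    identifier_param_id = next(p["id"] for p in protocol["parameters"]
                               if p["name"] == "identifier")
    group_id = find_one(f"{LSM}/log_source_groups", group_name)
    collector_id = find_one("/api/config/event_sources/event_collectors", collector_name)  # assumed path
    records = [build_log_source(n, type_id, protocol_type_id, identifier_param_id,
                                collector_id, [group_id]) for n in edge_names]
    created = api(f"{LSM}/log_sources", method="POST", body=records)
    # New records only take effect after a deploy (assumed endpoint).
    api("/api/staged_config/deploy_status", method="POST")
    return created


if __name__ == "__main__":
    # Placeholder Edge names, group and collector; replace with your own.
    result = create_edge_log_sources(["branch-edge-01", "branch-edge-02"],
                                     "SD-WAN Edges", "ec-01.qradar.example")
    print(json.dumps(result, indent=2))
```

After the call, open the Log Source Summary of one of the new records and compare it with Figure 12; if the type lookup returns no rows, the DSM extension has been uploaded but not yet deployed, which is the same condition described for the GUI above.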

If you are using a distributed QRadar deployment (common in production environments), take note of the Target Event Collector setting, as you will set this up as an IPFIX and Syslog target in the Orchestrator.

Event collectors might have multiple network interfaces that might have various assigned roles. Please see this KB article if you need assistance understanding how your IBM QRadar deployment is connected to your enterprise network fabric.

How to Integrate VMware SD-WAN Edge with IBM QRadar

You have prepared IBM QRadar to receive data from the SD-WAN Edge appliances. Now, you need to configure the IBM QRadar Event Collectors as IPFIX and Syslog service endpoints.

Remember, IBM QRadar uses "Regular" network interfaces to collect log and flow data. If you are not sure what the interface IP address is, please follow these steps:

  1. Go to Admin > System Configuration > System and License Management.
  2. In the Display field, select Systems.
  3. Select the Event Collector that you want to use as a target system.
  4. Open the Actions drop-down menu from the top menu bar.
  5. Select View and Manage System.
  6. Select the Network Interfaces tab in the new window.

You will see a similar output for your node:

Figure 13. Event Console node with two NICs, one used for OOB management, the regular NIC used for event and flow collection.

Now, you can switch from IBM QRadar to the VMware Edge Cloud Orchestrator. We will perform the following steps in the Orchestrator:

  1. At the Enterprise level, define the IBM QRadar Flow Collectors as NetFlow/IPFIX Collectors.
  2. At the Edge or Edge Profile level, enable the Edges to start the flow export process and send telemetry to the Flow Collectors defined in the previous step.
  3. While on the Edge or Edge Profile level, configure Event Collectors as Syslog servers.
  4. Enable the Edge Firewall or Enhanced Firewall Services logging.
  5. Define a Firewall Rule with logging enabled.