How to Configure CA NIM-SM to Forward Logs to QRadar
Article ID: 437103
Updated On:
Products
Issue/Introduction
There is a requirement to send NIM-SM application logs to an external SIEM tool, such as IBM Security QRadar, for threat detection and monitoring. By default, NIM-SM stores logs locally and does not forward them to external Syslog collectors.
Environment
- CA Normalized Integration Management for Service Management (NIM-SM)
- Any SIEM tool supporting Syslog (e.g., IBM QRadar)
Cause
NIM-SM uses the Log4j2 framework for internal logging. Forwarding logs to a remote server requires the addition of a specific "Syslog Appender" within the application's configuration file.
Resolution
To enable log forwarding, you must modify the log4j2.xml file within the NIM-SM deployment.
Locate the Configuration File: Navigate to the following directory in your NIM-SM installation (usually within the web server's webapps directory):
ca-nim-sm/WEB-INF/config/log4j2.xmlAdd a Syslog Appender: Edit the
log4j2.xmlfile to include a new Appender entry. Specify the QRadar (or SIEM) server IP address and the destination port (default is 514).Example Configuration Snippet:
Update the Loggers Section: Ensure that the
<Loggers>section of the XML file references the newQRadarAppenderso that events are actively sent.Restart Services: Restart the web server (e.g., Apache Tomcat) where NIM-SM is running to apply the changes.
Verification: Check the "Log Activity" tab in QRadar to confirm that logs from the NIM-SM host are being received.
Additional Information
- Externalization: Note that if the
ca-nim-sm.warfile is redeployed or upgraded, manual changes to theWEB-INF/configdirectory may be overwritten. It is recommended to back up your modifiedlog4j2.xmlbefore maintenance. - Firewall: Ensure that traffic is allowed from the NIM-SM host to the QRadar Event Collector on the configured port (UDP/TCP 514).
Feedback
