IBM QRadar

  • 1.  Custom Action to send syslog message with event parameters

    Posted Mon May 08, 2023 04:50 PM


    Greetings,

    I am trying to use a custom script to send a Syslog message to an external server using the below python script.
    The syslog message should include the devicetime retrieved from the event as a parameter:

    import socket
    import time
    import sys
    from datetime import datetime

    # Set the syslog server details
    SYSLOG_SERVER = 'SyslogIP'
    SYSLOG_PORT = 514

    # Events Parameters
    ACT_EVENT   = sys.argv[1]
    ACT_IP      = sys.argv[2]
    devicetime = sys.argv[3]

    devicetime = time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(devicetime))

    # Set the message details
    MESSAGE = devicetime + ' ' + ACT_EVENT+ ' ' + ACT_IP + ' ' + 'Msg Terminated'
    SEVERITY = 6
    FACILITY = 1

    # Create a socket connection to the syslog server
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)

    # Build the syslog message
    timestamp = time.strftime('%b %d %H:%M:%S')
    hostname = socket.gethostname()
    syslog_message = '<{}>{} {}: {}'.format(
        int(SEVERITY) + (int(FACILITY) * 8),
        timestamp,
        hostname,
        MESSAGE
    )

    # Send the syslog message to the server
    sock.sendto(syslog_message.encode(), (SYSLOG_SERVER, SYSLOG_PORT))


    When I test the script I get the below error:

    Traceback (most recent call last):
      File "/custom_action_scripts/customaction_153.script", line 17, in <module>
        devicetime = time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(devicetime))
    TypeError: a float is required


    Any idea how can I fix this error?

    Best
    Nabil




    ------------------------------
    Nabil Nehme
    ------------------------------


  • 2.  RE: Custom Action to send syslog message with event parameters

    Posted Wed May 10, 2023 01:33 PM

    Nabil,
    you probably ran into the "jailbreak bug" as your py script is executed in a python container which does not allow for external socket connections.
    Pls test your script outside Qradar 1st and make sure it's backward compatible, as Qradar jail is using an older version of python.
    You can store your messages in a file and read and send file content once a minute using cron schedule. Of course you need two scripts then, an internal and an external one.
    Regards
    Karl



    ------------------------------
    [Karl] [Jaeger] [Business Partner]
    [QRadar Specialist]
    [pro4bizz]
    [Karlsruhe] [Germany]
    [4972190981722]
    ------------------------------



  • 3.  RE: Custom Action to send syslog message with event parameters

    Posted Wed May 10, 2023 04:15 PM

    OK - there is a lot to unpick here.

    - devicetime will be provided as milliseconds since the epoch - so needs to be converted from str to float and then divided by 1000

    - Be aware, if using the 'Test Execution' button - a NULL value will be sent, breaking everything

    - It *is* most definitely possible to send syslog messages out of the ca jail.  HOWEVER you should be aware of 2 things:
    a) The *only* permitted connection to the host running the Custom Script itself is on port 443.  Any other host - no restrictions.
    b) There is no way to do DNS lookups - so you are stuck with IP addresses as destinations.

    - The 'syslog_message' string was incorrectly created - the hostname should not be followed by a colon, it should be followed by a space.  Usually the next bit will be the TAG which *is* followed by a colon. 

    ===
    #!/usr/bin/env python

    import socket
    import time
    import sys
    from datetime import datetime

    # Set the syslog server details
    SYSLOG_SERVER = '10.10.10.10'
    SYSLOG_PORT = 514

    # Events Parameters
    ACT_EVENT   = sys.argv[1]
    ACT_IP      = sys.argv[2]
    devicetime = sys.argv[3]

    devicetime = time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(float(devicetime) / 1000))

    # Set the message details
    MESSAGE = devicetime + ' ' + ACT_EVENT+ ' ' + ACT_IP + ' ' + 'Msg Terminated'
    SEVERITY = 6
    FACILITY = 1

    # Create a socket connection to the syslog server
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)

    # Build the syslog message
    timestamp = time.strftime('%b %d %H:%M:%S')
    # hostname = socket.gethostname()
    hostname = "tester"
    syslog_message = '<{}>{} {} tag: {}'.format(
        int(SEVERITY) + (int(FACILITY) * 8),
        timestamp,
        hostname,
        MESSAGE
    )

    # Send the syslog message to the server
    sock.sendto(syslog_message.encode(), (SYSLOG_SERVER, SYSLOG_PORT))
    ===



    ------------------------------
    Paul Ford-Hutchinson
    ------------------------------
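    The three points in the reply above (millisecond devicetime, the NULL that 'Test Execution' sends, and the hostname/TAG layout of the syslog line) put together as an added example. This is not code from Paul's post or from any QRadar script; the sample arguments, the hostname "tester", the tag "qradar-ca" and the IPv4-literal check on the destination are constructed or assumed here. It builds the RFC 3164 line, parses it back the way a receiver would so the format can be checked offline, and only sends when explicitly asked.

```python
import socket
import sys
import time

# Constructed sample arguments standing in for sys.argv[1:] as a QRadar
# Custom Action would pass them: event name, source IP, devicetime (ms since epoch).
SAMPLE_ARGS = ["Firewall Deny", "192.0.2.10", "1683564600000"]


def devicetime_to_str(raw, fmt="%Y-%m-%d %H:%M:%S"):
    """Convert a devicetime argument (milliseconds since the epoch, passed as
    a string) to a formatted UTC timestamp.

    Returns None when the argument is missing, empty or non-numeric, which is
    what the 'Test Execution' button sends (a NULL value), so the caller can
    substitute a placeholder instead of dying with a TypeError."""
    if raw is None:
        return None
    raw = raw.strip()
    if not raw or raw.lower() == "null":
        return None
    try:
        seconds = float(raw) / 1000.0
    except ValueError:
        return None
    return time.strftime(fmt, time.gmtime(seconds))


def build_syslog_message(facility, severity, hostname, tag, msg, now=None):
    """Build a BSD-style (RFC 3164) syslog line: <PRI>Mmm dd HH:MM:SS host tag: msg
    PRI is facility*8 + severity. The hostname is followed by a space; the TAG is
    the field that carries the colon. Day of month is space-padded ("May  8").
    `now` is a struct_time or epoch seconds; default is the current UTC time."""
    if not 0 <= facility <= 23 or not 0 <= severity <= 7:
        raise ValueError("facility must be 0-23 and severity 0-7")
    if now is None:
        now = time.gmtime()
    elif not isinstance(now, time.struct_time):
        now = time.gmtime(now)
    pri = facility * 8 + severity
    timestamp = "{} {:2d} {}".format(time.strftime("%b", now), now.tm_mday,
                                     time.strftime("%H:%M:%S", now))
    return "<{}>{} {} {}: {}".format(pri, timestamp, hostname, tag, msg)


def parse_syslog_message(line):
    """Split a line produced by build_syslog_message back into its fields, the
    way a receiver would, so the layout can be verified before anything is sent."""
    if not line.startswith("<") or ">" not in line:
        raise ValueError("missing PRI")
    close = line.index(">")
    pri = int(line[1:close])
    rest = line[close + 1:]
    timestamp, rest = rest[:15], rest[16:]      # "Mmm dd HH:MM:SS" is 15 chars
    hostname, rest = rest.split(" ", 1)
    tag, msg = rest.split(": ", 1)
    return {"facility": pri // 8, "severity": pri % 8, "timestamp": timestamp,
            "hostname": hostname, "tag": tag, "msg": msg}


def check_destination(addr):
    """The CAS jail cannot resolve names (assumption taken from the thread), so
    insist on an IPv4 literal and fail early with a clear message."""
    try:
        socket.inet_aton(addr)
    except socket.error:
        raise ValueError("destination must be an IPv4 address, not a hostname: %r" % addr)
    return addr


def build_event_line(args, hostname="tester", tag="qradar-ca", now=None):
    """Assemble the full syslog line from Custom Action arguments, tolerating
    a missing or NULL devicetime."""
    act_event, act_ip = args[0], args[1]
    devicetime = devicetime_to_str(args[2] if len(args) > 2 else None)
    body = "{} {} {} Msg Terminated".format(devicetime or "devicetime-unavailable",
                                            act_event, act_ip)
    return build_syslog_message(1, 6, hostname, tag, body, now=now)


def send_udp(line, server, port=514):
    """Send one syslog datagram; `server` must be an IP literal."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        sock.sendto(line.encode("utf-8"), (check_destination(server), port))
    finally:
        sock.close()


if __name__ == "__main__":
    args = sys.argv[1:] if len(sys.argv) > 1 else SAMPLE_ARGS
    line = build_event_line(args)
    print(line)
    print(parse_syslog_message(line))
    # send_udp(line, "10.10.10.10")   # placeholder destination from the thread
```

    Run it with no arguments to see the constructed sample rendered and parsed; run it with the three Custom Action arguments (event, IP, devicetime) to check real values. The parse step is the useful bit for troubleshooting: if the receiver shows the hostname swallowed into the TAG, the colon is in the wrong place, which is exactly the defect in the original script.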



  • 4.  RE: Custom Action to send syslog message with event parameters

    Posted Wed May 10, 2023 04:17 PM

    FWIW - this is why a CAS can only send to 443 on the local appliance ... NOTE - only applies to 'lo' - the loopback device.

    # iptables -v -n -L OUTPUT
    Chain OUTPUT (policy ACCEPT 1578K packets, 885M bytes)
     pkts bytes target     prot opt in     out     source               destination 
        0     0 ACCEPT     tcp  --  *      lo      0.0.0.0/0            0.0.0.0/0            owner UID match 986 tcp dpt:443
        0     0 REJECT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0            owner UID match 986 reject-with icmp-port-unreachable



    ------------------------------
    Paul Ford-Hutchinson
    ------------------------------



  • 5.  RE: Custom Action to send syslog message with event parameters

    Posted Thu May 11, 2023 03:46 AM

    Paul,
    excellent answer. In fact I was wrong regarding syslog messages and socket connections. What I should have said was that python lib calls are very limited inside jail as you confirmed. Calling lib functions like ssh doesn't work as actual py version isn't supported yet. If you have other information pls let us know.
    regards
    karl



    ------------------------------
    [Karl] [Jaeger] [Business Partner]
    [QRadar Specialist]
    [pro4bizz]
    [Karlsruhe] [Germany]
    [4972190981722]
    ------------------------------