IBM QRadar

  • 1.  Log Custom Action Script issues to QRadar (> /dev/udp/127.0.0.1/514)

    Posted Tue March 31, 2020 10:52 AM
    Hello,

    I would like to redirect some error messages of my custom action script to QRadar.

    It works great when I execute the script with arguments directly in the console CLI, but it doesn't work when executed in the jail; here is the output message in the Admin Panel:
    /custom_action_scripts/customaction_1.script: line 255: echo: write error: Operation not permitted
    
    -----------------------------------

    And line 255 is the following; I guess the error is due to my socket utilization:
    echo "$(date '+%b %d %T') trigger.sh Type=Script_Execution|Result=$state|Errors=${error::-2}|envRuleID=$envRuleID|envRuleName=$envRuleName|QRadarIP=$QRadarIP|jsonPayload=$jsonString" > /dev/udp/127.0.0.1/514

    Do you have best practices for redirecting content to QRadar? (logger, netcat, JSON POST?)

    Thank you !

    ------------------------------
    Clément BONNAL
    ------------------------------


  • 2.  RE: Log Custom Action Script issues to QRadar (> /dev/udp/127.0.0.1/514)

    Posted Wed April 01, 2020 03:29 AM
    Maybe this is due to the customactionuser permissions; I think this user does not have permission to write to /dev because of the ca_jail or chroot. Try to send the output to /opt/qradar/bin/ca_jail.

    Kind regards

    ------------------------------
    Roberto Ivars
    ------------------------------



  • 3.  RE: Log Custom Action Script issues to QRadar (> /dev/udp/127.0.0.1/514)

    Posted Wed April 01, 2020 05:06 AM
    Hello,
    I agree, so I tried to use netcat to avoid writing directly to /dev, and even though it works in the console, the command is unknown in the jail :(
    /custom_action_scripts/customaction_1.script: line 255: nc: command not found
    
    -----------------------------------

    echo "$(date '+%b %d %T') trigger.sh Type=Script_Execution|Result=$state|Errors=${error::-2}|envRuleID=$envRuleID|envRuleName=$envRuleName|QRadarIP=$QRadarIP|jsonPayload=$jsonString" | nc -u 127.0.0.1 514


    Trying with POST JSON now...



    ------------------------------
    Clément BONNAL
    ------------------------------
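One way to do what the thread is working towards (send the script's event line to the syslog listener while coping with a jail that refuses /dev/udp and has no nc), written here as an added example and not code from the thread or from IBM: it sanitizes each field, builds the syslog line, and tries transports in order down to a spool file. The 127.0.0.1:514 destination and the event fields are from the thread; the transport order, the spool path, the hostname fallback and the sample values are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumed: the poster's event fields,
# 127.0.0.1:514 as the QRadar syslog listener, and a spool path the operator
# chooses inside the jail (placeholder below). Runs under dash or bash.

# Syslog is one event per line: replace CR/LF (and the field delimiter) so a
# multi-line error or JSON payload cannot split into, or forge, extra events.
sanitize_field() {
    printf '%s' "$1" | tr '\r\n|' '   '
}

# RFC 3164 style header: <PRI>timestamp host message, PRI 14 = user.info.
build_syslog_line() {  # args: timestamp hostname message
    printf '<14>%s %s %s' "$1" "$2" "$3"
}

# The poster's pipe-delimited event, built from sanitized fields.
build_event() {  # args: state errors rule_id rule_name json_payload
    printf 'trigger.sh Type=Script_Execution|Result=%s|Errors=%s|envRuleID=%s|envRuleName=%s|jsonPayload=%s' \
        "$(sanitize_field "$1")" "$(sanitize_field "$2")" "$(sanitize_field "$3")" \
        "$(sanitize_field "$4")" "$(sanitize_field "$5")"
}

# Try transports in order and print the one that worked (exit 1 if none did).
# In the jail the thread shows /dev/udp refused and nc missing, so the function
# degrades to logger and finally to a spool file the jail can write.
send_event() {  # args: event host port spool_file [order]
    local ev="$1" host="$2" port="$3" spool="$4" line t
    line=$(build_syslog_line "$(date '+%b %d %T')" "$(hostname 2>/dev/null || echo qradar-console)" "$ev")
    for t in ${5:-udp nc logger spool}; do
        case $t in
            udp)    # bash pseudo-device; needs bash and an unrestricted /dev
                if (printf '%s\n' "$line" > "/dev/udp/$host/$port") 2>/dev/null; then echo udp; return 0; fi ;;
            nc)     # netcat, only if present on PATH inside the jail
                if command -v nc >/dev/null 2>&1 && printf '%s\n' "$line" | nc -u -w1 "$host" "$port" 2>/dev/null; then echo nc; return 0; fi ;;
            logger) # local syslog socket, if the jail exposes one; logger adds its own header, so pass the bare event
                if command -v logger >/dev/null 2>&1 && logger -t trigger.sh -- "$ev" 2>/dev/null; then echo logger; return 0; fi ;;
            spool)  # last resort: append for later forwarding from outside the jail
                if printf '%s\n' "$line" >> "$spool" 2>/dev/null; then echo spool; return 0; fi ;;
        esac
    done
    return 1
}

# Usage (commented out so the file can be sourced without sending anything):
# send_event "$(build_event OK none 1234 'Test rule' '{}')" 127.0.0.1 514 /tmp/ca_events.log
```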