IBM QRadar

Problems getting network data into Qradar - what am I doing wrong?

  • 1.  Problems getting network data into Qradar - what am I doing wrong?

    Posted Mon November 29, 2021 11:16 PM
    Hi,
    I have this setup:
    ----------
    1 nic onboard computer
    1 nic via USB adapter, which is connected to a switch where that port is a mirror destination port for all traffic. Traffic is streamed as it should.

    Qradar running via OVA on VMware Workstation, where I have edited the vmx file and made both NICs promiscuous.
    Qradar is finding both ens33 and ens34; I have set Qradar to receive via ens34. I have set the firewall to accept everything.

    But there is nada in network traffic:

    Flow sources:

    What am I doing wrong?



    ------------------------------
    Christian Sennesvik
    ------------------------------


  • 2.  RE: Problems getting network data into Qradar - what am I doing wrong?

    Posted Tue November 30, 2021 05:02 AM
    Christian,
    so far everything looks alright inside QRadar. Are you seeing any events coming in into your environment? Asking this to make sure your CE is working at all.
    Of course there are many things that could go wrong with mirror configs, depending on your switch OS. The easiest thing is to start network activity monitoring using your default interface as the interface type flow source. If this is ens33 and assigned to one of your two test flow sources shown in the screenshot, all QRadar traffic should be seen. This is obviously not the case in your environment. My guess is that something is wrong about the promiscuous mode in your workstation setup. Editing the vmx file is an option but needs in-depth background and a restart of your VM. The setting should be available in your GUI for the VM workstation configuration. Please make sure this is set correctly.
    BR
    Karl

    ------------------------------
    [Karl] [Jaeger] [Business Partner]
    [QRadar Specialist]
    [pro4bizz]
    [Karlsruhe] [Germany]
    [4972190981722]
    ------------------------------



  • 3.  RE: Problems getting network data into Qradar - what am I doing wrong?

    Posted Tue November 30, 2021 07:09 AM
    Have you done a deploy?


    ------------------------------
    Martin Schmitt
    ------------------------------



  • 4.  RE: Problems getting network data into Qradar - what am I doing wrong?

    Posted Tue November 30, 2021 07:19 AM
    Edited by Christian Sennesvik Tue November 30, 2021 07:52 AM
    I think I replied directly to you, Martin, by mistake. So I will add my answer here too:

    "Hi, I will remove both VMware VMs to remove the wrong settings and the deploy. Then redeploy both and go through the settings.

    There is something odd that I realized when I tried Security Onion. I have tried SO several times before and it has never failed; however, this time the management interface and input didn't come up.

    But on the other hand, I know that the SPAN port is sending info because I have a Splunk forwarder running - it takes all the info and passes it to Splunk without problems. But once I tried using the same port on Hyper-V and VMware Workstation there are just problems..


    Do you have any settings I need to do in VMware Workstation or VirtualBox that should get the network to pass data through? Just to be sure that my sources for promiscuous mode aren't wrong.

    br"

    This is shown in PowerShell btw when I try setting promiscuous mode


    VMware Workstation Pro settings for network:

    This shows data coming in on the Hyper-V managed version of the SPAN port,

    which is actually a bit less data, so I'm guessing that I haven't turned on promiscuous mode in Hyper-V at least. But if I try in VMware I should be able to by editing the vmx config file and setting it there?
    ------------------------------
    Christian Sennesvik
    ------------------------------



  • 5.  RE: Problems getting network data into Qradar - what am I doing wrong?
    Best Answer

    Posted Tue November 30, 2021 10:14 AM
    Hello Christian,
    Can I assume that you have the two network adapters on your QRadar CE host connected to Custom VMnet0 and VMnet1?
    At the CLI on the CE host, does "ifconfig" show packets / bytes received on the ens monitoring interface(s)?
    Does the monitoring interface show PROMISC? i.e. ens33: flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST> mtu 150
    If not, you might want to try "ifconfig ens33 promisc" and run ifconfig again to check the status afterwards.


    ------------------------------
    Todd NIEHOFF
    ------------------------------



  • 6.  RE: Problems getting network data into Qradar - what am I doing wrong?

    Posted Wed December 01, 2021 04:22 AM
    Sorry for the wait, I did a reinstall to be sure I didn't mess anything else up.

    2 NICs - 1 for management and 1 for the SPAN/mirror port, that is correct. ens33 is management.

    1) It was correct, PROMISC was not showing, so I ran ifconfig ens34 promisc, as that is the mirror port.


    Now the problem is that I still don't get data into Qradar. I have run the same setup with Security Onion and I'm getting data there, so the problem is within the Qradar setup.

    ------------------------------
    Christian Sennesvik
    ------------------------------



  • 7.  RE: Problems getting network data into Qradar - what am I doing wrong?

    Posted Wed December 01, 2021 04:39 AM
    Christian,
    same situation as before. My questions are still not answered. If ens33 is configured the same way, you will see network data coming in independent of your monitor port configuration. If not, some more general thing may be wrong, like the famous invalid license patch which still needs to be applied to fresh installs.
    Karl

    ------------------------------
    [Karl] [Jaeger] [Business Partner]
    [QRadar Specialist]
    [pro4bizz]
    [Karlsruhe] [Germany]
    [4972190981722]
    ------------------------------



  • 8.  RE: Problems getting network data into Qradar - what am I doing wrong?

    Posted Tue November 30, 2021 10:47 AM
    I cannot verify it in detail, because I do not have a SPAN at the moment to test, but in my environment I configured it in QRadar and I see in the network activity tab traffic (coming from the machine or destined to it). Do you see this in your environment? The port in the VM GUI is configured with Policy - Security - Promiscuous mode - Accept.

    ------------------------------
    Martin Schmitt
    ------------------------------



  • 9.  RE: Problems getting network data into Qradar - what am I doing wrong?

    Posted Wed December 01, 2021 05:23 AM
    Hi Christian,

    When you say it's a fresh install of QRadar CE, you might want to consider this ... https://www.ibm.com/support/pages/node/6395080
    You'll need to apply this fix for the licensing issue in CE...

    # Same commands as the one-liner from the IBM support page, split up for readability:
    # write the replacement license string (without a trailing newline) into each
    # license file that exists on the host.
    LIC="QRadar:Q1 Labs Inc.:0007634bda1e2:WnT9X7BDFOgB1WaXwokODc:12/31/20"
    for f in /opt/qradar/ecs/license.txt \
             /opt/ibm/si/services/ecs-ec-ingress/current/eventgnosis/license.txt \
             /opt/ibm/si/services/ecs-ep/current/eventgnosis/license.txt \
             /opt/ibm/si/services/ecs-ec/current/eventgnosis/license.txt \
             /usr/eventgnosis/ecs/license.txt \
             /opt/qradar/conf/templates/ecs_license.txt ; do
        if [ -f "$f" ] ; then echo -n "$LIC" > "$f" ; fi
    done

    Just an idea...

    Regards,
    Ralph


    ------------------------------
    Ralph Belfiore
    SIEM Expert
    pro4bizz GmbH
    Karlsruhe
    +4972190981727
    ------------------------------



  • 10.  RE: Problems getting network data into Qradar - what am I doing wrong?

    Posted Wed December 01, 2021 07:57 AM
    Edited by Christian Sennesvik Wed December 01, 2021 07:58 AM
    Tada...

    didn't work the first time, and that was my fault for not reading the part about SSH... so I tried again with Bitvise - went to a meeting and clicked F5... and voila :D

    So to summarize:

    1) Bridged network in VMware Workstation works fine, no need for NAT; select the Ethernet NIC and make sure the mirror/SPAN port works
    2) use ifconfig ens(number of mirror port) promisc to enable promiscuous mode
    3) allow all traffic in via firewall(?)
    4) add the patch and wait 5-10 minutes

    and it should work :) 

    Just in case future users have the same issue, they now have a thread to look through. Thank you everyone who has helped :)
    Tried to mark both the patch and ifconfig ens as best answers, but could only mark one of them.

    ------------------------------
    Christian Sennesvik
    ------------------------------
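An added check script, not from the thread, that automates the interface checks Todd suggests in post 5 and the promiscuous-mode step in Christian's summary in post 10: it verifies that the mirror interface reports PROMISC and that its receive counter is actually growing, so a flow source with no data can be traced to the switch, the VM policy, or QRadar itself. It assumes a Linux CE host with iproute2 and sysfs, and an interface name such as ens34 passed as the argument.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check a QRadar CE mirror interface.
# Usage: ./check_mirror.sh ens34

# Return 0 if a flags line from `ip link show` (or ifconfig) contains PROMISC.
flags_have_promisc() {
    # $1: e.g. "2: ens34: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 ..."
    case "$1" in
        *PROMISC*) return 0 ;;
        *)         return 1 ;;
    esac
}

# Return 0 if the rx_packets counter grew between two samples ($1 first, $2 second).
rx_counter_grew() {
    [ "$2" -gt "$1" ]
}

# Live check: prints findings, returns non-zero if anything looks wrong.
check_mirror_iface() {
    iface="$1"
    status=0
    link=$(ip link show "$iface" 2>/dev/null) || { echo "$iface: no such interface"; return 1; }
    if flags_have_promisc "$link"; then
        echo "$iface: PROMISC set"
    else
        echo "$iface: PROMISC not set (try: ip link set $iface promisc on)"
        status=1
    fi
    # Sample the kernel receive counter twice; a mirror port that is really
    # delivering frames shows a growing count even with no IP address assigned.
    statdir=/sys/class/net/$iface/statistics
    rx1=$(cat "$statdir/rx_packets"); sleep 5; rx2=$(cat "$statdir/rx_packets")
    if rx_counter_grew "$rx1" "$rx2"; then
        echo "$iface: received $((rx2 - rx1)) frames in 5s"
    else
        echo "$iface: no frames in 5s; check the switch mirror session and the VM promiscuous-mode policy"
        status=1
    fi
    return $status
}

if [ "$#" -gt 0 ]; then
    check_mirror_iface "$1"
fi
```

Promiscuous mode set with ifconfig or ip link does not survive a reboot, so rerun the check after any restart. Opening the host firewall is not needed for a mirror interface: packet capture reads frames at the link layer, before netfilter filtering, so the CE firewall can stay restrictive.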