IBM QRadar

  • 1.  Replace Event Collector With Cribl

    Posted Tue December 13, 2022 06:15 PM
    The current setup is AIO and we plan on replacing the event collector with Cribl.
    So all the log sources will point to Cribl and Cribl will forward to QRadar.

    Wondering, if anyone has experience leveraging cribl and feedback about that?

    1- Any changes to existing parsers, customization, and reports?


    ------------------------------
    Hemant Kumar
    ------------------------------


  • 2.  RE: Replace Event Collector With Cribl

    Posted Fri December 16, 2022 08:30 AM
    No experience with Cribl. Rsyslog allows for using a fake IP address. This does work. If your forwarding IP gets changed, log sources will be difficult to differentiate.

    ------------------------------
    Karl Jaeger, Business Partner
    QRadar Specialist
    pro4bizz
    Karlsruhe, Germany
    4972190981722
    ------------------------------



  • 3.  RE: Replace Event Collector With Cribl

    Posted Wed December 21, 2022 08:57 AM
    Edited by Wendy Batten Thu December 29, 2022 08:10 AM
    I've had some experience with Cribl in a lab environment. The main potential issue I've found with these types of solutions is getting the data to QRadar in a format that QRadar can natively parse.
    Obviously you can always transform in Cribl or create custom DSMs in QRadar, but it can be a lot of work.

    As an example, if you are collecting Windows events with Cribl Edge and forwarding on to QRadar, that won't work without transformation in Cribl or a custom DSM. If you are collecting Windows events with WinCollect Standalone and then forwarding to Cribl and then on to QRadar as-is, they should parse OK without any additional work.





  • 4.  RE: Replace Event Collector With Cribl

    Posted Wed October 11, 2023 01:35 PM

    Has anyone been able to successfully import Cribl into QRoC?

    We are having issues understanding how to set up the log sources. From Cribl it is sent via TLS Syslog.

    Logs via TLS Syslog
    1. Vendor 1
      - IBM Built In DSM
    2. Cribl
      - FW Logs
      - AWS Cloudtrail

    Does this require using the Gateway Log Source methodology https://community.ibm.com/community/user/security/blogs/sophia-mccarthy/2019/09/30/qradars-gateway-log-source-methodologies?



    ------------------------------
    Mitchell Fang
    ------------------------------



  • 5.  RE: Replace Event Collector With Cribl

    Posted Thu October 12, 2023 12:30 PM

    Hi Mitchell,

    not sure what your setup looks like. If your Cribl log source is independent from Vendor 1, just follow Bryan's advice. If both vendors share one TLS syslog stream out of AWS cloud, you may require GLS to split out the two streams into two log sources.



    ------------------------------
    Karl Jaeger, Business Partner
    QRadar Specialist
    pro4bizz
    Karlsruhe, Germany
    4972190981722
    ------------------------------
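To illustrate the point raised in replies 2 and 5 (a receiver can only tell forwarded devices apart by what the syslog header still carries), here is an added example that is not from the thread or from IBM/Cribl: it parses BSD and RFC 5424 syslog headers, groups messages by header hostname, and flags messages whose header names the forwarder itself. The hostnames, the forwarder name and the firewall-style payloads are constructed sample values, and the assumption that the receiver keys log sources on the header hostname is taken from the thread, not from QRadar documentation.

```python
import re
from collections import Counter

# Constructed sample: three messages as they might leave a forwarder.
# The first two keep the original device hostname in the syslog header;
# the third was re-wrapped so the header names the forwarder instead.
SAMPLE_MESSAGES = [
    "<134>Jan  9 08:25:01 fw-edge-01 1,2024/01/09 08:25:01,001122334455,TRAFFIC,end,...",
    "<134>1 2024-01-09T08:25:02Z fw-edge-02 panos - - - 1,2024/01/09 08:25:02,...",
    "<134>Jan  9 08:25:03 cribl-worker-1 1,2024/01/09 08:25:03,001122334455,TRAFFIC,...",
]

# BSD (RFC 3164) framing: <PRI>Mmm dd hh:mm:ss HOSTNAME MSG
RFC3164 = re.compile(
    r"^<(\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")
# RFC 5424 framing: <PRI>1 TIMESTAMP HOSTNAME APP PROCID MSGID STRUCTURED-DATA MSG
RFC5424 = re.compile(
    r"^<(\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) \S+ \S+ (?:-|\[.*?\]) ?(?P<msg>.*)$")


def parse_syslog_header(line):
    """Return (hostname, message) for either framing, or None if the line is not syslog."""
    for pattern in (RFC5424, RFC3164):
        m = pattern.match(line)
        if m:
            return m.group("host"), m.group("msg")
    return None


def classify(lines, forwarder_hosts):
    """Group messages by the header hostname a receiver would key log sources on.

    Returns (counts, collapsed): counts maps each header hostname to its message
    count; collapsed lists the messages whose header names a forwarder, i.e. the
    ones whose originating device can no longer be told apart at the receiver.
    """
    counts = Counter()
    collapsed = []
    for line in lines:
        parsed = parse_syslog_header(line)
        if parsed is None:
            counts["<unparsed>"] += 1
            continue
        host, _ = parsed
        counts[host] += 1
        if host in forwarder_hosts:
            collapsed.append(line)
    return dict(counts), collapsed


if __name__ == "__main__":
    counts, collapsed = classify(SAMPLE_MESSAGES, {"cribl-worker-1"})
    for host, n in counts.items():
        print(f"{host}: {n} event(s)")
    print(f"{len(collapsed)} event(s) would be attributed to the forwarder, not the device")
```

Running the same check against a capture taken at the receiving side shows quickly whether the forwarder rewrote the header hostname, which is the condition under which separate devices merge into one log source.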



  • 6.  RE: Replace Event Collector With Cribl

    Posted Wed October 18, 2023 06:54 PM

    Thanks.

    We got it working. Didn't need GLS. QRadar was able to automatically generate the log sources with the correct parser.



    ------------------------------
    Mitchell Fang
    ------------------------------



  • 7.  RE: Replace Event Collector With Cribl

    Posted Tue January 09, 2024 08:25 AM

    Hi All,

    Need assistance as we are introducing Cribl in our QRoC environment and we want to forward logs from FW > Panorama Collector > Cribl > QRoC Data Gateway.

    1. Would QRoC be able to determine the actual firewall as a log source when forwarded this way?

    2. Do we need to enable inbound policy on QRoC Data Gateway for Panorama collector or FW on 514?
    We have already enabled inbound policy from Cribl to Data Gateway.



    ------------------------------
    Karan Verma
    ------------------------------



  • 8.  RE: Replace Event Collector With Cribl

    Posted Tue January 09, 2024 08:26 AM

    Hi,

    Can you help me understand whether QRoC can detect the actual log source when we use Cribl to forward logs to Data Gateways?

    Our plan is to go through FW > Panorama log collector > Cribl > Data Gateway.

    1. Would QRoC be able to detect the correct firewall as log source?
    2. Would there be any parsing issues?
    3. Do we need to enable any inbound policies on Data Gateways to accept other than Cribl IPs on 514?

    Karan



    ------------------------------
    Karan Verma
    ------------------------------



  • 9.  RE: Replace Event Collector With Cribl

    Posted Tue November 14, 2023 09:11 AM

    How did the Cribl integration with QRadar go? What are your thoughts? Our company is looking to purchase.



    ------------------------------
    Bruce Hutchinson
    ------------------------------