IBM QRadar

  • 1.  syslog source address from syslog header $host field

    Posted Fri September 13, 2019 01:18 PM
    Hi, 

    In our deployment the logs come from a syslog relay and not directly from the device. I think this is not an uncommon scenario. What I've noticed is quite strange. If I send the syslog with an IP address in the syslog header, QRadar properly fills the source IP field; however, if the syslog header contains the host name, the source address is always the last relay, so it seems QRadar in this case only relies on the IP header and does not try to reverse lookup the host. I've added our DNS servers properly to the resolve.conf.masq, but it still doesn't work.

    Does this mean QRadar is only able to fill the source address properly if the logs come from the device or the relay sends the syslog with an IP address in the syslog header?

    Thanks
    Laszlo


  • 2.  RE: syslog source address from syslog header $host field

    Posted Mon September 16, 2019 08:13 AM
    Hello.

    I've seen this kind of issue when a wrong syslog message structure was used. Maybe there is an issue with the syslog header format. If the format is OK, every source device log sent from the relay should be detected as a separate log source by QRadar, and it doesn't matter if it is an IP address or a host name.

    ------------------------------
    Gasper Hribar
    ------------------------------



  • 3.  RE: syslog source address from syslog header $host field

    Posted Mon September 16, 2019 09:19 AM

    Hi,

    It is detected correctly as separate log sources using the host names. The issue is that the source IP in this case is always the address of the relay, and this can cause some issues in rules where we rely on the source address. Maybe there is no easy solution for this, because I don't think QRadar can parse IETF syslog, where the original source address can be put in .sdata fields.

    Thanks

    L:


  • 4.  RE: syslog source address from syslog header $host field

    Posted Mon September 16, 2019 09:49 AM
    OK, I see. This is then expected behavior.

    If QRadar doesn't find a source IP in the payload, it looks in the hostname field of the syslog header; if a hostname is used, QRadar will not do a DNS lookup on the hostname.

    Look at this article:
    https://www.ibm.com/support/pages/qradar-how-source-ip-and-destination-ip-determined-events

    Maybe syslog redirect would be useful in your example:
    https://www.ibm.com/support/pages/qradar-syslog-redirect-protocol-faq


    ------------------------------
    Gasper Hribar
    ------------------------------
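As an added example (not from this thread, IBM, or QRadar's own code), a small Python audit that applies the rule Gasper describes to a batch of relayed events: an IP literal in the header host field is kept, a hostname is not resolved, and such an event collapses to the relay's address. The sample events, the relay IP and the rule itself are constructed and simplified assumptions; the real product also inspects the payload, as the linked article explains.

```python
import ipaddress
import re

# Constructed sample input: three events as a relay might forward them.
# The relay's own address is what the collector sees on the wire (assumed).
RELAY_IP = "10.0.0.5"
SAMPLE_EVENTS = [
    "<34>Sep 13 13:18:00 192.0.2.10 sshd[411]: Accepted publickey for ops",
    "<34>Sep 13 13:18:01 fw-edge-01 sshd[412]: Failed password for root",
    "garbage without a syslog header",
]

# RFC 3164-style header: <PRI>Mmm dd hh:mm:ss HOST TAG: MSG
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<msg>.*)$"
)

def header_host(line):
    """HOST field of an RFC 3164 header, or None if the line has no header."""
    m = HEADER_RE.match(line)
    return m.group("host") if m else None

def is_ip_literal(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def attributed_source(line, peer_ip):
    """Source address under the rule described in the thread (a simplification,
    not QRadar's code): an IP literal in the header host field is used as-is;
    a hostname is not resolved, so the event falls back to the relay peer."""
    host = header_host(line)
    if host is not None and is_ip_literal(host):
        return host
    return peer_ip

def audit_relayed_events(lines, relay_ip):
    """(host_field, attributed_ip, misattributed) per event; misattributed
    means the source collapsed to the relay's own address."""
    rows = []
    for line in lines:
        src = attributed_source(line, relay_ip)
        rows.append((header_host(line), src, src == relay_ip))
    return rows

for host, src, bad in audit_relayed_events(SAMPLE_EVENTS, RELAY_IP):
    print(host, src, "RELAY" if bad else "ok")
```

Running it over a capture taken on the relay shows in advance which devices need to emit an IP literal (or be sent via the syslog redirect protocol) before rules keyed on source address will fire correctly.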