Hi Jan. I think it may be due to the issue described under APAR IJ31531 (VMware SSO expects only FQDN and you need to put an IP of the vCenter instance). Last time I checked on https://www.ibm.com/community/qradar/home/apars/ this APAR was still shown as OPEN.
I recall hitting a similar issue last year in my lab. However, some time afterwards it started working. I have vCenter's FQDN as the log source identifier and I made sure that the forward and reverse DNS queries from my QRadar instance work properly.
------------------------------
Dusan VIDOVIC
------------------------------
Original Message:
Sent: Tue September 21, 2021 04:32 AM
From: jan4401
Subject: VMware vCenter Log Source Integration
Hi QRadar Community,
I just wanted to add my VMware vSphere vCenter 7.0 to QRadar 7.4 by following the instructions provided by IBM: https://www.ibm.com/docs/en/dsm?topic=vmware-vcenter
One of my colleagues created a read-only account on vCenter as described by VMware: https://www.ibm.com/docs/en/dsm?topic=esxi-configuring-read-only-account-permissions
Unfortunately I am getting an error message in QRadar log source management: "Invalid Credentials when initializing EMCVmWareProtocol"
The credentials are valid because I could log in directly to the VMware vCenter web client.
I found a thread on Reddit where someone mentioned that vCenter 7.0 is not supported: https://www.reddit.com/r/QRadar/comments/ic2lkx/vsphere_server_events_in_qradar/
Unfortunately I didn't find an official statement by IBM or any documentation where the vSphere version is mentioned.
Does someone have any advice to successfully integrate VMware vCenter 7.0 into QRadar?
------------------------------
jan4401
------------------------------