IBM Security QRadar


DLC 1.8.5: TLS Proxy authentication support, Streamlined update installations!

By Shivam Sharma posted 19 days ago

  

When Disconnected Log Collectors (DLCs) need to make outbound connections to the internet to send data to a QRadar deployment hosted elsewhere, such as QRadar on Cloud, a customer-owned QRadar instance running in a cloud provider like Azure, or an MSSP-owned QRadar deployment, policy often requires that outbound traffic to pass through a non-transparent web proxy. Historically the DLC could not do this; as of this release it can be configured to tunnel its TLS traffic to QRadar through a standard web proxy. This also lets you control the outgoing connections from the physical or virtual server or device on which the Disconnected Log Collector (DLC) is installed and running, because the proxy becomes the single egress point. This update is a game-changer for our customers: it likely opens the door for some to start using DLCs for the first time, and it makes life easier for others by removing the need to negotiate exceptions to corporate proxy policy for deployment.

Another major improvement is the ability to install Connectors as separate RPM packages. This lets you add new Connectors (protocols) as soon as they become available for the DLC, without waiting for a new DLC version release. It also streamlines addressing security vulnerabilities in Connectors: when the protocol team releases a new version with the necessary fixes, that Connector can be updated individually instead of through a full DLC upgrade.

Proxy Server Requirements

Ensuring smooth communication is key! The proxy server needs a direct line to the QRadar host on the DLC listen port (which defaults to 32500 but can be adjusted), and it must be configured to permit tunnelled connections to that port. Keep in mind that many proxies only allow CONNECT tunnels to the standard web ports (443 and a few others) by default. The DLC's traffic to QRadar is TLS, which is why it can be tunnelled through a web proxy at all, but it is not ordinary HTTPS on port 443: it goes to a non-standard port, so the proxy's allowed-port list must include the DLC listen port or the proxy will refuse the connection before it ever reaches QRadar. Check this with the proxy team before you enable the proxy on the DLC; a refused port shows up as a failed connection on the DLC side and as a denied CONNECT in the proxy's access log.

TLS Proxy Communication

For secure communication, use a TLS destination through the proxy. The proxy only tunnels the connection: the TLS session is still established end to end between the IBM Disconnected Log Collector and QRadar SIEM, so the log data stays encrypted in transit through the proxy. The Disconnected Log Collector supports basic authentication for proxy authentication, which keeps the configuration simple. Keep in mind that Basic authentication sends the proxy username and password base64-encoded, not encrypted, on the DLC-to-proxy leg, so use a dedicated proxy account for the DLC and keep that leg on a trusted network.
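To make the port and authentication requirements concrete, here is an added example (written for this post; it is not DLC or IBM code) that shows the HTTP CONNECT exchange a client performs to tunnel TLS through a non-transparent web proxy, together with a stand-in proxy that enforces a port allowlist and Basic authentication. It illustrates both the Proxy Server Requirements section and this TLS Proxy Communication section. The host name qradar.example.com, the account dlc-proxy-user and the password are constructed, and the DLC's own client implementation is not shown or claimed to match this line for line.

```python
import base64
import socket
import threading

# Added illustration for this post, not DLC code: it models what a
# non-transparent web proxy sees when a client tunnels TLS to a QRadar host,
# and why the proxy's port allowlist and Basic-auth settings matter.
# The host name, account name and password used below are constructed.

DLC_LISTEN_PORT = 32500  # default DLC listen port on the QRadar host (configurable)


def build_connect_request(host, port, username=None, password=None):
    """Build the HTTP CONNECT request that asks a web proxy to open a tunnel.

    With credentials, a Proxy-Authorization header carrying Basic auth is
    added; Basic is just base64 of "user:password", not encryption.
    """
    lines = [f"CONNECT {host}:{port} HTTP/1.1", f"Host: {host}:{port}"]
    if username is not None:
        token = base64.b64encode(f"{username}:{password}".encode()).decode()
        lines.append(f"Proxy-Authorization: Basic {token}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode()


def _read_head(sock):
    """Read until the end of an HTTP header block (blank line) or EOF."""
    data = b""
    while b"\r\n\r\n" not in data:
        chunk = sock.recv(4096)
        if not chunk:
            break
        data += chunk
    return data


def open_tunnel(sock, host, port, username=None, password=None):
    """Send CONNECT on a socket already connected to the proxy; return the status code.

    200 means the tunnel is up and the TLS handshake with QRadar can start
    inside it; 403 (port not allowed) and 407 (credentials required) are the
    two refusals this post is concerned with.
    """
    sock.sendall(build_connect_request(host, port, username, password))
    status_line = _read_head(sock).split(b"\r\n", 1)[0].decode(errors="replace")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError(f"proxy did not answer with an HTTP status: {status_line!r}")
    return int(parts[1])


def fake_proxy(sock, safe_ports, credentials=None):
    """Stand-in for a web proxy: a CONNECT port allowlist plus optional Basic auth.

    Constructed for this example. Real proxies differ in detail, but refusing
    CONNECT to ports outside a web-ports allowlist and answering 407 when
    credentials are missing or wrong are typical defaults.
    """
    with sock:
        head, *headers = _read_head(sock).decode(errors="replace").split("\r\n")
        method, target = (head.split(" ", 2) + ["", ""])[:2]
        port = target.rpartition(":")[2]
        sent_auth = next((h.split(" ", 1)[1] for h in headers
                          if h.lower().startswith("proxy-authorization: ")), None)
        expected_auth = None
        if credentials is not None:
            expected_auth = "Basic " + base64.b64encode(
                f"{credentials[0]}:{credentials[1]}".encode()).decode()
        if method != "CONNECT":
            reply = b"HTTP/1.1 405 Method Not Allowed\r\n\r\n"
        elif expected_auth is not None and sent_auth != expected_auth:
            reply = (b"HTTP/1.1 407 Proxy Authentication Required\r\n"
                     b'Proxy-Authenticate: Basic realm="proxy"\r\n\r\n')
        elif not port.isdigit() or int(port) not in safe_ports:
            reply = b"HTTP/1.1 403 Forbidden\r\n\r\n"
        else:
            reply = b"HTTP/1.1 200 Connection established\r\n\r\n"
        sock.sendall(reply)


def try_tunnel(safe_ports, credentials, port, username=None, password=None):
    """Run the client against the stand-in proxy over a socketpair (no network needed)."""
    client_end, proxy_end = socket.socketpair()
    worker = threading.Thread(target=fake_proxy, args=(proxy_end, safe_ports, credentials))
    worker.start()
    try:
        client_end.settimeout(5)
        return open_tunnel(client_end, "qradar.example.com", port, username, password)
    finally:
        client_end.close()
        worker.join()


if __name__ == "__main__":
    web_only = {80, 443}                            # web-ports-only default allowlist
    creds = ("dlc-proxy-user", "example-password")   # constructed proxy account
    print("web-only allowlist, DLC port :", try_tunnel(web_only, None, DLC_LISTEN_PORT))
    print("DLC port added to allowlist  :", try_tunnel(web_only | {DLC_LISTEN_PORT}, None, DLC_LISTEN_PORT))
    print("auth required, none sent     :", try_tunnel({DLC_LISTEN_PORT}, creds, DLC_LISTEN_PORT))
    print("auth required, creds sent    :", try_tunnel({DLC_LISTEN_PORT}, creds, DLC_LISTEN_PORT, *creds))
```

Running it gives 403 for the web-ports-only allowlist, 200 once 32500 is added, 407 when the proxy demands credentials and none were sent, and 200 again once they are; those are the same status codes to look for in the proxy's access log when a DLC cannot reach QRadar. The Proxy-Authorization value is nothing more than base64 of user:password, which is why the DLC-to-proxy hop should be treated as cleartext.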

Configuration Process

With version 1.8.5, the Disconnected Log Collector includes a Proxy section in its config.json file, which lets administrators configure the proxy settings during installation or upgrade. Detailed guidance on configuring TLS proxy communication with QRadar can be found in the official documentation: Configuring TLS proxy communication with QRadar.

The following example shows the structure of the Proxy section of config.json with its default values. Note that every value, including proxy.enabled, is a quoted JSON string:

"Proxy": {
     "proxy.description":"",
     "proxy.enabled":"false",
     "proxy.ip":"",
     "proxy.port":"",
     "proxy.username":"",
     "proxy.password":""
}

Note: Proxy settings apply only to the TLS destination type. They are not applicable to the Kafka or UDP destination types.

The following steps will guide you through setting up TLS proxy communication with QRadar:

  1. Change the value of the proxy.enabled parameter from "false" to "true".
  2. Enter the IP address of your proxy server in the proxy.ip parameter.
  3. Set the proxy.port parameter to the port on which the proxy server accepts connections.
  4. A proxy username and password are only required if the proxy has authentication enabled; enabling proxy authentication is recommended as good security practice. If the proxy requires authentication:
    • Enter your username in the proxy.username parameter, exactly as it is defined on the proxy server.
    • Do not paste the password into the file in plaintext. For the proxy.password parameter, follow these steps:
      • Run the script /opt/ibm/si/services/dlc/current/script/encrypt.sh
      • Enter the proxy password in plaintext when the script asks for it.
      • Copy the encrypted value that is displayed and paste it into the proxy.password parameter.
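Before restarting the DLC, it is worth sanity-checking the edited Proxy section. The following is an added example of such a check (written for this post; it is not DLC code and does not know the DLC's own parser). It enforces only the constraints stated in the steps above and in the note on destination types. The destination_type argument, the sample IP address, port and account name, and the placeholder password are constructed; the check cannot verify that the password value is genuine encrypt.sh output.

```python
import ipaddress
import json

# Added pre-flight check for the Proxy section of config.json, written for
# this post; it is not part of the DLC and does not know the DLC's own parser.
# It encodes only what the post states: every value is a JSON string,
# proxy.enabled is "true" or "false", an enabled proxy needs an IP address and
# a port, the credentials come as a pair, and the settings apply to the TLS
# destination type only. The destination_type argument and the sample file
# contents below are constructed for the example.

EXPECTED_KEYS = {"proxy.description", "proxy.enabled", "proxy.ip",
                 "proxy.port", "proxy.username", "proxy.password"}


def check_proxy_section(config_text, destination_type="TLS"):
    """Return a list of problems with the Proxy section; an empty list means it looks consistent."""
    problems = []
    proxy = json.loads(config_text).get("Proxy")
    if proxy is None:
        return ["no Proxy section: the file predates 1.8.5 or the section was removed"]
    for key in sorted(EXPECTED_KEYS - set(proxy)):
        problems.append(f"missing key {key}")
    for key, value in proxy.items():
        if not isinstance(value, str):
            problems.append(f"{key} must be a JSON string (quoted), got {type(value).__name__}")
    enabled = proxy.get("proxy.enabled")
    if enabled not in ("true", "false"):
        problems.append(f'proxy.enabled must be "true" or "false", got {enabled!r}')
    if enabled != "true":
        return problems  # with the proxy off, the remaining values are not used
    if destination_type != "TLS":
        problems.append(f"proxy settings apply only to the TLS destination type, not {destination_type}")
    ip = proxy.get("proxy.ip", "")
    try:
        ipaddress.ip_address(ip)
    except ValueError:
        problems.append(f"proxy.ip is not an IP address: {ip!r}")
    port = proxy.get("proxy.port", "")
    if not (isinstance(port, str) and port.isdigit() and 1 <= int(port) <= 65535):
        problems.append(f"proxy.port must be a port number between 1 and 65535 as a string, got {port!r}")
    user = proxy.get("proxy.username", "")
    pwd = proxy.get("proxy.password", "")
    if bool(user) != bool(pwd):
        problems.append("proxy.username and proxy.password must be set together (password as encrypt.sh output)")
    return problems


# Constructed samples: the shipped defaults, then a section filled in as the
# steps above describe (the password value stands in for encrypt.sh output),
# then a section with the mistakes the check is meant to catch.
SAMPLE_DEFAULTS = """{"Proxy": {
    "proxy.description": "", "proxy.enabled": "false", "proxy.ip": "",
    "proxy.port": "", "proxy.username": "", "proxy.password": ""}}"""

SAMPLE_READY = """{"Proxy": {
    "proxy.description": "corporate egress proxy", "proxy.enabled": "true",
    "proxy.ip": "10.20.30.40", "proxy.port": "3128",
    "proxy.username": "dlc-proxy-user", "proxy.password": "ENCRYPTED-VALUE-FROM-encrypt.sh"}}"""

SAMPLE_BROKEN = """{"Proxy": {
    "proxy.description": "", "proxy.enabled": "true",
    "proxy.ip": "proxy.corp.example", "proxy.port": "0",
    "proxy.username": "dlc-proxy-user", "proxy.password": ""}}"""


if __name__ == "__main__":
    for name, text in (("defaults", SAMPLE_DEFAULTS), ("ready", SAMPLE_READY),
                       ("broken", SAMPLE_BROKEN)):
        print(name, "->", check_proxy_section(text) or "OK")
    print("ready but Kafka destination ->", check_proxy_section(SAMPLE_READY, "Kafka"))
```

The broken sample trips three of the checks at once (a host name where the post asks for an IP address, port 0, and a username without a password), and the same "ready" section is reported as a problem when the destination type is Kafka, matching the note that proxy settings only apply to TLS destinations.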

Conclusion

Proper configuration of proxy settings is vital for ensuring uninterrupted communication between the Disconnected Log Collector and QRadar, especially when operating behind a corporate firewall. By following the outlined steps and utilising the provided resources, administrators can achieve a secure and efficient setup.
