IBM Security QRadar


#BeyondtheDSMGuide: QRadar and JBoss Integration

By Wendy Willner posted Mon August 09, 2021 03:55 PM

  

Hi QRadar Community!

 

Recently one of our Community Members, Michael Richards, did a proof of concept for an integration between QRadar and JBoss (an application server). Mike’s guidance sets a baseline for ingesting (protocol) and parsing (DSM) JBoss logs. 

See below for Michael’s tips on integrating QRadar and JBoss.

Check it out!

Thanks, Mike  :-)

Please note that this integration is not supported by IBM at this time.

 

---------------------------------

Context:

 

JBoss is an application server that was previously bought by Red Hat and has extensive, well-defined documentation on how to: (1) configure the service on a RHEL-based VM, and (2) configure logging to a third-party location:

 

Steps:

  1. Ensure you have a RHEL server 7.2+, and the JBoss 10 installer of your choice to follow along with the installation. If you choose the jar or RPM installer, make sure you have Java installed as well.
  2. Follow the configuration guide to get JBoss to its default installation. Mike opted for the Java installer method and set about installing JBoss 10. Upon reaching the end of the setup steps, review the documentation for logging to an external service here: https://access.redhat.com/solutions/268783. 

 

The documentation advocates for the usage of RSyslog for logging. JBoss writes logs locally and RSyslog monitors those logfiles and then forwards them when required. There is comprehensive documentation on how to configure this for two types of logging: (1) default logging (syslog-handler configuration); and (2) custom logging (https://access.redhat.com/solutions/1276813). Mike leveraged the default logging for his integration.

 

  1. The RSyslog setup is really simple - you just need to install the service, enable UDP (or TCP, which Mike used for his testing, and it worked as well), and, if you used the values defined in the documentation, namely

  • <property name="SyslogHost" value="localhost"/>
  • <property name="Facility" value="LOCAL6"/>

then add the logfile to the list of files to monitor with:

  • local6.* /var/log/jboss/jboss.log

 

You should then have completed all of the setup required.
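As an added example (this is not part of Mike's notes or of Red Hat's documentation), the POSIX shell script below writes the rsyslog rules from the steps above into one drop-in file and adds the piece the notes leave implicit: the rule that actually forwards the LOCAL6 events on to QRadar. The output path, the QRadar hostname and port, the loopback-only UDP listener and the queue settings are assumptions; adjust them for your environment.

```shell
#!/bin/sh
# Added example: generate /etc/rsyslog.d/jboss.conf for the JBoss -> rsyslog -> QRadar path.
# Assumes the JBoss syslog handler sends to localhost with facility LOCAL6 (as in the steps above).

# write_jboss_rsyslog_conf OUTFILE QRADAR_HOST [QRADAR_PORT]
write_jboss_rsyslog_conf() {
    outfile="$1"
    qradar_host="$2"           # assumption: your QRadar event collector / console
    qradar_port="${3:-514}"    # assumption: default syslog port on the QRadar side
    cat > "$outfile" <<EOF
# --- inputs: accept what the JBoss syslog handler sends to localhost ---
# UDP, bound to loopback only so nothing off-box can inject into LOCAL6.
module(load="imudp")
input(type="imudp" port="514" address="127.0.0.1")
# TCP (what Mike used). Older rsyslog (e.g. RHEL 7) cannot bind imtcp to one
# address, so restrict 514/tcp with the host firewall instead.
module(load="imtcp")
input(type="imtcp" port="514")

# --- keep a local copy, exactly as in the steps above ---
local6.* /var/log/jboss/jboss.log

# --- forward the same events to QRadar over TCP ---
# A disk-assisted queue holds events while QRadar is unreachable rather than
# silently dropping them; resumeRetryCount=-1 retries forever.
local6.* action(type="omfwd" target="${qradar_host}" port="${qradar_port}" protocol="tcp"
                queue.type="LinkedList" queue.filename="jboss_fwd"
                queue.saveOnShutdown="on" action.resumeRetryCount="-1")
EOF
}

# check_jboss_rsyslog_conf FILE: static sanity check that the three pieces
# (a listener, the local file rule, the forward to QRadar) are present.
# On the JBoss host itself, run "rsyslogd -N1" for a real syntax check.
check_jboss_rsyslog_conf() {
    f="$1"
    grep -q -e 'type="imudp"' -e 'type="imtcp"' "$f" || return 1
    grep -q '^local6\.\* /var/log/jboss/jboss\.log$' "$f" || return 1
    grep -q 'type="omfwd"' "$f" || return 1
    return 0
}

# Usage: sh jboss-rsyslog.sh /etc/rsyslog.d/jboss.conf <qradar-host> [port]
if [ "$#" -ge 2 ]; then
    write_jboss_rsyslog_conf "$1" "$2" "${3:-514}"
    check_jboss_rsyslog_conf "$1" && echo "wrote $1; now run: rsyslogd -N1 && systemctl restart rsyslog"
fi
```

The `action(type="omfwd" ... protocol="tcp")` line is the modern spelling of the legacy `local6.* @@qradar-host:514` rule (`@@` is TCP, a single `@` is UDP). On the QRadar side you still need a Syslog-protocol log source for the JBoss host's IP, and events will land under the generic syslog DSM until a custom DSM or log source extension parses them.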

 

At this point, anything above your indicated log level should be forwarded into your QRadar instance! Congratulations! Mike recommends going no lower than the logging level ‘INFO’ at this point, since the service can be quite chatty, especially with a lot of traffic hitting the server.

 

At this point, Mike was seeing logs in QRadar and so he wrapped up his initial investigation here.

 

Other thoughts from Mike - Some things you might want to start looking into at this point are:

 

---------------------------------

Thanks Again, Mike!!

Are you going to give it a try? If so, let me know how it goes! Please feel free to reach out to me directly (wendy.willner@ibm.com).
