IBM Security QRadar

  • 1.  Devices stopped sending Events

    Posted Fri January 25, 2019 04:16 AM

    Hi all,

    We all want to be warned when a log source has stopped sending us logs. In most cases the general rules will be more than enough. But most will recognize the problem of having 2 devices in a high-availability setup, where only 1 sends us a constant stream of logs while the other one doesn't. But after a failover it's the other way around (which makes things slightly more complicated). In my case I only want to get an Offense when both of them have stopped sending logs (then I know something's wrong).

    The document in the attachment explains how to monitor both devices and only trigger an offense when both of them haven't sent me any logs in x amount of time (you can tune this as you like).

    I know I've talked to some people who had the same issue, so I hope this helps!

    Regards,

    Christiaan



    ------------------------------
    christiaan spriet
    ------------------------------

    Attachment(s)

    DSSE.docx (387 KB)


  • 2.  RE: Devices stopped sending Events

    Posted Fri April 12, 2019 11:18 AM
    Thank you for sharing your document. I must be missing something. For an HA cluster, what limitations will I have by setting this as the rule logic:

    and when the event(s) have not been detected by one or more of FW1 for 3600 seconds
    and when the event(s) have not been detected by one or more of FW2 for 3600 seconds

    ------------------------------
    Biran Patel
    ------------------------------



  • 3.  RE: Devices stopped sending Events

    Posted Mon April 15, 2019 08:47 AM
    Do you have a QRadar HA license on the second appliance? D1RS0LL (IBM QRadar High Availability Software Install License + SW Subscription & Support 12 Months)? It is required licensing for an HA setup.

    Is the HA side by side or in 2 distinct Data Centers? If 2 different locations, that is DR, not HA, in QRadar licensing.

    If that is the case did you purchase DR license?

    ------------------------------
    Richard Gingras
    QRadar SME
    IBM Security
    Cambridge MA
    ------------------------------



  • 4.  RE: Devices stopped sending Events

    Posted Mon April 15, 2019 05:21 PM
    Hi Richard,

    @christiaan spriet and @Biran Patel are talking about an HA cluster feeding its logs to QRadar. It could be a FW cluster or a LB cluster. It's not about the QRadar HA cluster itself.

    Christiaan is saying that the basic surveillance of the sources is "ok" in most cases.
    Refs.:
    https://www-01.ibm.com/support/docview.wss?uid=swg21991768
    https://www-01.ibm.com/support/docview.wss?uid=swg21981697

    However, in a cluster environment where only one system is logging while the other ones are in standby, we get false positive alerts. The ones on standby do not produce enough logs and the triggers go off.

    Christiaan is giving a very good workaround solution to the community, because I've tested the basic rule conditions provided by QRadar, which are:

    1. when the event(s) have not been detected by one or more of these log sources for this many seconds
    2. when the event(s) have not been detected by one or more of these log source types for this many seconds
    3. when the event(s) have not been detected by one or more of these log source groups for this many seconds

    and none of them can provide an accurate surveillance of a cluster. In these "rule conditions", log sources are looked at individually. Therefore, the work shared by Christiaan comes in handy.

    Thanks!

    ------------------------------
    Anthony Gayadeen
    ------------------------------