Hi Richard,
@christiaan spriet and @Biran Patel are talking about an HA cluster feeding its logs to QRadar. It could be a FW cluster or a LB cluster. It's not about the QRadar HA cluster itself.
Christiaan is saying that the basic surveillance of the sources is "ok" in most cases.
Refs.:
https://www-01.ibm.com/support/docview.wss?uid=swg21991768
https://www-01.ibm.com/support/docview.wss?uid=swg21981697
However, in a cluster environment where only one system is logging while the other ones are in standby, we get false positive alerts. The ones on standby do not produce enough logs and the triggers go off.
Christiaan is giving a very good workaround solution to the community, because I've tested the basic rule conditions provided by Qradar, which are:
1. when the event(s) have not been detected by one or more of these log sources for this many seconds
2. when the event(s) have not been detected by one or more of these log source types for this many seconds
3. when the event(s) have not been detected by one or more of these log source groups for this many seconds
and none of them can provide an accurate surveillance of a cluster. In these "rule conditions", log sources are looked at individually. Therefore, the work shared by Christiaan comes in handy.
Thanks!
------------------------------
Anthony Gayadeen
------------------------------
Original Message:
Sent: Mon April 15, 2019 08:47 AM
From: Richard Gingras
Subject: Devices stopped sending Events
Do you have a QRadar HA license on the second appliance? D1RS0LL (IBM QRadar High Availability Software Install License + SW Subscription & Support 12 Months) ? It is required licensing for HA set up.
Is the HA side by side or in 2 distinct data centers? If 2 different locations, that is DR, not HA, in QRadar licensing.
If that is the case did you purchase DR license?
------------------------------
Richard Gingras
QRadar SME
IBM Security
Cambridge MA
Original Message:
Sent: Fri April 12, 2019 11:18 AM
From: Biran Patel
Subject: Devices stopped sending Events
Thank you for sharing your document. I must be missing something. For an HA cluster, what limitations will I have by setting this as the rule logic:
and when the event(s) have not been detected by one or more of FW1 for 3600 seconds
and when the event(s) have not been detected by one or more of FW2 for 3600 seconds
------------------------------
Biran Patel
Original Message:
Sent: Fri January 25, 2019 04:16 AM
From: christiaan spriet
Subject: Devices stopped sending Events
Hi all,
we all want to be warned when a log source has stopped sending us logs. In most cases the general rules will be more than enough. But most will recognize the problem of having 2 devices in a high-availability setup, where only 1 sends us a constant stream of logs while the other one doesn't. But after a failover it's the other way around (which makes things slightly more complicated). In my case I only want to get an Offense when both of them have stopped sending logs (then I know something's wrong).
The document in attachment explains how to monitor both the devices and only trigger an offense when both of them haven't sent me any logs in x amount of time (you can tune this as you like).
I know I've talked to some people who had the same issue, so I hope this helps!
Regards,
Christiaan
------------------------------
christiaan spriet
------------------------------
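The difference between the built-in per-log-source conditions Anthony lists and the "only alert when both cluster members are quiet" logic Christiaan describes, as an added illustration that is not from the original posts or from the attached document: a small Python simulation of both rule evaluations over constructed sample timestamps. The log source names (FW1, FW2, LB1, LB2), the cluster grouping and all timestamps are constructed for the example, and nothing here calls QRadar itself; it only models how the two rule styles would decide on the same data.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from the original thread): each tuple is
# (log source name, ISO-8601 timestamp of an event received from it).
SAMPLE_EVENTS = [
    ("FW1", "2019-04-12T09:00:00"),
    ("FW1", "2019-04-12T10:59:30"),   # active firewall node, still logging
    ("FW2", "2019-04-12T08:00:00"),   # standby node: quiet for hours, by design
    ("LB1", "2019-04-12T09:50:00"),   # both load-balancer nodes went quiet
    ("LB2", "2019-04-12T07:00:00"),
]

# Hypothetical cluster membership; in QRadar this would be a log source group.
CLUSTERS = {
    "fw-cluster": ["FW1", "FW2"],
    "lb-cluster": ["LB1", "LB2"],
}


def parse_ts(value):
    return datetime.fromisoformat(value)


def last_seen(events):
    """Return the most recent event timestamp per log source."""
    seen = {}
    for source, ts in events:
        t = parse_ts(ts)
        if source not in seen or t > seen[source]:
            seen[source] = t
    return seen


def is_silent(seen, source, now, threshold_seconds):
    """A source is silent if it never logged or its last event is older than the threshold."""
    last = seen.get(source)
    if last is None:
        return True
    return (now - last) > timedelta(seconds=threshold_seconds)


def per_source_alerts(seen, sources, now, threshold_seconds):
    """Built-in style rule: every log source is judged on its own, so a
    healthy standby node that is quiet by design is reported as a problem."""
    return sorted(s for s in sources if is_silent(seen, s, now, threshold_seconds))


def cluster_alerts(seen, clusters, now, threshold_seconds):
    """Cluster-aware rule: a group is reported only when all of its members are
    silent, which is the same decision regardless of which node is active."""
    return sorted(
        name for name, members in clusters.items()
        if all(is_silent(seen, m, now, threshold_seconds) for m in members)
    )


def evaluate(events=SAMPLE_EVENTS, clusters=CLUSTERS,
             now="2019-04-12T11:00:00", threshold_seconds=3600):
    """Run both rule styles against the same data and return their verdicts."""
    seen = last_seen(events)
    all_sources = [m for members in clusters.values() for m in members]
    now_dt = parse_ts(now)
    return {
        "per_source": per_source_alerts(seen, all_sources, now_dt, threshold_seconds),
        "cluster": cluster_alerts(seen, clusters, now_dt, threshold_seconds),
    }


if __name__ == "__main__":
    result = evaluate()
    print("per-source rule fires for:", result["per_source"])   # includes the standby FW2
    print("cluster-aware rule fires for:", result["cluster"])    # only the fully silent LB pair
```

With the sample data, the per-source evaluation flags FW2 (the standby) together with the genuinely dead LB pair, while the cluster evaluation flags only lb-cluster; after a failover, where FW2 logs and FW1 goes quiet, the cluster evaluation stays silent for fw-cluster without any rule change, and a group whose members have never logged at all is still reported.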