QRadar XDR

  • 1.  VMware vCenter Log Source Integration

    Posted Tue September 21, 2021 04:33 AM
    Hi QRadar Community,

    I just wanted to add my VMware vSphere vCenter 7.0 to QRadar 7.4 by following the instructions provided by IBM: https://www.ibm.com/docs/en/dsm?topic=vmware-vcenter

    One of my colleagues created a read-only account on vCenter as described by VMware: https://www.ibm.com/docs/en/dsm?topic=esxi-configuring-read-only-account-permissions

    Unfortunately I am getting an error message in QRadar log source management: "Invalid Credentials when initializing EMCVmWareProtocol"

    The credentials are valid because I could log in directly to the VMware vCenter web client.


    I found a thread on Reddit where someone mentioned that vCenter 7.0 is not supported: https://www.reddit.com/r/QRadar/comments/ic2lkx/vsphere_server_events_in_qradar/
    Unfortunately I didn't find an official statement by IBM or any documentation where the supported vSphere version is mentioned.


    Does anyone have any advice on successfully integrating VMware vCenter 7.0 into QRadar?


    ------------------------------
    jan4401
    ------------------------------


  • 2.  RE: VMware vCenter Log Source Integration

    Posted Wed September 22, 2021 07:52 AM

    Hi Jan. I think it may be due to the issue described under APAR IJ31531 (VMware SSO expects only an FQDN, and you need to put an IP of the vCenter instance). Last time I checked on https://www.ibm.com/community/qradar/home/apars/ this APAR was still shown as OPEN.

    I recall hitting a similar issue last year in my lab. However, some time afterwards it started working. I have vCenter's FQDN as the log source identifier, and I made sure that the forward and reverse DNS queries from my QRadar instance work properly.



    ------------------------------
    Dusan VIDOVIC
    ------------------------------
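    The reply above recommends verifying that forward and reverse DNS for the vCenter FQDN resolve consistently from the QRadar host before suspecting the credentials. The script below is an added example, not code from this thread, from IBM or from VMware: it separates the pure consistency check (forward A/AAAA answers versus the PTR name behind each address) from the live lookups so the logic can be tested offline, and it uses only the Python standard library, which is assumed to be available on the QRadar console or event collector where the log source is configured. The hostname `vcenter.example.internal` and the address `10.0.0.5` are constructed placeholders.

```python
"""Forward/reverse DNS consistency check for a log source identifier.

Added example for the QRadar/vCenter thread. Run it on the collector host:
    python3 dns_check.py vcenter.example.internal
"""
import socket
import sys
from typing import Dict, List


def check_dns_consistency(fqdn: str,
                          forward_ips: List[str],
                          reverse_names: Dict[str, List[str]]) -> Dict[str, object]:
    """Pure logic, no network: given the forward answers for fqdn and, per IP,
    the PTR names returned for that IP, report whether every IP maps back to
    fqdn. Trailing dots and letter case are normalised before comparing."""
    fqdn_norm = fqdn.rstrip(".").lower()
    problems: List[str] = []
    if not forward_ips:
        problems.append(f"no forward (A/AAAA) record for {fqdn_norm}")
    for ip in forward_ips:
        names = [n.rstrip(".").lower() for n in reverse_names.get(ip, [])]
        if not names:
            problems.append(f"no PTR record for {ip}")
        elif fqdn_norm not in names:
            # SSO that expects an FQDN will see a name the collector never asked for.
            problems.append(f"PTR for {ip} is {names}, not {fqdn_norm}")
    return {
        "fqdn": fqdn_norm,
        "forward_ips": list(forward_ips),
        "ok": not problems,
        "problems": problems,
    }


def resolve_forward(fqdn: str) -> List[str]:
    """All IPv4/IPv6 addresses the host resolver returns for fqdn (empty on failure)."""
    try:
        infos = socket.getaddrinfo(fqdn, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def resolve_reverse(ip: str) -> List[str]:
    """Canonical PTR name plus aliases for ip (empty when no PTR exists)."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
    except (socket.herror, socket.gaierror):
        return []
    return [name] + list(aliases)


def live_check(fqdn: str) -> Dict[str, object]:
    """Resolve fqdn with the host's resolver and run the consistency check."""
    ips = resolve_forward(fqdn)
    return check_dns_consistency(fqdn, ips, {ip: resolve_reverse(ip) for ip in ips})


# Constructed sample answers, used to show the three outcomes without a network.
SAMPLE_FQDN = "vcenter.example.internal"
SAMPLE_GOOD = check_dns_consistency(
    SAMPLE_FQDN, ["10.0.0.5"], {"10.0.0.5": ["VCENTER.example.internal."]})
SAMPLE_WRONG_PTR = check_dns_consistency(
    SAMPLE_FQDN, ["10.0.0.5"], {"10.0.0.5": ["esxi01.example.internal"]})
SAMPLE_NO_FORWARD = check_dns_consistency(SAMPLE_FQDN, [], {})


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else SAMPLE_FQDN
    result = live_check(target)
    print(f"{result['fqdn']} -> {result['forward_ips'] or 'unresolved'}")
    for problem in result["problems"]:
        print("  PROBLEM:", problem)
    print("DNS consistent" if result["ok"] else "DNS inconsistent; fix before re-testing the log source")
    sys.exit(0 if result["ok"] else 1)
```

    A non-zero exit means the identifier the protocol will present does not round-trip through DNS, which is worth ruling out before changing credentials or the log source identifier again.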



  • 3.  RE: VMware vCenter Log Source Integration

    Posted Thu September 23, 2021 04:45 AM
    Hi Dusan,

    Thanks for the answer.
    Unfortunately, changing the log source identifier did not fix my problem :/.

    Best Regards
    Jan

    ------------------------------
    jan4401
    ------------------------------