IBM Security QRadar


Forward logs from ArcSight to Qradar

  • 1.  Forward logs from ArcSight to Qradar

    Posted Mon June 08, 2020 01:43 PM
    Hello all,

    I have an ArcSight Logger in one of our datacenters and I configured this Logger to send events to our QRadar. We did exactly the same as in the video below, Arcsight Migration Syslog Redirect.
    Arcsight Migration Syslog Redirect
    Link to the Box folder with the index to more QRadar videos: https://ibm.ent.box.com/s/ich0yyiw54y0ek6s9a66xvtjku8e42rc Link to arcsight sample logs https://...

    See the attached files. The issue now is that all events are Unknown. If anyone can help I will be very grateful.
    Regards.

     

    ------------------------------
    cherbani samir
    ------------------------------


  • 2.  RE: Forward logs from ArcSight to Qradar

    Posted Tue June 09, 2020 11:45 AM
    What do the events look like? If they aren't of a type/format that QRadar supports out-of-the-box, you may need to use the DSM Editor to define your own parsing and categorization logic.

    Cheers
    Colin

    ------------------------------
    COLIN HAY
    IBM Security
    ------------------------------



  • 3.  RE: Forward logs from ArcSight to Qradar

    Posted Wed June 10, 2020 07:20 AM
    Hi Colin;

    The events are in the ArcSight CEF format, see the example below, sent from a Fortinet firewall to the ArcSight Logger and then from the Logger to QRadar. I know that QRadar doesn't support ArcSight natively, but in the video I shared we can see that QRadar can parse events received from ArcSight.
    CEF:0|Fortinet|Fortigate|v.XXX|00013|traffic:forward server-rst|Low| eventId=46125042 type=1 start=1591787473000 app=TCP-8445 proto=TCP in=320 out=480 categorySignificance=/Informational categoryBehavior=/Access categoryDeviceGroup=/Firewall catdt=Network-based IDS/IPS categoryOutcome=/Success categoryObject=/Host/Application/Service art=1591787519718 cat=traffic:forward deviceSeverity=3 act=server-rst rt=1591787509000 src=XX.XX.XX.XX sourceZoneURI=/All Zones/ArcSight System/Private Address Space Zones/RFC1918: XX.XX.XX.XX-XX.XX.XX.XX dst=XX.XX.XX.XX destinationZoneURI=/All Zones/ArcSight System/Private Address Space Zones/RFC1918: XX.XX.XX.XX.255.255.255 dpt=8445 cnt=8 ahost=test.local agt=XX.XX.XX.XX agentZoneURI=/All Zones/ArcSight System/Private Address Space Zones/RFC1918: XX.XX.XX.XX.255.255.255 amac=XX.XX.XX.XX av=7.14.0.8241.0 atz=Europe  at=syslog dvchost=FW-2000APP13 dtz=Europe/ deviceExternalId=XXXXXXX deviceInboundInterface=XXXXX  deviceOutboundInterface=XXXXXX geid=68000615683515951 _cefVer=0.1 aid=\=\=

    ------------------------------
    cherbani samir
    ------------------------------



  • 4.  RE: Forward logs from ArcSight to Qradar
    Best Answer

    Posted Wed June 10, 2020 03:38 PM

    Hi Cherbani,

    Some of our DSMs (parsers) do support parsing CEF format (like Windows, as shown in the video), but the Fortinet one does not. Additionally, based on your screenshots, those events are being routed directly to the "ArcSight Syslog Redirect" log source, which is of type Universal DSM, which can't parse anything without a log source extension being attached. In the video, Jose is using his syslog redirect log source as a "gateway log source", meaning it is a collection/ingress point for event data from many sources and based on the value extracted with its configured regex, it will tag each event with that extracted value as its "source". There needs to be a separate log source with a Log Source Identifier that matches that extracted value, for each possible value. In the video, these "receiver" log sources autodetect because our Windows DSM recognizes the CEF format so they don't need to be manually created.

    In your case, because the events are being routed to the ArcSight Syslog Redirect log source, it means your regex is capturing a value that matches the Log Source Identifier of that same log source.

    So what you should do is change the Log Source Identifier of your gateway log source to something else (it doesn't matter what, since it doesn't need to receive any events itself), then use the DSM Editor to add parsing support for the CEF format to the Fortinet DSM. At that point, because the DSM will now be able to parse and recognize the events, "receiver" log sources of type Fortinet should autodetect for each unique value of the dvc field which you are extracting with the Syslog Redirect gateway.

    Cheers
    Colin



    ------------------------------
    COLIN HAY
    IBM Security
    ------------------------------



  • 5.  RE: Forward logs from ArcSight to Qradar

    Posted Thu June 11, 2020 07:37 AM
    Hi Colin; 

    First, thank you very much for your help. I have one last question, please: I have other equipment that sends events to my ArcSight Logger (Fortinet FW + Cisco FW + Unix servers ...), so should I add parsing support for each type of log source?

    Regards.

    ------------------------------
    cherbani samir
    ------------------------------



  • 6.  RE: Forward logs from ArcSight to Qradar

    Posted Fri June 12, 2020 09:55 AM
    Yes, I think you'll need to. Only a relatively small number of DSMs have support for the CEF format. Fortunately the DSM Editor has specialized handling for CEF-formatted events which makes it pretty easy to do, no need for regex.

    Cheers
    Colin

    ------------------------------
    COLIN HAY
    IBM Security
    ------------------------------



  • 7.  RE: Forward logs from ArcSight to Qradar

    Posted Fri June 12, 2020 09:58 AM
    Hi Colin,
    I hope you are doing well. I changed the log source identifier, but now I don't receive anything from my Logger, even though I see traffic when I do a tcpdump from my QRadar SSH session.
    Regards.

    ------------------------------
    cherbani samir
    ------------------------------



  • 8.  RE: Forward logs from ArcSight to Qradar

    Posted Sun June 14, 2020 04:25 AM
    Hi All,

    I am looking for the SOP (Standard Operating Procedure) document for adding Azure as an event hub in QRadar.
    Please let me know the path or a link from where I can download it.

    It's urgent, please reply back!

    _____________________________
    Thanks & Regards

    Zeeshan Khan
    Mob:9606325808







  • 9.  RE: Forward logs from ArcSight to Qradar

    Posted Mon June 15, 2020 12:06 PM
    Hi Zeeshan,

    This doesn't seem related to this thread, but I think this is the link you're looking for: https://www.ibm.com/support/knowledgecenter/SS42VS_DSM/com.ibm.dsm.doc/c_dsm_guide_microsoft_azure_overview.html

    Cheers
    Colin

    ------------------------------
    COLIN HAY
    IBM Security
    ------------------------------



  • 10.  RE: Forward logs from ArcSight to Qradar

    Posted Mon June 15, 2020 12:03 PM
    Hi Cherbani,

    If the log source identifier of the gateway log source no longer matches the value extracted from the dvc field, then the events should now be routed to the separate "receiver" log sources, if they exist. If they don't exist yet, the events would go to the SIM Generic Log log source. Have you done a "Payload Contains" filter search for something you know is in the payloads, like "CEF:0|Fortinet|Fortigate", but no other filters? I'm wondering if the events are in fact still entering your QRadar system, but you aren't seeing them because your search is currently filtering them out.

    Cheers
    Colin

    ------------------------------
    COLIN HAY
    IBM Security
    ------------------------------
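Added example (not part of the thread and not IBM code) illustrating the routing logic Colin describes in reply 4 and reply 10: a small CEF parser for the FortiGate payload posted in reply 3, plus a simplified model of the Syslog Redirect gateway that re-tags each event with the value its regex extracts and then looks for a log source whose identifier matches. It assumes the gateway regex extracts `dvchost=(\S+)` (the reply says "dvc"; the posted payload carries `dvchost`), that receiver log sources are keyed by that value, and that an event no DSM can parse lands on SIM Generic Log. The sample payload is abridged from reply 3, with the poster's own XX masking kept.

```python
# Added example: parse an ArcSight CEF payload and model QRadar's gateway routing.
# Assumptions (not from IBM docs): gateway regex is dvchost=(\S+); receivers are
# keyed by the extracted value; an unparsed event falls through to SIM Generic Log.
import re
from dataclasses import dataclass, field

HEADER_FIELDS = ("version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity")

# Abridged copy of the payload posted in reply 3 (addresses already masked by the poster).
SAMPLE = ("CEF:0|Fortinet|Fortigate|v.XXX|00013|traffic:forward server-rst|Low| "
          "eventId=46125042 type=1 app=TCP-8445 proto=TCP in=320 out=480 "
          "categoryDeviceGroup=/Firewall catdt=Network-based IDS/IPS categoryOutcome=/Success "
          "cat=traffic:forward deviceSeverity=3 act=server-rst src=XX.XX.XX.XX "
          "sourceZoneURI=/All Zones/ArcSight System/Private Address Space Zones/RFC1918: XX.XX.XX.XX-XX.XX.XX.XX "
          "dst=XX.XX.XX.XX dpt=8445 cnt=8 ahost=test.local atz=Europe  at=syslog "
          "dvchost=FW-2000APP13 dtz=Europe/ geid=68000615683515951 _cefVer=0.1 aid=\\=\\=")

@dataclass
class CefEvent:
    header: dict
    extension: dict

# A key is a run of key characters followed by "=", at start of the extension or after whitespace.
# Because "\" is not a key character, an escaped "\=" inside a value can never start a key.
_KEY_RE = re.compile(r"(?:^|(?<=\s))([A-Za-z0-9_.\[\]-]+)=")
_ESC_RE = re.compile(r"\\(.)")

def _unescape(raw: str) -> str:
    """Undo CEF escaping: \\\\ \\| \\= keep the character, \\n and \\r become control chars."""
    return _ESC_RE.sub(lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), raw)

def parse_cef(line: str) -> CefEvent:
    """Split the seven pipe-delimited header fields (honouring \\|), then the key=value extension."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("not a CEF payload")
    body = line[start + 4:]
    fields, cur, i = [], [], 0
    while i < len(body) and len(fields) < len(HEADER_FIELDS):
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):      # escaped character, never a delimiter
            cur.append(body[i + 1]); i += 2; continue
        if ch == "|":
            fields.append("".join(cur)); cur = []
        else:
            cur.append(ch)
        i += 1
    if len(fields) < len(HEADER_FIELDS):
        raise ValueError("truncated CEF header")
    ext = body[i:]                                  # pipes are legal unescaped here
    keys = list(_KEY_RE.finditer(ext))
    extension = {}
    for n, m in enumerate(keys):                    # value runs up to the next key
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        extension[m.group(1)] = _unescape(ext[m.end():end].strip())
    return CefEvent(dict(zip(HEADER_FIELDS, fields)), extension)

@dataclass
class LogSource:
    name: str
    identifier: str      # QRadar "Log Source Identifier"
    dsm: str

@dataclass
class Deployment:
    gateway: LogSource
    gateway_regex: re.Pattern              # regex configured on the Syslog Redirect gateway
    cef_capable_vendors: set               # DSMs that can parse CEF (e.g. after DSM Editor work)
    receivers: dict = field(default_factory=dict)   # identifier -> receiver LogSource

def route(dep: Deployment, line: str) -> str:
    """Return the name of the log source the event ends up on (simplified model of reply 4/10)."""
    m = dep.gateway_regex.search(line)
    if m is None:                                   # nothing extracted: stays on the gateway
        return dep.gateway.name
    ident = m.group(1)
    if ident == dep.gateway.identifier:             # the collision in reply 4: Universal DSM => Unknown
        return dep.gateway.name
    if ident in dep.receivers:
        return dep.receivers[ident].name
    vendor = parse_cef(line).header["device_vendor"]
    if vendor in dep.cef_capable_vendors:           # a DSM recognises it: receiver autodetects
        dep.receivers[ident] = LogSource(f"{vendor} @ {ident}", ident, vendor)
        return dep.receivers[ident].name
    return "SIM Generic Log"                        # no DSM parsed it (reply 10)

def scenarios() -> dict:
    """Replay the thread: identifier collision, identifier changed, Fortinet DSM taught CEF."""
    rx = re.compile(r"dvchost=(\S+)")
    out = {}
    gw = LogSource("ArcSight Syslog Redirect", "FW-2000APP13", "Universal DSM")
    out["collision"] = route(Deployment(gw, rx, set()), SAMPLE)
    gw = LogSource("ArcSight Syslog Redirect", "arcsight-gateway", "Universal DSM")
    out["no_cef_dsm"] = route(Deployment(gw, rx, set()), SAMPLE)
    dep = Deployment(gw, rx, {"Fortinet"})
    out["autodetect"] = route(dep, SAMPLE)
    out["receivers"] = sorted(dep.receivers)
    return out

if __name__ == "__main__":
    ev = parse_cef(SAMPLE)
    print(ev.header["device_vendor"], ev.extension["dvchost"], repr(ev.extension["aid"]))
    print(scenarios())
```

Running `scenarios()` walks the three states the thread passed through: with the gateway identifier equal to the extracted `dvchost`, the event never leaves the Universal DSM gateway; after the identifier is changed but before the Fortinet DSM understands CEF, it falls to SIM Generic Log (the events that looked "missing" in reply 7 until a Payload Contains search found them); once the DSM can parse CEF, a receiver is created per distinct `dvchost`. The parser also shows why a naive `split("=")` fails on this payload: values such as `Network-based IDS/IPS` contain spaces and `aid=\=\=` contains escaped equals signs.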



  • 11.  RE: Forward logs from ArcSight to Qradar

    Posted Mon June 15, 2020 01:48 PM
    Hi Colin;
     Thank you very much. You are right, the logs were routed to the separate receiver. Now my issue is resolved, thank you very much one more time.
    Warm Regards.

    ------------------------------
    cherbani samir
    ------------------------------