A little work on this.
I have created a new log source; for this example it is named housekeeping-script. Its log source identifier is the IP of the Console.
The DSM used is Universal LEEF for this example.
When I run the following via the CLI
logger -n ConsoleIP -P 514 'LEEF:Version|Vendor|Product|Version|EventID|CLI OUTPUT EXAMPLE'
my output ended up in the housekeeping-script log source I created.
------------------------------
JH
------------------------------
Original Message:
Sent: Fri July 03, 2020 11:02 AM
From: James Hill
Subject: CustomActionScript output to qradar
I think the issue that @Q SIEM is having is that logger is being run on the Console itself, and thus it's ended up in the Custom Rule Engine-8 :: Console log source.
To work around this, I would expect to place the new log source above Custom Rule Engine-8 :: Console in the Log Source Parsing Order?
Would we run the risk of events falling into this new log source over the system CRE LS?
------------------------------
JH
Original Message:
Sent: Mon May 18, 2020 10:30 AM
From: COLIN HAY
Subject: CustomActionScript output to qradar
Hi Q SIEM,
You can still create a log source for these events, just set the Log Source Identifier to the IP of the system you're running the logger command on. The Custom Rule Engine log source has its LSI set to the IP of the QRadar EC/EP/Console that it's assigned to, which is why it's currently receiving these events, but with Low level category=Stored, which means they are being stored only but not parsed.
Cheers
Colin
------------------------------
COLIN HAY
IBM Security
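Putting Colin's advice and JH's logger command together, here is an added example (not code from anyone in this thread, and not an IBM tool) of a wrapper that turns each output line of a housekeeping job into a LEEF 1.0 event and hands it to logger(1). A Universal LEEF log source whose Log Source Identifier is the IP of the host running the script will then parse the events instead of storing them under the Custom Rule Engine log source. The vendor/product/event-ID values, the `housekeeping-script` tag and the 192.0.2.10 default for the Console address are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the thread: wrap script output in LEEF 1.0 and ship
# it to QRadar with logger(1). Vendor/product/event IDs and QRADAR_HOST are
# assumptions for the demo; set SEND=1 to actually send instead of printing.
set -eu

QRADAR_HOST="${QRADAR_HOST:-192.0.2.10}"   # constructed: Console or Event Collector IP
QRADAR_PORT="${QRADAR_PORT:-514}"
SEND="${SEND:-0}"                          # 0 = print events to stdout, 1 = send via logger

# LEEF separates header fields with '|' and attributes with a tab, so either
# character inside a value would split the record. Replace both with a space.
leef_escape_value() {
  printf '%s' "$1" | tr '\t|' '  '
}

# Build one LEEF 1.0 event:
#   LEEF:1.0|Vendor|Product|Version|EventID|key=value<TAB>key=value...
# $1 = event id, $2 = message, $3 = severity 1-10, $4 = devTime (UTC, default now)
leef_event() {
  event_id="$1"; msg="$2"; sev="${3:-3}"
  devtime="${4:-$(date -u '+%b %d %Y %H:%M:%S')}"
  printf 'LEEF:1.0|Example|HousekeepingScript|1.0|%s|sev=%s\tdevTime=%s\tmsg=%s' \
    "$event_id" "$sev" "$devtime" "$(leef_escape_value "$msg")"
}

# Deliver one event. logger prepends the syslog header; the packet's source IP
# is what QRadar matches against the Log Source Identifier, so when this runs
# on the Console itself the events arrive with the Console's own IP.
# Add -T to force TCP; without it logger tries UDP first.
send_event() {
  if [ "$SEND" = 1 ]; then
    logger -n "$QRADAR_HOST" -P "$QRADAR_PORT" -t housekeeping-script "$1"
  else
    printf '%s\n' "$1"
  fi
}

# Read a command's output on stdin and emit one event per non-empty line.
# $1 = event id to use for every line.
ship_output() {
  event_id="$1"
  while IFS= read -r line || [ -n "$line" ]; do
    [ -n "$line" ] || continue
    send_event "$(leef_event "$event_id" "$line" 3)"
  done
}

# Demo with constructed output lines standing in for a real housekeeping job;
# in production you would pipe the job itself: some_cleanup_job | ship_output 100
printf 'purged 42 files from /store/tmp\nrotated log | size=12M\n' | ship_output 100
```

Run it once with SEND=0 to eyeball the LEEF lines, then with SEND=1 and check the events land in the new log source with a parsed event name rather than under Custom Rule Engine with Low level category=Stored. If the script runs on the Console, the new log source's identifier has to be the Console IP, which is the collision JH describes; a quick way to avoid it is to run the script from any other host so its source IP is unique.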
Original Message:
Sent: Tue April 21, 2020 12:58 AM
From: Q SIEM
Subject: CustomActionScript output to qradar
I would like to syslog or create a QRadar event containing the output of a script; so far I have been using logger:
command | logger -T -n CollectorIP -t scriptoutput
This works, but the output is included in "Custom Rule Engine Message", which means I cannot create a log source. I was expecting an 'unknown event'. What are my options?
------------------------------
Q SIEM
------------------------------