Hi,
I am working on a customer engagement where we are onboarding log sources that come from NXLog agents on Windows servers. They have to pass through another log management solution (LogPoint) in JSON format. For that reason I have created a custom JSON parser.
Events are being parsed and mapped as they should. But policies and governance dictate that source IPs must be NAT'd, so now every event coming in has the same source IP. I have discussed this with a number of people, but changing it has been turned down due to the policies and compliance as well as the approved design of the network.
So I see a way of using Reference Data to take the hostname, which is unchanged in the payload, and map it to the original source IP. That will at least help when investigating offenses using searches. Rule creation will also be able to make use of it.
My question is whether anybody has a solid solution to solve this in QRadar. Can we in a smart way work around this issue of having the same source IP for every event coming into QRadar?
Your help and support on this is highly appreciated.
Thanks,
Peter Eibak
------------------------------
Peter Eibak
IBM Security Expert Lab
Denmark
eibak@dk.ibm.xom
------------------------------
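The hostname-to-IP lookup described in the post, written out as an added example (not code from the original post or from QRadar). It parses constructed NXLog-style JSON events that all carry the same NAT'd source IP, restores the pre-NAT address from a hostname reference map, reports hosts missing from the map, and builds the body for QRadar's reference map bulk-load REST call. The host names, IP addresses, console address, map name and sample events are all assumed values.

```python
"""
Re-attaching the real source host to NAT'd NXLog/LogPoint JSON events.

Constructed scenario: every event arrives at QRadar from one NAT'd source
IP, but the NXLog "Hostname" field in the JSON payload is intact. A
reference map (hostname -> original IP) restores the per-host address for
searches and rules. The same map can be pushed to QRadar as a reference
map through the REST API bulk-load endpoint.
"""
import json
from urllib.parse import quote

# Constructed reference data: hostname -> pre-NAT source IP (assumed values).
HOST_TO_IP = {
    "srv-dc01.example.local": "192.168.10.11",
    "srv-web01.example.local": "192.168.20.31",
}

NAT_SOURCE_IP = "10.0.0.1"  # assumed: the single address every event arrives from

# Constructed NXLog-style JSON events as forwarded by LogPoint (not real logs).
SAMPLE_EVENTS = [
    '{"EventTime":"2024-05-01 10:00:00","Hostname":"SRV-DC01.example.local",'
    '"EventID":4624,"Message":"An account was successfully logged on."}',
    '{"EventTime":"2024-05-01 10:00:05","Hostname":"srv-web01.example.local",'
    '"EventID":4625,"Message":"An account failed to log on."}',
    '{"EventTime":"2024-05-01 10:00:09","Hostname":"srv-unknown.example.local",'
    '"EventID":4625,"Message":"An account failed to log on."}',
]


def normalize_host(hostname):
    """Reference map keys match exactly, so fold case and a trailing dot."""
    return hostname.strip().rstrip(".").lower()


def enrich_event(raw_line, ref_map=HOST_TO_IP, nat_ip=NAT_SOURCE_IP):
    """Parse one JSON event and restore the original source IP from the map.

    Adds three fields to the event:
      nat_src_ip       - the shared NAT address the event arrived from
      original_src_ip  - value from the reference map, or None if unmapped
      src_ip_restored  - True only when the lookup succeeded
    Unknown hosts are kept rather than dropped so a rule can flag them.
    """
    event = json.loads(raw_line)
    event["nat_src_ip"] = nat_ip
    original = ref_map.get(normalize_host(event.get("Hostname", "")))
    event["original_src_ip"] = original
    event["src_ip_restored"] = original is not None
    return event


def enrich_events(lines, ref_map=HOST_TO_IP):
    """Enrich a batch of raw JSON lines."""
    return [enrich_event(line, ref_map) for line in lines]


def unmapped_hosts(enriched):
    """Hosts seen in events but absent from the map; feed these back to the map owner."""
    return sorted({normalize_host(e["Hostname"]) for e in enriched
                   if not e["src_ip_restored"]})


def bulk_load_request(map_name, ref_map, console="qradar.example.local"):
    """Build the URL and JSON body for QRadar's reference map bulk load.

    POST /api/reference_data/maps/bulk_load/{name} takes a JSON object of
    key -> value. The map must already exist (created with
    POST /api/reference_data/maps, name and element_type=IP).
    The console host name is an assumed value; no request is sent here.
    """
    url = "https://%s/api/reference_data/maps/bulk_load/%s" % (
        console, quote(map_name, safe=""))
    body = {normalize_host(host): ip for host, ip in ref_map.items()}
    return url, json.dumps(body, sort_keys=True)


if __name__ == "__main__":
    for event in enrich_events(SAMPLE_EVENTS):
        print(event["Hostname"], "->", event["original_src_ip"])
    print("unmapped:", unmapped_hosts(enrich_events(SAMPLE_EVENTS)))
    print(*bulk_load_request("nxlog_host_to_ip", HOST_TO_IP), sep="\n")
```

Whatever normalisation is applied when the map is loaded (lower case, no trailing dot) has to be applied to the hostname property used in searches and rules as well, otherwise lookups silently miss; the third sample event shows the unmapped case that a "new host seen" rule should catch rather than ignore.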