IBM Security QRadar

  • 1.  Redirect incoming traffic

    Posted Fri July 24, 2020 11:05 AM
    Hi All,
    Is there an option to redirect syslog coming in on port 514 to a different port (I want to route it to port 12468) for a particular source IP?

    Is there any configuration I can do in Log Source, Routing rules or forwarding destination in the QRadar UI to achieve the same?

    I basically want to combine multi-line logs coming from Cisco ESA (UDP on dport 514) by redirecting them to dport 12468 (TCP multi-line syslog).

    Thanks,
    Jabez

    ------------------------------
    Jabez Daniel
    ------------------------------


  • 2.  RE: Redirect incoming traffic

    Posted Mon July 27, 2020 04:35 AM
    Forwarding destinations can be used to redirect payload to a different port.
    However, as I recall reading somewhere, for Cisco ESA you would probably need several steps to achieve what you want:
    * create a custom log source (maybe based on the type identifier) and map them to something so they are not unknown/stored
    * use routing rules to redirect this to the created forwarding destination (use the "Prefix a syslog header..." option, as the header is probably not RFC compliant)
    * create a TCP multiline log source (use the selected TCP port you redirected to) to serve as a gateway log source (you should define the aggregation type and pattern there)
    * create the needed log source (using the Source Name Formatting string defined in the gateway log source as the log source identifier for this one)
    I think many have encountered challenges with Cisco ESA logging. I had noticed release notes for AsyncOS 13 mentioning support for CEF format via syslog, so if you have the option to update the source you could probably avoid some headache.

    ------------------------------
    Dusan VIDOVIC
    ------------------------------



  • 3.  RE: Redirect incoming traffic

    Posted Mon July 27, 2020 06:59 AM

    Hi,

    Forwarding destinations and routing rules are used to forward any log from QRadar to another destination.

    Here is the documentation for using TCP multi-line syslog
    https://www.ibm.com/support/knowledgecenter/SS42VS_DSM/com.ibm.dsm.doc/c_logsource_TCPmultiprotocol.html

    UDP multi-line syslog
    https://www.ibm.com/support/knowledgecenter/SS42VS_DSM/com.ibm.dsm.doc/c_logsource_UDPmultiprotocol.html
    For Cisco ESA, please check the DSM guide for Cisco IronPort

    https://www.ibm.com/support/knowledgecenter/en/SS42VS_DSM/com.ibm.dsm.doc/c_dsm_guide_cisco_ironport_overview.html?cp=SS42VS_7.4.0



    ------------------------------
    IKHTEAR BHUYAN
    ------------------------------



  • 4.  RE: Redirect incoming traffic

    Posted Mon July 27, 2020 08:44 AM

    I wonder if this is what you're looking for:
    https://www.ibm.com/support/knowledgecenter/en/SS42VS_DSM/com.ibm.dsm.doc/t_dsm_guide_SunOneLDAP_IPTablecfg.html?cp=SS42VS_7.3.2

    Of course, change the port from 517...

    ------------------------------
    David Broggy, CISSP, GCIH
    Senior Security Consultant, Trustwave
    ------------------------------





  • 5.  RE: Redirect incoming traffic

    Posted Mon July 27, 2020 10:03 AM
    I think David Broggy has provided the best answer. You can use routing rules to forward the single-line parts of the multiline events to port 12468 for multiline recombination, but to avoid storing duplicate data (and the extra hit to your EPS license), you'd also want to drop the original single-line part. But it would be easier (and you don't incur the computational cost of the routing rule) just to redirect the data at the iptables level, before it even gets into the QRadar event pipeline. The link David provided gives the instructions for doing this kind of iptables redirect properly.

    Cheers
    Colin

    ------------------------------
    COLIN HAY
    IBM Security
    ------------------------------
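The iptables approach recommended in the last two replies, written out as a script. This is an added example, not code from the thread or from IBM's documentation. It applies a NAT PREROUTING REDIRECT on the QRadar host that receives the syslog, restricted to one source IP (the per-source filter the original question asks for), and is idempotent so it can be re-run safely. One caveat a practitioner should know before copying the thread's plan: REDIRECT rewrites only the destination port, not the transport, so UDP datagrams arriving on 514 are still UDP after the rewrite. The listener on the target port must therefore be a UDP multiline syslog log source; a TCP multiline log source on 12468 will never see this traffic. The source address 192.0.2.10 is a constructed placeholder for the ESA, and port 12468 is the port named in the thread.

```shell
#!/usr/bin/env bash
# Added example: redirect UDP syslog from one source IP, arriving on
# port 514, to a second UDP listener port on the same QRadar host.
# Not taken from the thread or from IBM docs. The source IP below is a
# constructed placeholder; the ports are the ones discussed in the thread.
#
# Caveat: iptables REDIRECT changes the destination port only. The
# protocol stays UDP, so the log source listening on TO_PORT must be a
# UDP multiline syslog log source, not a TCP multiline one.
set -euo pipefail

SRC_IP="${SRC_IP:-192.0.2.10}"      # constructed example ESA address
FROM_PORT="${FROM_PORT:-514}"       # port the ESA actually sends to
TO_PORT="${TO_PORT:-12468}"         # port of the UDP multiline log source

# True for a numeric port in 1..65535.
valid_port() {
  [[ "$1" =~ ^[0-9]+$ ]] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print the rule specification (everything after the table/chain), so the
# same text can be reused with -A/-I (add), -C (check) and -D (delete).
redirect_rule_spec() {
  local src="$1" from="$2" to="$3"
  valid_port "$from" && valid_port "$to" || return 1
  printf '%s' "-p udp -s $src --dport $from -j REDIRECT --to-ports $to"
}

# Idempotent apply: iptables -C exits non-zero when the rule is absent.
# Inserted at position 1 so an earlier ACCEPT/DROP in nat PREROUTING
# cannot shadow it.
apply_redirect() {
  local spec
  spec="$(redirect_rule_spec "$1" "$2" "$3")"
  # shellcheck disable=SC2086  # word-splitting of $spec is intended
  if iptables -t nat -C PREROUTING $spec 2>/dev/null; then
    echo "rule already present"
  else
    iptables -t nat -I PREROUTING 1 $spec
    echo "rule added"
  fi
}

# Show whatever is in place for the port pair, in iptables-save syntax.
show_redirect() {
  iptables -t nat -S PREROUTING | grep -E -- "--dport $1 .*--to-ports $2" || true
}

if [ "${1:-}" = "apply" ]; then
  [ "$(id -u)" -eq 0 ] || { echo "run as root on the QRadar host that receives the syslog" >&2; exit 1; }
  apply_redirect "$SRC_IP" "$FROM_PORT" "$TO_PORT"
  show_redirect "$FROM_PORT" "$TO_PORT"
else
  echo "dry run; rule that 'apply' would insert:"
  echo "iptables -t nat -I PREROUTING 1 $(redirect_rule_spec "$SRC_IP" "$FROM_PORT" "$TO_PORT")"
fi
```

Run it without arguments for a dry run, and as root with `apply` on the event collector or console that owns the 514 listener. A live insert like this does not survive a reboot; make it persistent the way the IBM page linked above describes rather than relying on the runtime rule alone. To confirm the rewrite is happening, `tcpdump -ni any udp port 12468` while the ESA is sending should show the datagrams, and the original log source on 514 should stop receiving events from that source IP, which is what removes the duplicate-storage and EPS concern raised in the last reply.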