IBM Security QRadar

I've found this documentation online and have looked in the DSM guide but I have not been able to make this work.

https://www.ibm.com/support/knowledgecenter/en/SS42VS_DSM/com.ibm.dsm.doc/t_DSM_guide_MAC_cfg_syslog.html?cp=SS42VS_7.3.2#t_dsm_guide_mac_cfg_syslog

I created a shell script file named /Users/Shared/QRadar/QRadarLogging.sh with this content and have made the script executable

#!/bin/sh
/Users/Shared/QRadar/logStream.pl -H 10.34.102.231

I have also created a .plist file with the content below, made it executable, and copied it to the /Library/LaunchDaemons/ directory (it has the proper XML format in the file but it did not come through here when pasted)

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www
.apple.com/DTDs/PropertyList-1.0.dtd"><plist version="1.0">
<dict>
<key>Label</key>
<string>com.USFlogSource.app</string>
<key>Program</key>
<string>/Users/Shared/QRadar/QRadarLogging.sh</string>
<key>RunAtLoad</key>
<true/>
</dict>
</plist>

I believe that the issue is that there is no logStream.pl file. I have searched high and low trying to find what this, what appears to be a perl script, should contain. I have not been able to find it anywhere.

Has anyone out there successfully configured MacOS to send logs to QRadar on MacOS systems that are using the new Unified Logging?

Also looking for any guidance on filtering.

TIA,

Robert

------------------------------
Robert Strom
------------------------------

The script is available on Fix Central http://www.ibm.com/support/fixcentral/swg/quickorder?parent=IBM%20Security&product=ibm/Other+software/IBM+Security+QRadar+SIEM&release=7.3.0&platform=Linux&function=fixId&fixids=7.3-QRADAR-QRSCRIPT-logStream-1.0&includeSupersedes=0&source=fc

------------------------------
Charlie Ma
------------------------------

Original Message:
Sent: Sat November 02, 2019 08:24 PM
From: Robert Strom
Subject: Sending MacOS logs to QRadar

I've found this documentation online and have looked in the DSM guide but I have not been able to make this work.

https://www.ibm.com/support/knowledgecenter/en/SS42VS_DSM/com.ibm.dsm.doc/t_DSM_guide_MAC_cfg_syslog.html?cp=SS42VS_7.3.2#t_dsm_guide_mac_cfg_syslog

I created a shell script file named /Users/Shared/QRadar/QRadarLogging.sh with this content and have made the script executable

#!/bin/sh
/Users/Shared/QRadar/logStream.pl -H 10.34.102.231

I have also created a .plist file with the content below, made it executable, and copied it to the /Library/LaunchDaemons/ directory (it has the proper XML format in the file but it did not come through here when pasted)

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www
.apple.com/DTDs/PropertyList-1.0.dtd"><plist version="1.0">
<dict>
<key>Label</key>
<string>com.USFlogSource.app</string>
<key>Program</key>
<string>/Users/Shared/QRadar/QRadarLogging.sh</string>
<key>RunAtLoad</key>
<true/>
</dict>
</plist>

I believe that the issue is that there is no logStream.pl file. I have searched high and low trying to find what this, what appears to be a perl script, should contain. I have not been able to find it anywhere.

Has anyone out there successfully configured MacOS to send logs to QRadar on MacOS systems that are using the new Unified Logging?

Also looking for any guidance on filtering.

TIA,

Robert

------------------------------
Robert Strom
------------------------------

I created the integration as per the URL https://www.ibm.com/docs/en/dsm?topic=x-configuring-syslog-your-apple-mac-os, but there are no macOS logs in QRadar.
Is it possible to verify that correctly created scripts work on macOS (they run correctly and records are sent to QRadar)?

------------------------------
Martin Hansgut
Security Specialist
TOTAL SERVICE a.s.
------------------------------

Original Message:
Sent: Sat November 02, 2019 08:24 PM
From: Robert Strom
Subject: Sending MacOS logs to QRadar

I've found this documentation online and have looked in the DSM guide but I have not been able to make this work.

https://www.ibm.com/support/knowledgecenter/en/SS42VS_DSM/com.ibm.dsm.doc/t_DSM_guide_MAC_cfg_syslog.html?cp=SS42VS_7.3.2#t_dsm_guide_mac_cfg_syslog

I created a shell script file named /Users/Shared/QRadar/QRadarLogging.sh with this content and have made the script executable

#!/bin/sh
/Users/Shared/QRadar/logStream.pl -H 10.34.102.231

I have also created a .plist file with the content below, made it executable, and copied it to the /Library/LaunchDaemons/ directory (it has the proper XML format in the file but it did not come through here when pasted)

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www
.apple.com/DTDs/PropertyList-1.0.dtd"><plist version="1.0">
<dict>
<key>Label</key>
<string>com.USFlogSource.app</string>
<key>Program</key>
<string>/Users/Shared/QRadar/QRadarLogging.sh</string>
<key>RunAtLoad</key>
<true/>
</dict>
</plist>

I believe that the issue is that there is no logStream.pl file. I have searched high and low trying to find what this, what appears to be a perl script, should contain. I have not been able to find it anywhere.

Has anyone out there successfully configured MacOS to send logs to QRadar on MacOS systems that are using the new Unified Logging?

Also looking for any guidance on filtering.

TIA,

Robert

------------------------------
Robert Strom
------------------------------