IBM Security QRadar

  • 1.  Telnet host from QRadar

    Posted Wed July 31, 2019 09:16 AM
    Hello Team

    Hello Group

    I have installed and configured IBM QRadar. After that I configured the Network Hierarchy, then I configured the Log Source, and lastly I added a Windows Server 2012 and a Linux OS in Assets. I have also configured the rsyslog config on the Linux OS and WinCollect on the Windows machine. But still I don't see any Windows or Linux logs in my Log Activity.

    But when I try to telnet to the Windows machine it gives me the error "no route to host", even though I have turned off the firewall of the Windows machine and have also run the "tcpdump" command.


    ------------------------------
    Irfan Ullah
    ------------------------------


  • 2.  RE: Telnet host from QRadar

    Posted Thu August 01, 2019 02:40 AM
    Hi,
    On the Windows machine, for testing purposes I would turn on auditing because it generates a massive amount of logs.
    On the Windows machine check C:\Program Files\IBM\WinCollect\logs for errors.
    Check the connectivity between WinCollect and QRadar: https://QRadarIPAddress:8413 - if it works you will get a "Your connection is not secure" message.
    On the QRadar CLI: netstat -tulnp | grep 8413 - you will get something like this:

    tcp6 0 0 :::8413 :::* LISTEN 22026/java
    On the QRadar console check Admin - Data Sources - WinCollect - there is your status of the agent. If it's installed as a managed agent, you won't see a standalone agent there.
    On the Log Source, check the WinCollect agent, whether you selected the right one.
    On the Log Source's Target Internal Destination, if it is default it will say eventcollector0 :: qradar - check that you have the right one in the WinCollect agent's config file.
    Online there is the document QRadar Support 101: WinCollect Troubleshooting - I don't have the link, sorry.
    This is for Windows.
    For Linux, check if the syslog is configured properly.
    This is the link: https://www-01.ibm.com/support/docview.wss?uid=swg21674902 QRadar: Using the command-line to troubleshoot a syslog event source

    Regards,

    Vedran Goricki
    ------------------------------
    Vedran Goricki
    ------------------------------



  • 3.  RE: Telnet host from QRadar

    Posted Fri August 02, 2019 12:08 AM
    Hi Irfan,
    On your Linux box, you should run tcpdump and check what's going out, and on your QRadar box you should also use tcpdump to see what is arriving. This way, you'll know where it's blocked.

    On sender side: # tcpdump -nnA dst <ip_of_recipient> and dst port 514
    On receiver side: # tcpdump -nnA src <ip_of_sender> and dst port 514

    For Windows and WinCollect, usually you'll get a message in your Admin section asking to deploy to integrate the newly connected WinCollect agent. Although, I suggest going through the documents Vedran mentioned => https://www.ibm.com/community/qradar/home/wincollect/
    You'll find all the info about WinCollect.

    Regards,

    ------------------------------
    Anthony Gayadeen, Videotron Ltd
    Montreal QC
    ------------------------------
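As an added example (not code from any poster in this thread), a small POSIX shell script that packages the checks from replies 2 and 3: confirm the console is listening on the WinCollect port 8413 from `netstat -tulnp` output, and emit one marked UDP/514 syslog event so that the sender- and receiver-side `tcpdump` captures have a known packet to look for. It assumes util-linux `logger` on the Linux sender; `QRADAR_IP` is a placeholder and the netstat sample is constructed.

```shell
#!/bin/sh
# Added example, not from the thread: isolate where Linux syslog events
# are lost on the way to QRadar. Assumes util-linux `logger` on the sender;
# QRADAR_IP is a placeholder for the console address.

# Constructed sample of `netstat -tulnp` output; the 8413 line matches the
# one quoted in the thread (WinCollect management port, owned by java).
SAMPLE_NETSTAT='tcp   0 0 0.0.0.0:22   0.0.0.0:*  LISTEN  1234/sshd
udp   0 0 0.0.0.0:514  0.0.0.0:*          5678/java
tcp6  0 0 :::8413      :::*       LISTEN  22026/java'

# listening_on_port PORT: reads netstat -tulnp output on stdin, prints the
# owning PID/program and returns 0 if any socket is bound to PORT.
listening_on_port() {
    awk -v p="$1" '
        $4 ~ (":" p "$") { print $NF; found = 1 }
        END { exit found ? 0 : 1 }'
}

# build_syslog_line TIMESTAMP HOST TAG MESSAGE: the RFC 3164 shape QRadar
# expects on UDP/514 (<14> = facility user, severity info). This is the
# payload the receiver-side `tcpdump -nnA ... dst port 514` should show.
build_syslog_line() {
    printf '<14>%s %s %s: %s\n' "$1" "$2" "$3" "$4"
}

# send_test_event QRADAR_IP: send one tagged user.info event over UDP/514
# with logger, so both tcpdump captures have a recognisable packet.
send_test_event() {
    command -v logger >/dev/null 2>&1 || { echo 'logger not found' >&2; return 1; }
    logger -n "$1" -P 514 -d -p user.info -t qradar-test \
        "connectivity check from $(hostname)"
}

# Self-check against the constructed sample; on the console run the real
# thing with: netstat -tulnp | listening_on_port 8413
if printf '%s\n' "$SAMPLE_NETSTAT" | listening_on_port 8413 >/dev/null; then
    echo 'sample: 8413 listener present'
fi
if [ -n "${QRADAR_IP:-}" ]; then
    send_test_event "$QRADAR_IP"
fi
```

After sending, grep the receiver-side `tcpdump -nnA` output for the `qradar-test` tag: if the packet appears there but not in Log Activity, the problem is the log source configuration rather than the network path.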