IBM QRadar

  • 1.  New: IBM QRadar App For Splunk Data Forwarding v1.0.0

    Posted Fri September 21, 2018 01:28 PM
    IBM QRadar App For Splunk Data Forwarding allows you to forward events from your Splunk Deployment to QRadar. Simply enter the IP of your Splunk instance, discover what data your Splunk instance is collecting, and then point and click to start forwarding your data to QRadar, enabling more security use cases. The app works with both the universal forwarder and heavy forwarder.


    Download the new app from App Exchange.

    ------------------------------
    Ciara Kennedy
    ------------------------------


  • 2.  RE: New: IBM QRadar App For Splunk Data Forwarding v1.0.0

    Posted Sun January 20, 2019 01:07 AM
    Hi Ciara,

    I must warn you about the Splunk forwarder, because it hides some issues that only a few people know about.

    First, if you decide to use the forwarder with the UDP protocol to forward to QRadar, you'll have a surprise. When set to UDP, the forwarder adds an extra header before the log is sent. Therefore, if your log already had a header, QRadar won't be able to parse the double header it receives. The Splunk forwarder is not built like QRadar's forwarder. It doesn't check whether the log already contains a header. It just adds one without any validation.

    Secondly, if you use the TCP protocol, then you've put Splunk in trouble. The forwarder sends the data to its indexers at the same time it forwards to QRadar. So with TCP, if QRadar stops responding, let's say it's restarting, then Splunk will pause indexing and forwarding until QRadar is back online. That means it's not sending the logs to its indexers during this time. Eventually, the Splunk queue overflows, and data is lost. True story. As of today, January 20th, this is still a serious issue.

    I know this seems crazy, but it's how it works. We've opened a ticket with Splunk, and they're not doing anything about it. We've come up with a workaround, since Splunk's forwarder is too primitive.

    I know you've developed this app because a lot of QRadar clients asked for it, but it's quite risky. Unfortunately, my employer doesn't allow me to talk about our workaround solution. However, I will try to get approval. If I do, I'll be back to show you the best way to transfer logs from Splunk to QRadar safely.

    Regards,

    ------------------------------
    Anthony Gayadeen
    ------------------------------



  • 3.  RE: New: IBM QRadar App For Splunk Data Forwarding v1.0.0

    Posted Mon February 11, 2019 07:42 AM
    Edited by Artur Gazda Mon February 11, 2019 07:42 AM
    Hi,

    Are there any updates on this topic?
    I tried to integrate Splunk with QRadar using this app, but I am facing the mentioned issue with the extra header.
    The log source can't be autodiscovered and the events can't be parsed.

    Also, do I still need the App if Splunk is configured manually to forward events to QRadar?
    Do I need the App to discover the Log Source correctly?

    Regards,


    ------------------------------
    Artur Gazda
    ------------------------------



  • 4.  RE: New: IBM QRadar App For Splunk Data Forwarding v1.0.0

    Posted Mon February 11, 2019 06:02 PM
    Hi Artur,
    No update so far, not on my side.

    To avoid all the issues I mentioned, you must use syslog-ng services on each Splunk index server. We first tried with rsyslog, but it kept losing packets. syslog-ng could handle the load we were throwing at it, so we kept it.

    Basically, each indexer must send a copy to its respective syslog-ng on the same server, and this process then forwards the log to QRadar over TCP or UDP. And yes, the log sources are still processed correctly; however, you will not have the correct source IP in every log.

    In QRadar, when the source IP is not present in the log message, it's taken from the server sending the log. This means that you will very often find yourself with Splunk IPs as the source IP in the logs. It's the same issue for the destination IP. You've got to keep this in mind.

    Thanks.

    ------------------------------
    Anthony Gayadeen
    ------------------------------