IBM Security QRadar

  • 1.  Load logs to Qradar

    Posted Fri June 21, 2019 10:19 AM
    Hi
    I'm trying to load some logs from a txt archive into QRadar; does someone know how I can do that?
    I want to try to parse some logs from an unsupported platform with the DSM editor in my test environment.

    Thanks for the help

    ------------------------------
    Johan López
    ------------------------------


  • 2.  RE: Load logs to Qradar

    Posted Mon June 24, 2019 01:53 AM
    Is this Windows or Linux?
    One silly way to do this:

    Load the file on an EP and point the FTP DSM at it. Or, if Windows, use the WinCollect Windows file method.

    ------------------------------
    Charles Senne
    ------------------------------



  • 3.  RE: Load logs to Qradar

    Posted Mon June 24, 2019 06:54 AM
    It looks like you could use the /opt/qradar/bin/logrun.pl

    logrun.pl [-d <host>] [-p <port>] [-f filename] [-u <IP>] [-l] [-t] [-b] [-n NAME] [-v] <messages per second>
    Options:
    -d : destination syslog host (default 127.0.0.1)
    -p : destination port (default 514)
    -f : filename to read (default readme.syslog)
    -b : burst the same message for 20% of the delay time
    -t : use TCP instead of UDP for sending syslogs
    -v : verbose, display lines read in from file
    -n : use NAME for object name in syslog header
    -l : loop indefinately
    -u : use this IP as spoofed sender (default is NOT to send IP header)

    ------------------------------
    Dusan VIDOVIC
    ------------------------------
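For a lab where logrun.pl is not at hand, a stand-alone replay script that does the same job as the options listed above (-d/-p/-t/-n/-l and the trailing events-per-second value), as an added example that is not the forum poster's or IBM's code. The host, port, file name and sensor name are assumptions; it wraps each line of the text archive in an RFC 3164 header so QRadar auto-discovers the log source under the chosen name.

```python
import socket
import time
from datetime import datetime

def format_syslog(line, name="lab-sensor", facility=1, severity=6, when=None):
    """Wrap one raw log line in an RFC 3164 header; NAME plays the role of
    logrun.pl's -n, the hostname QRadar auto-discovers the log source under."""
    when = when or datetime.now()
    # RFC 3164 timestamp: abbreviated month, space-padded day, HH:MM:SS
    ts = f"{when.strftime('%b')} {when.day:2d} {when.strftime('%H:%M:%S')}"
    return f"<{facility * 8 + severity}>{ts} {name} {line.rstrip()}"

def parse_events(lines):
    """Yield usable events from the text archive, skipping blank lines."""
    for raw in lines:
        if raw.strip():
            yield raw.rstrip("\r\n")

def replay(path, host="127.0.0.1", port=514, eps=5, tcp=False,
           name="lab-sensor", loop=False):
    """Send every line of `path` to host:port at about `eps` events per second
    (logrun.pl's trailing <messages per second>); loop=True mirrors -l.
    Returns the number of messages sent."""
    sock = socket.socket(socket.AF_INET,
                         socket.SOCK_STREAM if tcp else socket.SOCK_DGRAM)
    sent = 0
    try:
        if tcp:
            sock.connect((host, port))
        while True:
            with open(path, encoding="utf-8", errors="replace") as fh:
                for event in parse_events(fh):
                    msg = format_syslog(event, name=name).encode("utf-8")
                    if tcp:
                        sock.sendall(msg + b"\n")  # newline-framed over TCP
                    else:
                        sock.sendto(msg, (host, port))
                    sent += 1
                    time.sleep(1.0 / eps)
            if not loop:
                return sent
    except KeyboardInterrupt:  # the only way out of loop=True
        return sent
    finally:
        sock.close()

if __name__ == "__main__":
    # Constructed invocation: point it at your own collector and file.
    print(replay("sample.log", host="192.0.2.10", eps=10, name="fw01"))
```

Run it against the IP of the Event Collector you are building the DSM on; the log source then shows up under the name passed in, with the raw lines ready for the DSM editor.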



  • 4.  RE: Load logs to Qradar

    Posted Fri July 12, 2019 01:23 AM
    Hi,
    As mentioned, "/opt/qradar/bin/logrun.pl" is the way to go in your test environment. I use it all the time. Don't forget to use the loop option; it will keep feeding your test environment while you're integrating the logs with the DSM editor.

    Once your extractions are all good in test, download the LSX created from your DSM editor (the XML file you will find in Admin > Log Sources Extensions) and load it on your production server. You won't need to play with your DSM editor on your production except for creating the log source type and setting your newly added LSX as the default for this log source type.

    Regards,


    ------------------------------
    Anthony Gayadeen, Videotron Ltd
    Montreal QC
    ------------------------------



  • 5.  RE: Load logs to Qradar

    Posted Fri July 12, 2019 04:39 PM
    Thanks for the help, it was really useful, but I have a question.
    Does that XML download the event mappings that I create with the DSM too?

    ------------------------------
    Johan López
    ------------------------------



  • 6.  RE: Load logs to Qradar

    Posted Mon July 15, 2019 11:47 AM

    Hi Johan,
    Yes, the XML will contain all the mappings you've configured in your lab. You won't need to manually redo everything in production; uploading this file will save you time and minimize the risk of errors.
    But like I said, you'll still need to at least create your Log Source Type on your prod environment.



    ------------------------------
    Anthony Gayadeen, Videotron Ltd
    Montreal QC
    ------------------------------



  • 7.  RE: Load logs to Qradar

    Posted Tue July 16, 2019 04:31 PM
    Hi Johan,
    I was wrong: when you import the LSX XML, it's only the parsing (extraction) that is imported. You'll need to map your events again in your production environment. My bad, I haven't done this in a while. I realized my mistake when I tried it on my system a few moments ago. I don't see any way of importing your mapping from another system. I just hope you don't have too many ;)

    Regards,

    ------------------------------
    Anthony Gayadeen, Videotron Ltd
    Montreal QC
    ------------------------------



  • 8.  RE: Load logs to Qradar

    Posted Tue July 16, 2019 04:51 PM
    You could look into contentManagement.pl to search, export and import
    only specific entities. If it's a short list, I'd probably choose to redo
    the extractions as well, however.