Hi Chinmay,
We are slowly proceeding towards our integration of LogDNA (which resides in Azure cloud) and QRadar, and we have selected the Event Hub option (it's already created in the Azure portal on the other side). I have asked them for the details of the parameters we require for this integration:
- Event Hub connection string: this includes a) Event Hub namespace name, b) Event Hub name, c) SAS key name, d) SAS key.
- Consumer group name: when an Azure Event Hub is created, a $Default consumer group is created. This allows an application using that consumer group to get started and begin reading events.
- Storage account connection string: this includes a) Storage account name, b) Storage account key.
Now I need to understand the communication part. What ports need to be open from both sides? I need a little clarity on this;
I might need to contact my network/communication team. I went through the document and it says the below:
"To collect events from Microsoft Azure Event Hubs, you need to create a Microsoft Azure Storage Account and an Event Hub entity under the Azure Event Hub Namespace. For every Namespace, port 5671 and port 5672 must be open.
For every Storage Account, port 443 must be open.
Note: The Microsoft Azure Event Hubs protocol can't connect by using a proxy server."
So I can ask my network team to open ports 5671 and 5672; do we have any other requirements besides this for successful communication?
Regards
Asif Siddiqui
------------------------------
asif siddiqui
------------------------------
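An added example (not from this thread or from IBM/Azure) that pulls the namespace, hub name, SAS key name and storage host out of the two connection strings listed above, derives the host/port pairs from the quoted documentation (5671 and 5672 to the namespace, 443 to the storage account), and tests plain TCP reachability so the firewall request to the network team can be verified. The connection strings are constructed placeholders in Azure's standard `Key=Value;` format; the hub, namespace and account names are assumptions.

```python
import socket
from urllib.parse import urlparse

# Constructed sample strings with placeholder keys (not real credentials).
EH_CONN = ("Endpoint=sb://contoso-ns.servicebus.windows.net/;"
           "SharedAccessKeyName=qradar-listen;SharedAccessKey=PLACEHOLDER==;"
           "EntityPath=logdna-hub")
ST_CONN = ("DefaultEndpointsProtocol=https;AccountName=contosostorage;"
           "AccountKey=PLACEHOLDER==;EndpointSuffix=core.windows.net")

def parse_conn_string(conn):
    """Split 'Key=Value;...' into a dict; partition keeps the '=' padding of base64 keys."""
    fields = {}
    for part in conn.strip().strip(";").split(";"):
        key, _, value = part.partition("=")
        if key:
            fields[key.strip()] = value.strip()
    return fields

def eventhub_params(conn):
    """Return (namespace host, event hub name, SAS key name); raise if a field is missing."""
    f = parse_conn_string(conn)
    missing = [k for k in ("Endpoint", "SharedAccessKeyName", "SharedAccessKey", "EntityPath") if k not in f]
    if missing:
        raise ValueError(f"Event Hub connection string missing {missing}")
    return urlparse(f["Endpoint"]).hostname, f["EntityPath"], f["SharedAccessKeyName"]

def storage_host(conn):
    """Return the blob endpoint host of the storage account; raise if a field is missing."""
    f = parse_conn_string(conn)
    missing = [k for k in ("AccountName", "AccountKey") if k not in f]
    if missing:
        raise ValueError(f"Storage connection string missing {missing}")
    return f"{f['AccountName']}.blob.{f.get('EndpointSuffix', 'core.windows.net')}"

def required_targets(eh_conn, st_conn):
    """Outbound host/port pairs the QRadar event collector must reach: AMQP over TLS (5671)
    and AMQP (5672) to the namespace, HTTPS (443) to the storage account."""
    ns_host, _, _ = eventhub_params(eh_conn)
    return [(ns_host, 5671), (ns_host, 5672), (storage_host(st_conn), 443)]

def tcp_reachable(host, port, timeout=3.0):
    """Plain TCP connect test; run it on the collector host itself, since the protocol uses no proxy."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

if __name__ == "__main__":
    for host, port in required_targets(EH_CONN, ST_CONN):
        print(f"{host}:{port} -> {'open' if tcp_reachable(host, port) else 'BLOCKED'}")
```

Run it from the event collector that the log source's target event collector option names; a BLOCKED line is the exact host and port to put in the firewall request.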
Original Message:
Sent: Fri December 13, 2019 03:34 AM
From: Chinmay Kulkarni
Subject: LogDNA integration with Qradar
@asif siddiqui
Perfect. Hope it helps.
Good luck man.
Needless to say, if you need any help, just let me know :)
------------------------------
Chinmay Kulkarni
Original Message:
Sent: Fri December 13, 2019 12:53 AM
From: asif siddiqui
Subject: LogDNA integration with Qradar
Hi Chinmay,
Thanks for this valuable information in simple language. Now I have something to discuss with clients about the requirements for this integration.
We are currently running QROC (QRadar on Cloud) with version v7.3.2.
And yes, I do see "Microsoft Azure Event Hubs" under protocol configuration when I select "Microsoft Azure Platform".
So manually installing RPMs is not required, I guess.
I will check with the client which option they have in place (I mean 1) log management system or 2) Azure Event Hub).
Based on their reply, I will proceed further.
I am going through documentation regarding Azure integration with QRadar.
Kind Regards
Asif Siddiqui
------------------------------
asif siddiqui
Original Message:
Sent: Wed December 11, 2019 03:35 AM
From: Chinmay Kulkarni
Subject: LogDNA integration with Qradar
What QRadar version are you using, if I may ask? If I am right, it is available since QRadar 7.3.1 or something; need to check.
You can go to add a log source and try the log source type Microsoft Azure or Microsoft Azure Platform. Then you can select Microsoft Azure Event Hubs in the protocol configuration.
If you are on or after this version and still cannot see the protocol, see if you get automatic DSM updates. If not, install it manually. Refer to manually installing RPMs.
I would like to describe Azure Event Hub a bit. It is just a place to store your account. When you have your logs configured to be in the Azure Event Hub, configure a log source with that event hub and appropriate credentials. QRadar will then pull the logs from that event hub and give them to you as events. Beware of any firewall changes you need to open communication between QRadar and the event hub (Event Hub and storage account need different TCP ports to be open). Also make sure that in this case, i.e. pulling the logs, the target event collector option in the log source configuration lists the event collector which will actually pull the logs.
Let me know if you have more questions.
------------------------------
Chinmay Kulkarni
Original Message:
Sent: Wed December 11, 2019 12:16 AM
From: asif siddiqui
Subject: LogDNA integration with Qradar
Hi Chinmay,
Thanks a lot for this valuable information. Unfortunately we do not have Splunk or any other log management system implemented in our environment. For all log sources like BigFix, Qualys, ServiceNow, I have used apps provided by IBM Exchange.
The first option seems feasible; I will check with the concerned team about Azure Event Hub. I have a little silly question here:
When I click on add a log source, why don't I see that in the protocol list in the admin tab, if QRadar supports Azure Event Hub?
Regards
Asif Siddiqui
------------------------------
asif siddiqui
Original Message:
Sent: Tue December 10, 2019 10:23 AM
From: Chinmay Kulkarni
Subject: LogDNA integration with Qradar
Hi @asif siddiqui,
Quickly looked up Azure LogDNA. It implements machine learning to analyze and predict issues with server logs. The first thing you can do is challenge them on how it will provide any value (apart from generating offences to notify themselves) and the actual use case.
But to integrate this with QRadar (by integrate, I guess you mean getting logs from this Azure service into QRadar), you can use Azure Event Hubs, which is supported by QRadar. You need to ask Azure or any team working with Azure to put the logs into an Azure Event Hub, and then you can pull the logs into your QRadar instance. Another option is, if you have a log management system like Splunk or Elastic, you can first pull into those systems via APIs and then forward to QRadar via the syslog protocol.
Let me know if this makes sense.
------------------------------
Chinmay Kulkarni
Original Message:
Sent: Fri December 06, 2019 02:15 AM
From: asif siddiqui
Subject: LogDNA integration with Qradar
Hi All,
We have received a requirement where we need to integrate "LogDNA" with QRadar, and this LogDNA resides in Azure cloud. So my question is: how do we start on this? What all would I require for this integration? I am completely new to this kind of integration; however, I have some experience integrating BigFix, Qualys, ServiceNow and a few Windows authentication servers with QRadar.
Any answer would be of great help.
Regards
Asif Siddiqui
------------------------------
asif siddiqui
------------------------------