Right, I remember that was indeed tricky on ISVA running as a container.
I believe this is a limitation, as documented here -
https://www.ibm.com/support/pages/can-not-send-requestlog-using-remote-syslog-forwarder-webseal-container
You can however instruct each WebSEAL instance individually (in the config file) to send its events to a remote syslog server. You can check the link for some examples of useful log entries. (Usually audit logs are relevant for a SIEM/QRadar, although maybe the http.clf one can be useful as well.)
------------------------------
HANS VANDEWEGHE
------------------------------
Original Message:
Sent: Fri April 09, 2021 08:54 AM
From: Ntokozo Mkhonza
Subject: ISAM log forwarding to IBM Qradar
The log is grayed, yes.
We are running ISVA on GCP Kubernetes and yes, the default instance exists.

------------------------------
Ntokozo Mkhonza
Original Message:
Sent: Fri April 09, 2021 08:18 AM
From: HANS VANDEWEGHE
Subject: ISAM log forwarding to IBM Qradar
It requires a Log File, but it seems this is greyed out for you.
Is this ISVA on Docker or as an Appliance? Does the 'default' WebSEAL instance actually exist (on this appliance)?
------------------------------
HANS VANDEWEGHE
Original Message:
Sent: Fri April 09, 2021 08:06 AM
From: Ntokozo Mkhonza
Subject: ISAM log forwarding to IBM Qradar
Hi,
I managed to set up log forwarding to QRadar but it is failing on the ISAM side when I try to add WebSEAL as the source (see image below). I have selected the instance but the LMI keeps showing that screen and not saving the settings. What could be causing this?

------------------------------
Ntokozo Mkhonza
Original Message:
Sent: Wed January 22, 2020 08:50 AM
From: HANS VANDEWEGHE
Subject: ISAM log forwarding to IBM Qradar
Hi Magnus,
I believe there is a DSM (rpm) called IBM Tivoli Access Manager for e-business. Can you check if that one is installed?
If memory serves me right (and I'll try to check on a QRadar system in my lab), it should autodiscover log sources that are of the 'audit' type (generally what you're interested in from a SIEM perspective).
For request.log parsing, you'll probably need to create your custom parser. I believe the following blog post is still relevant - https://www.ibm.com/blogs/sweeden/introduction-to-qradar-log-management-for-webseal-administrators/
Hope that helps.
------------------------------
HANS VANDEWEGHE
Original Message:
Sent: Wed January 22, 2020 08:23 AM
From: Magnus
Subject: ISAM log forwarding to IBM Qradar
Hello,
We are using the ISAM Remote syslog forwarding setting (https://www.ibm.com/support/knowledgecenter/en/SSPREK_9.0.6/com.ibm.isam.doc/admin/task/tsk_rsyslog_forwarder.html) to send the WRP requestlog to IBM Qradar.
QRadar is getting our logs now, configured as a Linux OS log source; it's not optimal but works for now.
I was wondering if there is someone here with experience of how to set it up correctly on the QRadar side? The QRadar documentation only has DSM Configuration for ISAM for mobile and ISAM for ESSO, but those do not work with our current configuration.
Best regards
Magnus
------------------------------
Magnus
------------------------------