IBM QRadar


Receiving Cloudflare logs

  • 1.  Receiving Cloudflare logs

    Posted Sat July 16, 2022 10:04 AM
    Hi! I need help integrating Cloudflare Logs with QRadar using the HTTP Receiver protocol. All configuration on the Cloudflare side is done, and testing was successful. When I try to start the Logpush job, the curl command returns: {"errors":[{"code":1002,"message":"error validating destination: error writing object: Post \"https://name.domain.com:2443\": context deadline exceeded"}],"messages":[],"result":null,"success":false}. It seems to be an error with the certificate. The target Event Collector is an Event Processor. But the certificate Cloudflare receives is from my Event Processor, to which the connection is forwarded from an external IP, and of course it is internal. All possible documentation has been read, but it's really not clear where to look for an answer.

    ------------------------------
    Serhii Barabash
    ------------------------------


  • 2.  RE: Receiving Cloudflare logs

    Posted Sun July 17, 2022 06:02 AM
    Hello @Serhii Barabash,

    If this is related to the certificate side, try to do this :

    openssl s_client -showcerts -host name.domain.com -port 2443

    You will get the right certificate to handle on your side :)

    Hope this helps,
    Regards,
    @zoldax
    ------------------------------
    @zoldax

    https://www.youracclaim.com/users/pascal-weber.029e134d/badges
    ------------------------------



  • 3.  RE: Receiving Cloudflare logs

    Posted Sun July 17, 2022 09:16 AM
    Edited by Serhii Barabash Sun July 17, 2022 09:21 AM

    Not quite like that:
    I configured name.domain.name:2443, which is routed from a real IP to the internal IP address of the Event Processor. But when I execute curl with the parameters as written in the documentation (Configure Cloudflare to send events to IBM QRadar when you use the HTTP Receiver protocol - IBM Documentation), I receive an error, because the EP has a self-signed certificate on port 2443:

    | SSL-CERT: Subject: commonName=*/organizationName=SyslogTLS_Server
    | Issuer: commonName=*/organizationName=SyslogTLS_Server
    | Public Key type: rsa
    | Public Key bits: 2048
    | Signature Algorithm: sha512WithRSAEncryption
    | Not valid before: 2019-12-07T19:46:51
    | Not valid after:  2029-12-04T19:46:51
    | MD5:   570b b7dc f4d9 2130 c543 6701 fa8c 212b
    |_SHA-1: c4e1 6e38 33c0 d89e eedd b067 b6f2 08b7 d5a3 25df

    and the documentation gives no way to assign a certificate signed by an external CA. The documentation says nothing about Cloudflare checking the certificate when the curl command for the Logpush job is executed. So I need a certificate for name.domain.name, or a wildcard, signed by an external CA. But how can I configure this? That is the problem.



    ------------------------------
    Serhii Barabash
    ------------------------------



  • 4.  RE: Receiving Cloudflare logs

    Posted Sun July 17, 2022 03:57 PM
    Hello @Serhii Barabash,

    OK, your openssl query indicates that port 2443 uses the SyslogTLS_Server certs from your QRadar default truststore keys.
    So it seems to be linked to that.

    It's like when you use a Linux client sending TLS syslog to QRadar on the TLS port. You have to configure on the Linux side the CA file and the cert file (for example DefaultNetstreamDriverCAFile /etc/rsyslog-keys/linuxtlsca.pem and DefaultNetstreamDriverCertFile /etc/rsyslog-keys/serveurqradar-cert.pem on a Red Hat distribution) to communicate correctly with your QRadar on TLS port 6514.

    So on your case :
    1. When sending a request to an HTTPS URL, curl verifies the SSL certificate of the target URL against the local CA certificate store. For expired and self-signed certificates, curl returns a "certificate verify failed" error message.
    To bypass certificate checking, pass the -k or --insecure command-line switch to curl.

    2. If you want to use the certificate and CA

    for the client cert (short and long form of the same option):
    curl -E certfile.crt ...
    curl --cert certfile.crt ...

    for the CA:
    curl --cacert mycompany.cert ...



    So I guess, when you send Cloudflare HTTP events to QRadar and start the Logpush job that you created, you have to type the command with these flags (for example, for insecure):
    curl -k -s https://api.cloudflare.com/client/v4/zones/<zone_id>/logpush/jobs -X POST \
      -d '{ "name": "<name>", "logpull_options": "fields=ClientRequestMethod,EdgeResponseStatus,ClientIP,ClientSrcPort,EdgeStartTimestamp&timestamps=rfc3339", "destination_conf": "<QRadar_URL:LogSource_Port>", "max_upload_bytes": 5000000, "max_upload_records": 1000, "dataset": "http_requests", "enabled": true}' \
      -H "X-Auth-Email: <X-Auth-Email>" -H "X-Auth-Key: <X-Auth-Key>"

    Hope this helps,
    Regards,
    @zoldax



    ------------------------------
    @zoldax

    https://www.youracclaim.com/users/pascal-weber.029e134d/badges
    ------------------------------



  • 5.  RE: Receiving Cloudflare logs

    Posted Mon July 18, 2022 05:24 AM

    No, it is not the openssl query that indicates that port 2443 uses the SyslogTLS_Server certs from the QRadar default truststore keys.

    It indicates the process of creating the Logpush job on the Cloudflare side. When the Logpush job is created, at creation time it can't validate the cert from the parameter "destination_conf": "<QRadar_URL:LogSource_Port>". And I really don't understand how I can use a cert for this log source from the QRadar side in this situation.



    ------------------------------
    Serhii Barabash
    ------------------------------
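The two posts above disagree about who performs the certificate check: curl on the operator's machine (post 4) or Cloudflare's validator when the Logpush job is created (post 5). The script below is an added example, not code from the thread, IBM or Cloudflare. It approximates what a verifying client such as Cloudflare does against the value of destination_conf, so the rejection can be seen and explained before the API call is made. It assumes OpenSSL 1.1.1 or later on the machine running it; name.domain.com:2443 is the placeholder host from the thread.

```shell
#!/bin/sh
# Added example, not from the thread, IBM or Cloudflare: approximate the
# validation a verifying client (Cloudflare Logpush, curl without -k) applies
# to the "destination_conf" endpoint.  Assumes OpenSSL 1.1.1+ for the
# -verify_hostname option of s_client.

# parse_destination URL -> prints "host port" (port defaults to 443)
parse_destination() {
    rest=${1#https://}
    rest=${rest#http://}
    hostport=${rest%%/*}
    case $hostport in
        *:*) printf '%s %s\n' "${hostport%%:*}" "${hostport##*:}" ;;
        *)   printf '%s %s\n' "$hostport" 443 ;;
    esac
}

# preflight_destination URL [CA_BUNDLE]
# Exit 0 only when a verifying client would accept the endpoint: the TCP
# connect and TLS handshake complete, the chain verifies (against CA_BUNDLE,
# or the system store when omitted) and the certificate matches the hostname.
# Anything else is what Cloudflare rejects and what curl -k would hide.
preflight_destination() {
    hp=$(parse_destination "$1"); host=${hp% *}; port=${hp#* }
    caopt=""
    if [ -n "${2:-}" ]; then caopt="-CAfile $2"; fi
    rc=0
    out=$(openssl s_client -connect "$host:$port" -servername "$host" \
            -verify_hostname "$host" $caopt </dev/null 2>&1) || rc=$?

    verify=$(printf '%s\n' "$out" | grep 'Verify return code' | head -n 1) || true
    if [ -z "$verify" ]; then
        # no handshake at all: refused, filtered or timing out, not a cert problem
        echo "FAIL connect/handshake to $host:$port (openssl rc=$rc):"
        printf '%s\n' "$out" | grep -i -e 'connect:' -e 'error' | head -n 3
        return 1
    fi

    # show what the remote side actually presented (subject, issuer, validity)
    printf '%s\n' "$out" | openssl x509 -noout -subject -issuer -dates 2>/dev/null || true
    echo "$verify"
    case $verify in
        *"(ok)"*)
            echo "PASS $host:$port would be accepted by a verifying client"
            return 0 ;;
        *)
            echo "FAIL a verifying client (Cloudflare, curl without -k) rejects $host:$port"
            return 1 ;;
    esac
}

# usage: sh preflight.sh https://name.domain.com:2443 [ca-bundle.pem]
if [ $# -gt 0 ]; then preflight_destination "$@"; fi
```

Run it from a host outside the firewall, since Cloudflare connects from the internet, not from the QRadar LAN. A "Verify return code" other than 0 (self-signed, untrusted issuer, hostname mismatch) is the certificate case discussed in this thread. A missing "Verify return code" line means no handshake happened at all; note that the string quoted in the first post, "context deadline exceeded", is a Go timeout error, so it is worth ruling out a connect or NAT problem with this check before assuming the certificate is at fault. If the port may be filtered, wrap the openssl call in `timeout 10` so the script does not hang.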



  • 6.  RE: Receiving Cloudflare logs

    Posted Sun July 17, 2022 09:51 AM
    Not quite like that:

    ------------------------------
    Serhii Barabash
    ------------------------------



  • 7.  RE: Receiving Cloudflare logs

    Posted Tue July 19, 2022 10:12 AM
    Edited by Frank Eargle Tue July 19, 2022 10:13 AM
    I just worked a long case with support on this. I included the link to this discussion in that ticket. Below is information from support, some of which is above, but not all...

    The purpose of the case was to get the HTTP Receiver log source to use a signed cert.
    Currently the HTTP Receiver setup in the UI doesn't allow you to change the cert it uses.
    Currently the HTTP Receiver uses the "generated cert"; this cert is created when the Console or Managed Host is built.
    The cert is located under /opt/qradar/conf/trusted_certificates/
    The two cert/key files are syslog-tls.cert and syslog-tls.key

    To use a signed cert means replacing the current syslog-tls.cert and syslog-tls.key; these also need to be loaded into the keystore

    /opt/qradar/conf/syslog-tls.keystore
    this can be done using the script
    /opt/qradar/bin/syslog-tls-import.sh

    Two things need to be considered prior to making these changes to the syslog-tls.cert:
    1) are there any TLS syslog log sources using the "generated cert"
    2) are there any managed WinCollect agents set up to use the Console or Managed Host as a Managed Console

    If you have managed WinCollect agents using the Console as a Managed Console, the certificate they use will need to be replaced on them, and this will NOT be done automatically.
    So this needs to be considered when changing the cert to a signed cert.

    ------------------------------
    Frank Eargle
    ------------------------------
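The procedure from support above replaces the generated syslog-tls.cert and syslog-tls.key and re-imports them into the keystore, which also affects every TLS syslog log source and managed WinCollect agent on that host. Because that swap is hard to undo, the script below is an added example (not from the thread or IBM) that checks a replacement certificate/key pair before it is copied into place: that the key belongs to the certificate, that the chain verifies against a CA bundle, that the SAN covers the hostname used in destination_conf, and that the certificate is not expired. It assumes OpenSSL 1.1.1 or later and an unencrypted PEM private key; file names and the hostname are arguments, not fixed QRadar paths.

```shell
#!/bin/sh
# Added example, not from the thread or from IBM: sanity-check a CA-signed
# certificate/key pair before it replaces the generated syslog-tls.cert and
# syslog-tls.key on a QRadar host.  Assumes OpenSSL 1.1.1+ (for x509 -ext)
# and an unencrypted PEM private key.

# check_replacement_cert CERT.pem KEY.pem CA_BUNDLE.pem DESTINATION_HOSTNAME
# Exit 0 when every check passes, 1 otherwise.  Prints one line per check.
check_replacement_cert() {
    cert=$1; key=$2; cafile=$3; host=$4; fail=0

    # 1. the key must belong to the certificate: compare SHA-256 of the DER
    #    public key taken from both sides (works for RSA and EC keys alike)
    certpub=$(openssl x509 -in "$cert" -noout -pubkey \
              | openssl pkey -pubin -outform DER | openssl dgst -sha256) || certpub="cert?"
    keypub=$(openssl pkey -in "$key" -pubout -outform DER | openssl dgst -sha256) || keypub="key?"
    if [ "$certpub" = "$keypub" ]; then
        echo "ok   private key matches certificate"
    else
        echo "FAIL private key does not match certificate"; fail=1
    fi

    # 2. the chain must verify against the bundle a remote validator trusts;
    #    the self-signed SyslogTLS_Server cert from the thread fails this step
    if openssl verify -CAfile "$cafile" "$cert" >/dev/null 2>&1; then
        echo "ok   chain verifies against $cafile"
    else
        echo "FAIL chain does not verify against $cafile"; fail=1
    fi

    # 3. the name used in destination_conf must be in the SAN, either exactly
    #    or via a one-label wildcard (*.domain.com covers name.domain.com)
    san=$(openssl x509 -in "$cert" -noout -ext subjectAltName 2>/dev/null) || san=""
    wild="*.${host#*.}"
    if printf '%s\n' "$san" | tr ',' '\n' \
         | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
         | grep -qxF -e "DNS:$host" -e "DNS:$wild"; then
        echo "ok   SAN covers $host"
    else
        echo "FAIL SAN does not cover $host (have: $(printf '%s' "$san" | tail -n 1))"; fail=1
    fi

    # 4. validity window: expired is a failure, under 30 days left is a warning
    if openssl x509 -in "$cert" -noout -checkend 0 >/dev/null; then
        if ! openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null; then
            echo "WARN certificate expires within 30 days"
        fi
    else
        echo "FAIL certificate has expired"; fail=1
    fi

    return $fail
}

# usage: sh check-cert.sh new.cert new.key ca-bundle.pem name.domain.com
if [ $# -eq 4 ]; then check_replacement_cert "$@"; fi
```

Only once all four checks pass is it worth doing the swap support described: inventory the TLS syslog log sources and managed WinCollect agents that rely on the generated cert, back up the current files under /opt/qradar/conf/trusted_certificates/, replace syslog-tls.cert and syslog-tls.key, and run /opt/qradar/bin/syslog-tls-import.sh to load them into /opt/qradar/conf/syslog-tls.keystore. Pass the full chain (leaf plus intermediates) as the certificate file if the issuing CA uses intermediates, otherwise remote validators that only trust the root will still reject the endpoint.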



  • 8.  RE: Receiving Cloudflare logs

    Posted Tue July 19, 2022 06:04 PM
    Hello @Serhii Barabash, @Frank Eargle, 

    As indicated by @Frank Eargle, it would be great to be able to change the certificate the HTTP Receiver uses in the UI setup.

    The problem seems to be related to the self-signed TLS certificate.

    Looking at the Cloudflare documentation, if you want to enable Logpush to Splunk for example, they set the value of Insecure_skip_verify to true when using a self-signed certificate (like your case).

    <INSECURE_SKIP_VERIFY>: Boolean value. Cloudflare recommends setting this value to false. Setting this value to true is equivalent to using the -k option with curl as shown in examples and is not recommended. Only set this value to true when HEC uses a self-signed certificate (Enable Logpush to Splunk · Cloudflare Logs docs)

    Looking at the Cloudflare doc Enable HTTP destination · Cloudflare Logs docs, I don't see this kind of parameter.

    So if I were you, I would ask both QRadar support and Cloudflare whether you can use this kind of parameter when you start the Logpush job you created by typing the curl command to send Cloudflare HTTP events to QRadar.

    Hope this helps,
    Regards,
    @zoldax

    ------------------------------
    @zoldax

    https://www.youracclaim.com/users/pascal-weber.029e134d/badges
    ------------------------------



  • 9.  RE: Receiving Cloudflare logs

    Posted Fri July 22, 2022 01:07 AM
    Thank you very much, guys! As a temporary solution I will try using <INSECURE_SKIP_VERIFY>. But what about changes in the HTTP Receiver to allow using a TLS cert for the needed port on the collector side? Is that possible?

    ------------------------------
    Serhii Barabash
    ------------------------------



  • 10.  RE: Receiving Cloudflare logs

    Posted Thu July 28, 2022 02:37 PM
    Hello @Serhii Barabash,

    Glad to have helped.

    I don't understand what you mean by the question. For me, if you listen on the collector with TLS, you have to match the certificates as indicated in my first point.

    Regards,
    zoldax


    ------------------------------
    @zoldax

    https://www.youracclaim.com/users/pascal-weber.029e134d/badges
    ------------------------------