List of Contributions

Mario Sebastiani

My Content

Posted By Mario Sebastiani Thu July 08, 2021 02:29 AM
Found In Egroup: IBM Security QRadar
Hello Akash, you can deploy both components (DLC or EC) in a virtual infrastructure based on VMware. The main difference is that the EC is a QRadar appliance and is a host managed by the Console, and you need a license for it, while the DLC is a software component that is installed in a Linux VM ...
Posted By Mario Sebastiani Wed June 02, 2021 01:10 AM
Found In Egroup: IBM Security QRadar
Hello Konstantin, you can use the free network interfaces to collect data as explained in the Network interface management chapter of the documentation. Please note that "TCP-based data sources must be in the same subnet as the data collection interface", no additional routing is allowed. Best ...
Posted By Mario Sebastiani Thu April 08, 2021 02:18 AM
Found In Egroup: IBM Security QRadar
Hello Davin, I tried and I was successful. Of course it depends on the environment, on the file content, its format and so on. What are you trying to accomplish? Best regards, Mario ------------------------------ Mario Sebastiani ------------------------------
Posted By Mario Sebastiani Tue February 23, 2021 04:29 AM
Found In Egroup: IBM Security QRadar
Hello Benjamin, I understand your wish to know as much as possible about the QRadar. Most of the topics are covered by our official documentation https://www.ibm.com/support/knowledgecenter/en/SS42VS_7.4/com.ibm.qradar.doc/qradar_IC_welcome.html integrated by technote https://www.ib ...
Posted By Mario Sebastiani Tue February 23, 2021 12:55 AM
Found In Egroup: IBM Security QRadar
Hello Benjamin and all. Thanks @COLIN HAY for integrating and explaining the point. Sometimes my poor English leads me to be too succinct and less precise than necessary. @benlinux again, you don't need to install any RPMs on the EP or on any other managed host unless you are explicitly requested ...
Posted By Mario Sebastiani Fri February 19, 2021 01:19 AM
Found In Egroup: IBM Security QRadar
Hello Benjamin, you DON'T need to install the DSM RPM on other managed hosts but the Console. Your investigation should point out: are the logs arriving at the EP? (tcpdump is a good tool to investigate it) are they parsed? (you should see events not parsed in the SIM Generic Log logsource ...
Posted By Mario Sebastiani Wed January 13, 2021 02:34 AM
Found In Egroup: IBM Security QRadar
Hello Benjamin, yes, QRadar should be able to create the logsource for that Linux server because the DSM for OSSEC 2.6 and later is able to auto-discover, i.e. it is able to recognize the source type after some events have been collected and analyzed and to create the right logsource. Sometimes it doesn't ...
Posted By Mario Sebastiani Tue January 12, 2021 01:07 AM
Found In Egroup: IBM Security QRadar
Hello Benjamin, from https://www.ibm.com/support/knowledgecenter/SS42VS_DSM/com.ibm.dsm.doc/c_DSM_guide_OSSEC_intro.html#c_dsm_guide_ossec_intro --- The OSSEC DSM for IBM® QRadar® accepts events that are forwarded from OSSEC installations by using syslog. OSSEC is an open source Host-based ...
Posted By Mario Sebastiani Tue December 22, 2020 02:00 AM
Found In Egroup: IBM Security QRadar
Hello Benjamin, I guess you are talking about virtual machines. Otherwise, if you are talking about physical QRadar appliances, you shouldn't worry about this topic since you must have two identical appliances to create an HA cluster. If you are talking about VMs, you should consider that the needed ...
Posted By Mario Sebastiani Mon December 14, 2020 01:17 AM
Found In Egroup: IBM Security QRadar
Hello Benjamin, as well as the minimum requirements you should consider this from the architectural perspective. What is your need? What is the goal you are trying to reach? Which QRadar component do you want to protect with HA? For example, if you are thinking of the Console, then all the ...
Posted By Mario Sebastiani Mon August 31, 2020 01:03 AM
Found In Egroup: IBM Security QRadar
Please take a look at https://www.ibm.com/support/pages/qradar-auto-update-proxy-issues-500-ssl-negotiation-failed-updated It should be useful. Best regards, ------------------------------ Mario Sebastiani ------------------------------
Posted By Mario Sebastiani Mon August 03, 2020 12:45 AM
Found In Egroup: IBM Security QRadar
Did you already try to restart hostcontext on the Console? ------------------------------ Mario Sebastiani ------------------------------
Posted By Mario Sebastiani Mon May 18, 2020 12:18 PM
Found In Egroup: IBM Security QRadar
Hello Liam, is SIEM01 the hostname of your QRadar server? If so, it means that something on your QRadar server is trying to connect to that host with wrong credentials. In a standard configuration, the only component that can try this operation is the logsource: so I'd suggest verifying the logsource ...
Posted By Mario Sebastiani Mon May 18, 2020 09:46 AM
Found In Egroup: IBM Security QRadar
Hello Liam, did you double-check all your Windows logsources? From what I can imagine, you could have one (or more) Windows MSRPC logsources with invalid credentials and, when they try to connect to the Windows server, they lock the user. Regards, Mario ------------------------------ Mario Sebastiani ...