IBM QRadar

  • 1.  Disconnected Log Collector forwarding weird symbols

    Posted Wed March 01, 2023 04:05 AM
    Edited by Michal Pavliš Wed March 01, 2023 04:12 AM

    Hello,

    Recently I installed DLC natively on CentOS 7 and connected it to QRadar. Upon inspection of the raw events I noticed that the data is kind of scrambled. Is anyone familiar with this?

    I noticed two errors when starting/restarting the service. Not sure if this has something to do with it, since events do get forwarded, so DLC seems to be working. The installation completed successfully without errors.

    First error:

    [root@ibmdlc template]# systemctl status dlc
    ● dlc.service - Disconnected log collector
       Loaded: loaded (/usr/lib/systemd/system/dlc.service; enabled; vendor preset: disabled)
       Active: active (running) since Tue 2023-02-28 14:02:46 CET; 19h ago
      Process: 2532 ExecStartPre=/opt/ibm/si/services/dlc/current/systemd/bin/generate_environment.sh ${SERVICENAME} ${SERVICEPATH} (code=exited, status=0/SUCCESS)
     Main PID: 2571 (java)
        Tasks: 101
       Memory: 694.2M
       CGroup: /system.slice/dlc.service
               └─2571 /opt/ibm/java-x86_64-80/bin/java -Dapplication.name=dlc -Dapp_id=dlc -Djava.library.path= -Dapplication.baseURL=file:///opt/ibm/s...

    Feb 28 14:02:46 ibmdlc systemd[1]: Stopped Disconnected log collector.
    Feb 28 14:02:46 ibmdlc systemd[1]: Unit dlc.service entered failed state.
    Feb 28 14:02:46 ibmdlc systemd[1]: dlc.service failed.
    Feb 28 14:02:46 ibmdlc systemd[1]: Starting Disconnected log collector...
    Feb 28 14:02:46 ibmdlc systemd[1]: Started Disconnected log collector.
    Feb 28 14:02:46 ibmdlc DLC[2571]: stdSplitFreeListSplitAmount=   1     <-----this here 

    Second error, from /var/log/dlc/dlc.error:

    2023-02-28 14:00:19,137 [DLC Sec Event Forward Thread] com.ibm.si.frameworks.nio.network.UDPProcessor s4.dummy.sk:32500: [ERROR] [NOT:0000003000][172.17.0.1/- -] [-/- -][ERROR_EVENT_SEND:58003] Send error. Cannot Send Event to  s4.dummy.sk:32500.
    java.io.IOException: Invalid argument
            at sun.nio.ch.DatagramDispatcher.write0(Native Method) ~[?:1.8.0]
            at sun.nio.ch.DatagramDispatcher.write(DatagramDispatcher.java:63) ~[?:1.8.0]
            at sun.nio.ch.IOUtil.writeFromNativeBuffer(IOUtil.java:105) ~[?:1.8.0]
            at sun.nio.ch.IOUtil.write(IOUtil.java:63) ~[?:1.8.0]
            at sun.nio.ch.DatagramChannelImpl.write(DatagramChannelImpl.java:628) ~[?:1.8.0]
            at com.ibm.si.frameworks.nio.network.UDPProcessor.run(UDPProcessor.java:86) [q1labs_core_frameworks.jar:?]
            at java.lang.Thread.run(Thread.java:825) [?:2.9 (09-29-2022)]

    As I mentioned, events do get forwarded in spite of the errors.

    Java version: ibm-java-x86_64-sdk-8.0-7.20.bin

    DLC version: 1.7.3

    /opt/ibm/si/services/dlc/conf/config.json file:

    {
        "Destination": {
            "destination.type": "UDP",
            "destination.ip": "10.99.3.9",
            "destination.port": "32500"
        },
        "TLS": {
            "tls.keystorefilepath": "\/opt\/ibm\/si\/services\/dlc\/keystore\/dlc-client.pfx",
            "tls.keystorepassword": "<encrypted password>",
            "tls.keystoreexpirywindow": "14"
        },
        "EPS": 5000,
        "DLCMetricsEventsEnabled": "false",
        "TOPIC": ""
    }

    Also, as a side question, I would like to know whether it is possible for events to be forwarded in LEEF format.

    Any help would be greatly appreciated. Thank you.



    ------------------------------
    Michal Pavliš
    ------------------------------



  • 2.  RE: Disconnected Log Collector forwarding weird symbols

    Posted Fri March 03, 2023 12:43 PM

    I responded to a user on Reddit in this thread about this issue: https://www.reddit.com/r/QRadar/comments/11fzqd0/disconnected_log_collector_scrambling_data/ 

    Can you confirm that you are sending the events to a QRadar DLC log source? 



    ------------------------------
    Jonathan Pechta
    QRadar Support Content Lead
    Support forums: ibm.biz/qradarforums
    jonathan.pechta1@ibm.com
    ------------------------------