IBM QRadar

  • 1.  Log Source identifier

    Posted Mon February 24, 2020 09:01 AM
    Hello,
    First, I want to apologize if this topic was already solved somewhere (I could not find one).
    I have an issue with setting up a log source in our deployment.
    I am receiving multiline syslog messages for the log source type Cisco ISE through a syslog server. When I set up a new log source with the IP/hostname/FQDN as the log source identifier (all were set in the syslog header during testing), QRadar won't match the incoming logs with it and they are collected by the generic log source as unknown logs.
    QRadar matches the logs with the log source only when I use the IP address of the syslog server as the log source identifier. To my knowledge the IP address is the lowest-priority value to be looked for as the log source identifier, but no setting seems to force QRadar to read the information from the syslog header.

    This issue is not limited to the Cisco ISE log source type.
    The syslog header is in the right format for the supported versions.
    The problem with using the IP address of the syslog server as the log source identifier is that there is more than one server sending logs through the syslog server, and the individual servers are recognized as only one.

    Thanks for help.

    ------------------------------
    Roman Mikita
    ------------------------------


  • 2.  RE: Log Source identifier

    Posted Tue February 25, 2020 01:56 PM
    Hi Roman,

    What you need to do here is show the advanced options in the log source config and enable the "Use as a Gateway Log Source" option. This will cause the events to be routed to log sources as if they were normal syslog messages (QRadar will parse the IP or hostname from the syslog header). If unchecked/disabled, we do not use the syslog header for event routing within the QRadar event pipeline.

    Cheers
    Colin

    ------------------------------
    COLIN HAY
    ------------------------------



  • 3.  RE: Log Source identifier

    Posted Wed February 26, 2020 02:02 AM
    Hello Colin (or anybody else)

    Thanks for the fast response. Unfortunately I already have the option "Use as a Gateway Log Source" enabled.

    Tested it again: I have 3 identical log sources which differ only in the log source identifier. Two for the two hostnames of the original sources (the ones in the syslog headers, with exact match) and one with the IP address of the syslog server. All three have the option enabled, and still the one with the IP address of the syslog server is catching the logs. After I disabled the log source (again, the one with the IP address of the syslog server as identifier), the logs were caught by the generic DSM as unknown events.
    I have also tried to recreate the log sources again, but with no success.

    Can you help me check values like SyslogSourcePayload in the DB after parsing, to manually check the parsed hostname from the syslog header, or do you know another way to check the processed pipeline?

    Regards,
    Roman
    ------------------------------
    Roman Mikita
    ------------------------------



  • 4.  RE: Log Source identifier

    Posted Thu February 27, 2020 12:51 PM
    Hi Roman,

    Could you provide some sample events from each of the 3 sources? Just the first part of the payloads, so I can see the syslog header and verify that it will match the regex we use to extract the IP/hostname.

    In the upcoming 7.4.0 release you will be able to see what value QRadar determined the Log Source Identifier to be for a given event, but in the current version this value is not persisted to disk; it is just used transiently in memory to route the event to the appropriate log source.

    Cheers
    Colin

    ------------------------------
    COLIN HAY
    ------------------------------



  • 5.  RE: Log Source identifier

    Posted Fri February 28, 2020 02:49 AM
    Hi Colin,

    Yeah, of course. There are actually just two of them sending syslog to QRadar; I just created 3 log sources with different identifiers to catch them.
    The syslog header looks something like this:
    <xxx>Feb 28 08:38:04 CiseExample01.domain.xx CISE_
    <xxx>Feb 28 08:38:04 CiseExample02 CISE_

    This is how they look now. We tried to change the syslog header on the syslog server to the original IP address:
    <xxx>Feb 28 08:38:04 xx.xx.xx.xx CISE_
    but it did not work, and all logs were caught by the log source with the identifier of the syslog server, or by the generic log source (store events) when the log source with the syslog server IP address as identifier was disabled.

    Thank you for helping with this.

    Roman


    ------------------------------
    Roman Mikita
    ------------------------------



  • 6.  RE: Log Source identifier

    Posted Tue March 03, 2020 07:49 PM
    Hi Roman,

    The syslog headers are indeed valid, so we should be parsing them. What I would try here is changing the protocol type of the two log sources that use the hostnames from the syslog headers as Log Source Identifiers from UDP Multiline Syslog to regular syslog. You should be able to direct all the events to the listen port of a single "gateway" log source/protocol listener; it will handle collection and multiline recombination of the events and then inject them into the QRadar event pipeline, at which point they should be routed to the correct log source based on the syslog header -> Log Source Identifier match, regardless of protocol type, provided the log source with the multiline protocol is enabled as a gateway (it already is). I wonder if the problem was around having multiple multiline protocol listeners on the same port; that may have caused an issue. Let me know if that works.

    Cheers
    Colin

    ------------------------------
    COLIN HAY
    ------------------------------
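As an added illustration of the routing behaviour discussed in this thread (not QRadar's own code or its header regex): a small Python model in which a gateway listener extracts the host from the syslog header and otherwise falls back to the relay's transport IP, which is why all of Roman's sources collapse into the one log source keyed on the syslog server's address. The regex, the sample events, the relay IP and the log source names are constructed assumptions.

```python
import re
from typing import Dict, List, Optional

# Constructed sample payloads shaped like the headers quoted in the thread
# (PRI value, host names and IPs are placeholders, not real data).
SAMPLE_EVENTS = [
    "<182>Feb 28 08:38:04 CiseExample01.domain.xx CISE_Passed_Authentications 0000000001 1 0 ...",
    "<182>Feb 28 08:38:04 CiseExample02 CISE_Failed_Attempts 0000000002 1 0 ...",
    "<182>Feb 28 08:38:04 192.0.2.20 CISE_Administrative_and_Operational_Audit 0000000003 1 0 ...",
]
RELAY_IP = "192.0.2.10"  # assumed transport source address of the syslog relay

# Assumed log source configuration: identifier -> log source name.
LOG_SOURCES: Dict[str, str] = {
    "CiseExample01.domain.xx": "Cisco ISE - CiseExample01",
    "CiseExample02": "Cisco ISE - CiseExample02",
    RELAY_IP: "Relay catch-all",
}

# BSD/RFC 3164 style header: optional <PRI>, "MMM dd HH:MM:SS", then the host
# (hostname, FQDN or IP literal) followed by whitespace. Illustrative only.
HEADER_RE = re.compile(
    r"^(?:<\d{1,3}>)?"
    r"[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2} "
    r"(?P<host>[A-Za-z0-9][A-Za-z0-9._:-]*)\s"
)


def header_identifier(payload: str) -> Optional[str]:
    """Return the host field from the syslog header, or None if there is no valid header."""
    m = HEADER_RE.match(payload)
    return m.group("host") if m else None


def route(payload: str, relay_ip: str, log_sources: Dict[str, str], gateway: bool) -> str:
    """Name of the log source that would receive the event.

    With gateway=True the header host is tried first (exact identifier match);
    the relay's transport IP is always the last resort. No match -> generic."""
    candidates: List[str] = []
    if gateway:
        ident = header_identifier(payload)
        if ident:
            candidates.append(ident)
    candidates.append(relay_ip)
    for cand in candidates:
        if cand in log_sources:
            return log_sources[cand]
    return "generic (unknown / store events)"


def route_all(events: List[str], gateway: bool) -> List[str]:
    return [route(e, RELAY_IP, LOG_SOURCES, gateway) for e in events]
```

Removing the relay IP entry from `LOG_SOURCES` reproduces Roman's second observation: an event whose header host has no configured log source then lands in the generic bucket.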