IBM QRadar

  • 1.  Ossec agent and QRadar - Linux System

    Posted Fri January 08, 2021 11:48 AM
    Hello Experts,

    I want to use the OSSEC agent to forward logs from a Linux system to QRadar. I saw in the DSM guide that I will configure the OSSEC agent on the Linux system by pointing it at the IP address of my QRadar within the ossec.conf file.

    I have used the OSSEC agent to forward logs to other SIEMs like AlienVault and Wazuh; however, on these SIEM solutions you have to extract the registration key and tie it to the OSSEC agent on the Linux system using the command below.

    "/var/ossec/bin/manage_agents -a <agent_IP> -n <agent_name>" where <agent_IP> is the IP of the Linux system and <agent_name> is the agent name assigned

    I checked QRadar and saw the log source type "OSSEC", but from the CLI I can't seem to locate the OSSEC directory.

    Does it mean I will just configure ossec.conf on the Linux system, and QRadar does the registration?

    I will really appreciate the response.

    Thank You experts.

    ------------------------------
    benjamin Nworah
    ------------------------------


  • 2.  RE: Ossec agent and QRadar - Linux System

    Posted Mon January 11, 2021 06:12 AM
    Hello QRadar experts,

    Can you assist with the above?

    I need to hear from you.

    Thank You.

    ------------------------------
    benjamin Nworah
    ------------------------------



  • 3.  RE: Ossec agent and QRadar - Linux System

    Posted Tue January 12, 2021 01:07 AM
    Hello Benjamin,

    From https://www.ibm.com/support/knowledgecenter/SS42VS_DSM/com.ibm.dsm.doc/c_DSM_guide_OSSEC_intro.html#c_dsm_guide_ossec_intro

    ---

    The OSSEC DSM for IBM® QRadar® accepts events that are forwarded from OSSEC installations by using syslog.

    OSSEC is an open source Host-based Intrusion Detection System (HIDS) that can provide intrusion events to QRadar. If you have OSSEC agents that are installed, you must configure syslog on the OSSEC management server. If you have local or stand-alone installations of OSSEC, then you must configure syslog on each stand-alone OSSEC to forward syslog events to QRadar.
    ---

    So, yes, you have to configure the syslog target (= your QRadar IP) on the OSSEC side, and QRadar should be able to automatically discover that log source. If not (for any reason), you can configure it manually (https://www.ibm.com/support/knowledgecenter/SS42VS_DSM/com.ibm.dsm.doc/c_dsm_OSSEC_add_logsource.html).

    Hope this helps.
    Best regards,

    Mario



    ------------------------------
    Mario Sebastiani
    ------------------------------
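    What the syslog target Mario describes looks like in ossec.conf, as an added example that is not from this thread or from IBM's DSM guide. It goes on the OSSEC manager when agents report to it, or on each stand-alone OSSEC host, per the quoted DSM text; 192.0.2.10 is a placeholder for the QRadar IP, and the default format is assumed to be what the OSSEC DSM expects.

    ```xml
    <!-- Added example: OSSEC syslog output towards QRadar (not from the thread).
         Put this inside the existing ossec.conf on the OSSEC manager (or on each
         stand-alone OSSEC install). 192.0.2.10 is a placeholder for the QRadar IP. -->
    <ossec_config>
      <syslog_output>
        <!-- QRadar event collector that will auto-discover the OSSEC log source -->
        <server>192.0.2.10</server>
        <!-- Standard syslog port; QRadar listens here by default -->
        <port>514</port>
        <!-- Plain OSSEC alert format (assumed to be what the OSSEC DSM parses) -->
        <format>default</format>
        <!-- Optional: only forward alerts at or above this OSSEC level -->
        <level>5</level>
      </syslog_output>
    </ossec_config>
    ```

    Alerts leave as unauthenticated UDP syslog, so keep the path to QRadar on a management network and confirm the sender's IP is the one QRadar records for the discovered source. The output stays inactive until you run `/var/ossec/bin/ossec-control enable client-syslog` and restart OSSEC; once a few alerts have arrived, QRadar's log source list should show the OSSEC source, or you can add it manually as Mario links.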



  • 4.  RE: Ossec agent and QRadar - Linux System

    Posted Wed January 13, 2021 12:21 AM
    Hello Mario,

    Thank you for this piece of information.

    So QRadar will automatically discover the Linux machines after configuring the ossec.conf file with the QRadar IP address?

    Regards

    ------------------------------
    benjamin Nworah
    ------------------------------



  • 5.  RE: Ossec agent and QRadar - Linux System

    Posted Wed January 13, 2021 02:34 AM

    Hello Benjamin,

    Yes, QRadar should be able to create the log source for that Linux server because the DSM for OSSEC 2.6 and later is able to auto-discover, i.e. it is able to recognize the source type after some events have been collected and analyzed, and to create the right log source. Sometimes it doesn't occur due to a specific environment issue, and then you can manually create the log source. This is the default behavior unless the auto-discovery function was disabled.

    https://www.ibm.com/support/knowledgecenter/SS42VS_DSM/com.ibm.dsm.doc/r_supported_dsm_list.html

    Hope this helps.

    Best regards,
    Mario



    ------------------------------
    Mario Sebastiani
    ------------------------------