IBM Security QRadar

  • 1.  Cisco Identity Service Engine Log Source Integration

    Posted Fri April 05, 2024 03:11 AM

    Hi,

    I have configured the custom DSM for the Cisco Identity Service Engine and added the log source using port 517.

    When I use port 517 as suggested in the QRadar link below, the logs are not received, but when I use port 514 in Cisco ISE the logs are received as unknown.

    https://www.ibm.com/docs/hu/qradar-on-cloud?topic=cisco-identity-services-engine

    UDP multiline syslog protocol configuration options

    Please anyone help to resolve the issue.

    QRadar Version: 7.5.0 UP6

    I am not sure why QRadar decommissioned many DSMs which have earlier versions. I think the older QRadar version is better than the latest.

    Thanks



    ------------------------------
    Arunkumar R
    ------------------------------


  • 2.  RE: Cisco Identity Service Engine Log Source Integration

    Posted Mon April 08, 2024 02:38 AM

    Hi!
    Did you configure iptables firewall for port 517?

    vi /opt/qradar/conf/iptables.pre

    #multiline Syslog
    -A INPUT -p udp --dport 517 -j ACCEPT

    Best Regards
    Roman



    ------------------------------
    Roman Russland
    ------------------------------



  • 3.  RE: Cisco Identity Service Engine Log Source Integration

    Posted Mon April 08, 2024 03:08 AM

    Hello Arunkumar,

    Please follow this Technote for troubleshooting: https://www.ibm.com/support/pages/node/6326057

    From experience, there might be another log source on the same event collecting host which is using the same port (517). This causes a port conflict and Traffic Analysis can get confused.

    If you already have another log source type using port 517, just change the log source config to use a free port on the same event collector, e.g. 518/519/520 etc.

    When you manually create the Cisco ISE log source, it should automatically create an Iptables rule to accept traffic.

    The pre-routing rule method is only needed if it's not easy to configure the Cisco ISE device to send to port 517. What the rule does is listen for traffic from a certain source IP on port 514 and forward it to port 517. Ref doc: https://www.ibm.com/docs/en/dsm?topic=sol-configuring-iptables-udp-multiline-syslog-events

    Hope this is helpful, good luck!

    -C-



    ------------------------------
    Carl Mohn
    IBM
    Dublin
    ------------------------------
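    As an added example (not code from the thread, from IBM or from QRadar itself), a small Python check modelling the port-conflict situation Carl describes: it flags two log sources on the same event collector that share a UDP port, picks the next free port starting at 518 as suggested above, and emits the INPUT rule in the form Roman shows for iptables.pre. The log source records and their field names (name, collector, protocol, port) are constructed here and are not QRadar's API schema.

    ```python
    """Detect UDP listen-port conflicts between log sources on one event collector.

    Added illustration for the thread above; the records below are constructed and
    the field names are assumptions, not QRadar's real log source schema.
    """
    from collections import defaultdict

    # Constructed sample: two UDP multiline log sources on collector ec01 both use 517.
    LOG_SOURCES = [
        {"name": "Cisco ISE", "collector": "ec01", "protocol": "UDP Multiline Syslog", "port": 517},
        {"name": "Legacy NAC", "collector": "ec01", "protocol": "UDP Multiline Syslog", "port": 517},
        {"name": "Firewall", "collector": "ec01", "protocol": "Syslog", "port": 514},
        {"name": "Cisco ISE DC2", "collector": "ec02", "protocol": "UDP Multiline Syslog", "port": 517},
    ]


    def find_port_conflicts(sources):
        """Return {(collector, port): [names]} for each collector/port pair used by more than one source."""
        by_key = defaultdict(list)
        for src in sources:
            by_key[(src["collector"], src["port"])].append(src["name"])
        return {key: names for key, names in by_key.items() if len(names) > 1}


    def next_free_port(sources, collector, start=518, end=65535):
        """First port >= start not used by any log source on that collector (thread suggests 518/519/520)."""
        used = {src["port"] for src in sources if src["collector"] == collector}
        for port in range(start, end + 1):
            if port not in used:
                return port
        raise ValueError(f"no free UDP port on {collector}")


    def iptables_accept_rule(port):
        """INPUT rule in the form the thread shows for /opt/qradar/conf/iptables.pre."""
        return f"-A INPUT -p udp --dport {port} -j ACCEPT"


    if __name__ == "__main__":
        for (collector, port), names in find_port_conflicts(LOG_SOURCES).items():
            free = next_free_port(LOG_SOURCES, collector)
            print(f"{collector}: UDP/{port} shared by {names}; move one to {free}")
            print(f"  then allow it: {iptables_accept_rule(free)}")
    ```
    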



  • 4.  RE: Cisco Identity Service Engine Log Source Integration

    Posted Wed April 10, 2024 03:01 AM

    Hi Carl,

    Thank you..!

    It works, I have changed the port number.

    @Roman - Thanks for sharing the information, it will be helpful in some other cases.



    ------------------------------
    Arunkumar R
    ------------------------------