IBM Security QRadar

Hello,

We have a requirement of dumping logs to a mid-server from an application (as we don't want to expose QRadar to internet) which will be setup in dmz, from that mid-server we have to forward logs to QRadar. So, my queries are:

1 - if i setup a Linux mid-server, how can i forward logs from a particular file to QRadar.

2 - if i setup a windows mid-server and install wincollect agent, is it possible to forward logs from a particular file to QRadar? If yes how can i do that?

1 - if a Linux mid-server is used you can: A) pull the logs from the file using the Log File protocol (e.g. through SFTP etc.) or B) configure rsyslog to read from the file and send via syslog to your QRadar.

2 - if a Windows mid-server is used you can: A) pull the logs from the file using SMBtail protocol or B) use WinCollect File Forwarder to poll the data from the Windows host (and forward to your QRadar). Assuming you are using WinCollect 10 (stand-alone) you should be able to find the necessary info in the WinCollect 10 guide.

Hello,

We have a requirement of dumping logs to a mid-server from an application (as we don't want to expose QRadar to internet) which will be setup in dmz, from that mid-server we have to forward logs to QRadar. So, my queries are:

1 - if i setup a Linux mid-server, how can i forward logs from a particular file to QRadar.

2 - if i setup a windows mid-server and install wincollect agent, is it possible to forward logs from a particular file to QRadar? If yes how can i do that?

Hi! 

I'm trying to get application logs from a Windows server using smbtail. I was able to set up smbtail so far that I can ingest data from log files. But the content is close to useless. I'm getting empty lines - in the log files there's an empty line between events. But that's not that worse, I'd just take and drop those. But int the other events the payload is messed up. In between every symbol/character there's a whitespace added. What's up with that? I couldn't find anything helpful so far.
I.e.: 

 0 4 - 0 3 - 2 0 2 3   0 8 : 3 3 : 2 5   G e t t i n g   t h e   L D A P   n a m e   o f   c a n o n i c a l   n a m e :  'd o m a i n . d e /  a n d  s o  o n

Do you have any advice for me?
Thanks very much!
BR
Roman

1 - if a Linux mid-server is used you can: A) pull the logs from the file using the Log File protocol (e.g. through SFTP etc.) or B) configure rsyslog to read from the file and send via syslog to your QRadar.

2 - if a Windows mid-server is used you can: A) pull the logs from the file using SMBtail protocol or B) use WinCollect File Forwarder to poll the data from the Windows host (and forward to your QRadar). Assuming you are using WinCollect 10 (stand-alone) you should be able to find the necessary info in the WinCollect 10 guide.

Hello,

We have a requirement of dumping logs to a mid-server from an application (as we don't want to expose QRadar to internet) which will be setup in dmz, from that mid-server we have to forward logs to QRadar. So, my queries are:

1 - if i setup a Linux mid-server, how can i forward logs from a particular file to QRadar.

2 - if i setup a windows mid-server and install wincollect agent, is it possible to forward logs from a particular file to QRadar? If yes how can i do that?

Sounds like the file encoding on the output is UTF16 and you need to convert it to UTF8 or ASCII. I saw a discussion a while back on a similar issue here, but you'll need to confirm what is going on with the log: https://social.technet.microsoft.com/Forums/en-US/61fecf57-376c-433d-ae3f-5857dcaeefb9/weird-powershell-behavior-with-logging-using-gtgt-spaces-between-characters-in-logs?forum=winserverpowershell 

Hi! 

I'm trying to get application logs from a Windows server using smbtail. I was able to set up smbtail so far that I can ingest data from log files. But the content is close to useless. I'm getting empty lines - in the log files there's an empty line between events. But that's not that worse, I'd just take and drop those. But int the other events the payload is messed up. In between every symbol/character there's a whitespace added. What's up with that? I couldn't find anything helpful so far.
I.e.: 

 0 4 - 0 3 - 2 0 2 3   0 8 : 3 3 : 2 5   G e t t i n g   t h e   L D A P   n a m e   o f   c a n o n i c a l   n a m e :  'd o m a i n . d e /  a n d  s o  o n

Do you have any advice for me?
Thanks very much!
BR
Roman

1 - if a Linux mid-server is used you can: A) pull the logs from the file using the Log File protocol (e.g. through SFTP etc.) or B) configure rsyslog to read from the file and send via syslog to your QRadar.

2 - if a Windows mid-server is used you can: A) pull the logs from the file using SMBtail protocol or B) use WinCollect File Forwarder to poll the data from the Windows host (and forward to your QRadar). Assuming you are using WinCollect 10 (stand-alone) you should be able to find the necessary info in the WinCollect 10 guide.

Hello,

We have a requirement of dumping logs to a mid-server from an application (as we don't want to expose QRadar to internet) which will be setup in dmz, from that mid-server we have to forward logs to QRadar. So, my queries are:

1 - if i setup a Linux mid-server, how can i forward logs from a particular file to QRadar.

2 - if i setup a windows mid-server and install wincollect agent, is it possible to forward logs from a particular file to QRadar? If yes how can i do that?

Hi!
Thanks for the reply!!
So probably it doesn't help to simply set the log source to to UTF-16?
Well, I tried and it didn't help.
Then I downloaded the file, opened it in Notepad++, removed the mentioned empty lines and had it's encoding changed to UTF-8. Set the log source to UTF-8, as well. This test worked fine and shows that the working principle of smbtail is ok.

This bring's me back to the question - how do I have to handle the original application log files.There's no way for me to change its logging settings.

Thank you!
BR
Roman

Sounds like the file encoding on the output is UTF16 and you need to convert it to UTF8 or ASCII. I saw a discussion a while back on a similar issue here, but you'll need to confirm what is going on with the log: https://social.technet.microsoft.com/Forums/en-US/61fecf57-376c-433d-ae3f-5857dcaeefb9/weird-powershell-behavior-with-logging-using-gtgt-spaces-between-characters-in-logs?forum=winserverpowershell 

Hi! 

I'm trying to get application logs from a Windows server using smbtail. I was able to set up smbtail so far that I can ingest data from log files. But the content is close to useless. I'm getting empty lines - in the log files there's an empty line between events. But that's not that worse, I'd just take and drop those. But int the other events the payload is messed up. In between every symbol/character there's a whitespace added. What's up with that? I couldn't find anything helpful so far.
I.e.: 

 0 4 - 0 3 - 2 0 2 3   0 8 : 3 3 : 2 5   G e t t i n g   t h e   L D A P   n a m e   o f   c a n o n i c a l   n a m e :  'd o m a i n . d e /  a n d  s o  o n

Do you have any advice for me?
Thanks very much!
BR
Roman

1 - if a Linux mid-server is used you can: A) pull the logs from the file using the Log File protocol (e.g. through SFTP etc.) or B) configure rsyslog to read from the file and send via syslog to your QRadar.

2 - if a Windows mid-server is used you can: A) pull the logs from the file using SMBtail protocol or B) use WinCollect File Forwarder to poll the data from the Windows host (and forward to your QRadar). Assuming you are using WinCollect 10 (stand-alone) you should be able to find the necessary info in the WinCollect 10 guide.

Hello,

We have a requirement of dumping logs to a mid-server from an application (as we don't want to expose QRadar to internet) which will be setup in dmz, from that mid-server we have to forward logs to QRadar. So, my queries are:

1 - if i setup a Linux mid-server, how can i forward logs from a particular file to QRadar.

2 - if i setup a windows mid-server and install wincollect agent, is it possible to forward logs from a particular file to QRadar? If yes how can i do that?