QRadar Log Sources User Guide
Post on 02-Jan-2017
Embed Size (px)
IBM Security QRadarVersion 7.2.6
Log Sources User Guide
NoteBefore using this information and the product that it supports, read the information in Notices on page 57.
This document applies to IBM QRadar Security Intelligence Platform V7.2.5 and subsequent releases unlesssuperseded by an updated version of this document.
Copyright IBM Corporation 2007, 2015.US Government Users Restricted Rights Use, duplication or disclosure restricted by GSA ADP Schedule Contractwith IBM Corp.
About this guide . . . . . . . . . .. v
Chapter 1. Introduction to log sourcemanagement. . . . . . . . . . . .. 1Adding a log source . . . . . . . . . . .. 1
JDBC protocol configuration options . . . .. 2JDBC SiteProtector configuration options . . .. 4Sophos Enterprise Console JDBC protocolconfiguration options . . . . . . . . .. 6Juniper Networks NSM protocol configurationoptions . . . . . . . . . . . . . .. 7OPSEC/LEA protocol configuration options . .. 8SDEE protocol configuration options . . . .. 8SNMPv2 protocol configuration options . . .. 9SNMPv3 protocol configuration options . . .. 9Sourcefire Defense Center Estreamer protocolconfiguration options . . . . . . . . .. 9Log file protocol configuration options . . .. 10MQ protocol configuration options . . . .. 11Microsoft Security Event Log protocolconfiguration options . . . . . . . . .. 12Microsoft DHCP protocol configuration options 13Microsoft Exchange protocol configurationoptions . . . . . . . . . . . . . .. 14Microsoft IIS protocol configuration options .. 15SMB Tail protocol configuration options . . .. 15EMC VMware protocol configuration options .. 16Oracle Database Listener protocol configurationoptions . . . . . . . . . . . . . .. 16Cisco NSEL protocol configuration options . .. 16PCAP Syslog Combination protocol configurationoptions . . . . . . . . . . . . . .. 17Forwarded protocol configuration options . .. 17TLS syslog protocol configuration options . .. 17Juniper Security Binary Log Collector protocolconfiguration options . . . . . . . . .. 19UDP multiline syslog protocol configurationoptions . . . . . . . . . . . . . .. 19TCP multiline syslog protocol configurationoptions . . . . . . . . . . . . . .. 20
VMware vCloud Director protocol configurationoptions . . . . . . . . . . . . . .. 20IBM Tivoli Endpoint Manager SOAP protocolconfiguration options . . . . . . . . .. 21Syslog Redirect protocol overview . . . . .. 21
Adding bulk log sources . . . . . . . . .. 22Adding a log source parsing order . . . . .. 22
Chapter 2. Log source extensions . .. 25Examples of log source extensions on QRadar forum 25Patterns in log source extension documents. . .. 26Match groups. . . . . . . . . . . . .. 26
Matcher (matcher) . . . . . . . . . .. 27Multi-event modifier (event-match-multiple) .. 31Single-event modifier (event-match-single) .. 31
Extension document template . . . . . . .. 32Creating a log source extensions document . . .. 35
Building a Universal DSM . . . . . . .. 36Exporting the logs . . . . . . . . . .. 37Common regular expressions . . . . . .. 38Building regular expression patterns . . . .. 39Uploading extension documents to QRadar. .. 41Mapping unknown events . . . . . . .. 41
Parsing issues and examples. . . . . . . .. 43Parsing a CSV log format. . . . . . . .. 45
Log Source Type IDs . . . . . . . . . .. 46
Chapter 3. Log source extensionmanagement . . . . . . . . . . .. 55Adding a log source extension . . . . . . .. 55
Index . . . . . . . . . . . . . .. 61
Copyright IBM Corp. 2007, 2015 iii
iv QRadar Log Sources User Guide
About this guide
Log sources are third-party devices that send events to IBM Security QRadar forcollection, storage, parsing, and processing.
Administrators must have QRadar access and knowledge of the corporate networkand networking technologies.
To find IBM Security QRadar product documentation on the web, including alltranslated documentation, access the IBM Knowledge Center (http://www.ibm.com/support/knowledgecenter/SS42VS/welcome).
For information about how to access more technical documentation in the QRadarproducts library, see Accessing IBM Security Documentation Technical Note(www.ibm.com/support/docview.wss?rs=0&uid=swg21614644).
Contacting customer support
For information about contacting customer support, see the Support andDownload Technical Note (http://www.ibm.com/support/docview.wss?uid=swg21616144).
Statement of good security practices
IT system security involves protecting systems and information throughprevention, detection and response to improper access from within and outsideyour enterprise. Improper access can result in information being altered, destroyed,misappropriated or misused or can result in damage to or misuse of your systems,including for use in attacks on others. No IT system or product should beconsidered completely secure and no single product, service or security measurecan be completely effective in preventing improper use or access. IBM systems,products and services are designed to be part of a lawful comprehensive securityapproach, which will necessarily involve additional operational procedures, andmay require other systems, products or services to be most effective. IBM DOESNOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES AREIMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THEMALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.
Use of this Program may implicate various laws or regulations. including thoserelated to privacy, data protection, employment, and electronic communicationsand storage. IBM Security QRadar may be used only for lawful purposes and in alawful manner. Customer agrees to use this Program pursuant to, and assumes allresponsibility for complying with, applicable laws, regulations and policies.Licensee represents that it will obtain or has obtained any consents, permissions, orlicenses required to enable its lawful use of IBM Security QRadar.
Copyright IBM Corp. 2007, 2015 v
vi QRadar Log Sources User Guide
Chapter 1. Introduction to log source management
You can configure IBM Security QRadar to accept event logs from log sources thatare on your network. A log source is a data source that creates an event log.
For example, a firewall or intrusion protection system (IPS) logs security-basedevents, and switches or routers logs network-based events.
To receive raw events from log sources, QRadar supports many protocols. Passiveprotocols listen for events on specific ports. Active protocols use APIs or othercommunication methods to connect to external systems that poll and retrieveevents.
Depending on your license limits, QRadar can read and interpret events from morethan 300 log sources.
To configure a log source for QRadar, you must do the following tasks:1. Download and install a device support module (DSM) that supports the log
source. A DSM is software application that contains the event patterns that arerequired to identify and parse events from the original format of the event logto the format that QRadar can use. For more information about DSMs and thesupported log sources, see the DSM Configuration Guide.
2. If automatic discovery is supported for the DSM, wait for QRadar toautomatically add the log source to your list of configured log sources.
3. If automatic discover is not supported for the DSM, manually create the logsource configuration.
Adding a log sourceIf a log source is not automatically discovered, you can manually add a log sourceto receive events from your network devices or appliances.
About this task
The following table describes the common log source parameters for all log sourcetypes:
Table 1. Log source parameters
Log Source Identifier The IPv4 address or host name thatidentifies the log source.
If your network contains multiple devicesthat are attached to a single managementconsole, specify the IP address of theindividual device that created the event. Aunique identifier for each, such as an IPaddress, prevents event searches fromidentifying the management console as thesource for all of the events.
Copyright IBM Corp. 2007, 2015 1
Table 1. Log source parameters (continued)
Enabled When this option is not enabled, the logsource does not collect events and the logsource is not counted in the license limit.
Credibility Credibility is a representation of theintegrity or validity of events that arecreated by a log source. The credibility valuethat is assigned to a log source can increaseor decrease based on incoming events oradjusted as a response to user-created eventrules. The credibility of events from logsources contributes to the calculation of theoffense magnitude and can increase ordecrease the magnitude value of an offense.
Target Event Collector Specifies the QRadar Event Collector thatpolls the remote log source.
Use this parameter in a distributeddeployment to improve Console systemperformance by moving the polling task toan Event Collector.
Coalescing Events Increases the event count when the sameevent occurs multiple times within a shorttime interval. Coalesced events provide away to view and determine the frequencywith which