
Generating and receiving events with QRadar

QRadar is capable of receiving and parsing events from a variety of third-party security products. The full list of supported devices is available in the documentation, and the set of supported formats and devices grows frequently.

Receiving events with QRadar

QRadar can pick up events in “auto-detected” mode from supported appliances, which lets you see events on the interface immediately. After opening the Log Activity tab, you will find the collected events nicely parsed, with the most common fields displayed: source and destination IP and port, username, event category and event name. There is also a timestamp and the Log Source type that was used to parse the event. Using Custom Properties you can extract additional information that matters to you from a field that repeats in the logs.

For the most common type, syslog events, QRadar receives events on port 514. The tcpdump command can confirm that events reach the QRadar network interface. For example:

tcpdump -s 0 -A host Device_IPAddress and port 514

Replace the IP address in the command above if other syslog devices are configured to send events to QRadar; their events should also be visible in QRadar Log Activity.

QRadar always listens on port 514 for incoming TCP/IP syslog messages, so the QRadar host processes any events sent via syslog. For UDP use port 517 instead. If you don’t see events on the user interface but tcpdump confirms that they arrive, check the Log Source type. To find a wrongly assigned Log Source, pick a specific string observed in the tcpdump output and search in QRadar using the filter “Payload contains” against that string. QRadar always makes a best-effort attempt to identify the product that sent the events; if successful, it automatically configures the correct device type for them. In some extreme cases wrongly recognized events can lead to performance degradation, but events never simply disappear in QRadar: any event received on the network interface can be found as described above.

Generating events with QRadar

Generating events with QRadar is easy. QRadar ships with a script that lets you replay any event stored in a file in syslog format: logrun.pl in the /opt/qradar/bin folder. The script has a few easy-to-understand options that let you send events to another device; you can change the destination if you have a distributed deployment, or spoof the source IP address if necessary. A great feature of this script is the ability to loop the content of the file and to set the number of events sent per second.
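To show what such a replay tool does under the hood, here is an added Python example (not QRadar's logrun.pl and not code from this page) that reads raw lines, wraps any line lacking a syslog <PRI> header into a BSD syslog frame, and sends them to a collector over UDP or TCP at a chosen rate, looping the file a given number of times. The sample events, the default hostname "replay-host" and the injectable `sender` callable are assumptions made for the example.

```python
import socket
import sys
import time
from datetime import datetime

# Constructed sample events: one already framed as syslog, two raw lines.
SAMPLE_EVENTS = [
    "<34>Oct 11 22:14:15 fw1 kernel: ACCEPT IN=eth0 SRC=10.0.0.5 DST=10.0.0.9 DPT=443",
    "sshd[1201]: Accepted password for alice from 10.0.0.7 port 52144 ssh2",
    "sshd[1202]: Failed password for root from 10.0.0.8 port 52199 ssh2",
]

def syslog_pri(facility: int, severity: int) -> int:
    """PRI = facility * 8 + severity, as defined by RFC 3164 / RFC 5424."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0-23 and severity 0-7")
    return facility * 8 + severity

def format_event(line: str, hostname: str = "replay-host",
                 facility: int = 1, severity: int = 6) -> bytes:
    """Return the line as a syslog frame; lines that already start with <PRI> pass unchanged."""
    line = line.rstrip("\r\n")
    if line.startswith("<") and ">" in line[:5] and line[1:line.index(">")].isdigit():
        return (line + "\n").encode()
    now = datetime.now()                      # BSD timestamp: day is space-padded
    stamp = f"{now:%b} {now.day:2d} {now:%H:%M:%S}"
    return f"<{syslog_pri(facility, severity)}>{stamp} {hostname} {line}\n".encode()

def replay(lines, host="127.0.0.1", port=514, eps=10, loops=1, proto="udp", sender=None):
    """Send every non-empty line `loops` times at about `eps` events/second; return the count sent.
    `sender` is an injectable callable(bytes) used for testing; by default a socket is opened."""
    sock = None
    if sender is None:
        kind = socket.SOCK_DGRAM if proto == "udp" else socket.SOCK_STREAM
        sock = socket.socket(socket.AF_INET, kind)
        if proto == "tcp":
            sock.connect((host, port))
            sender = sock.sendall
        else:
            sender = lambda data: sock.sendto(data, (host, port))
    interval = 1.0 / eps if eps > 0 else 0.0
    sent = 0
    try:
        for _ in range(loops):
            for line in lines:
                if line.strip():
                    sender(format_event(line))
                    sent += 1
                    time.sleep(interval)
    finally:
        if sock is not None:
            sock.close()
    return sent

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print(f"sent {replay(SAMPLE_EVENTS, host=target, eps=5, loops=2)} events to {target}:514/udp")
```

After running it against a collector, the tcpdump filter shown earlier should display the frames, and a “Payload contains” search for a string such as "Accepted password" locates them in Log Activity.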

A script which sends events to QRadar