Get events through Logstash to Qradar

Hi,

we're planning on using Logstash as a central shipper to send logs to a SIEM (QRadar in this case) & Logstash.
QRadar however doesn't want to automatically parse these events as it doesn't recognize the source (it sees Logstash as the source instead of the original source).

Some possibilities to check are the CEF or LEEF plugins.
However, our server doesn't have an internet connection nor a local Ruby environment to build the gem. This seems to be required.
Can someone build the gem for the LEEF & CEF plugins?
LEEF: https://github.com/avwsolutions/logstash-codec-leef
CEF: https://www.elastic.co/guide/en/logstash/current/plugins-codecs-cef.html

If any other solutions to fix this, feel free to share!

Thanks,
Christiaan

Hi @christiaan.spriet,

looks like the CEF one is available for download on https://rubygems.org/gems/logstash-codec-cef/versions/2.1.3
The LEEF one I have to check.

/Jakob

Hi @christiaan.spriet

I built the LEEF codec v1.0.1 from the https://github.com/avwsolutions/logstash-codec-leef repo. You can download it here https://s3.amazonaws.com/users.elasticsearch.org/colinsurprenant/logstash-codec-leef-1.0.1.gem

Please note that this is a community contributed codec that is not maintained nor tested by Elastic. As such we cannot provide support for that plugin.

Colin

Hi,

Thanks Jakob & Colin.
I managed to install both the plugins.

Kind Regards,
Christiaan

Does the LEEF codec fix the issue with auto parsing in QRadar?

Hi Antonio,

currently it's still not working for us.
I managed to send the messages towards QRadar, but the auto-parsing doesn't work.
I'm asking IBM the reason for this.

KR,
Christiaan

We took the approach of stripping the Logstash headers and passing the raw message to QRadar. This seemed to enable the auto-parsing. For example we were able to get SEPM logs to pass and auto parse.

We are trying to play with the headers and a syslog output instead of a UDP output to QRadar.

Hope this helps.

Hi Antonio,

that's the idea we wanted to try as well.
Do you have any example configuration you could share that is working for you?

Thanks a lot!
Christiaan

Christiaan,

You want to try something like this, where you just catch the message and pass it forward. The ASA though gets a little funky, so you have to do a grok match and then a syslog output.

```logstash
filter {
  if "syslog" in [tags] {
    # Capture the whole raw line into [syslog] so the output can forward it untouched
    # (the named capture was lost in the forum rendering; it must be (?<syslog>.*)).
    grok {
      match => { "message" => "(?<syslog>.*)" }
    }
  }
  if "%ASA-" in [message] {
    grok {
      match => { "message" => "%{SYSLOG5424PRI}%{CISCOTIMESTAMP} %{IP:host} : %ASA-%{GREEDYDATA}" }
      add_tag => "ASA"
    }
  }
}

output {
  if "ASA" in [tags] {
    syslog {
      host => "[destination]"
      port => "514"
    }
  } else {
    udp {
      host => "[destination]"
      port => "514"
      codec => line { format => "%{syslog}" }
    }
  }
}
```

Hope this helps.
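Building on the approach of stripping the Logstash headers described above, here is an added example pipeline (it is not from this thread or any of its posters) that keeps the original source host in the syslog header so QRadar can map the event to the real log source; the listening port, the field names and the QRadar host name are assumptions.

```logstash
# Added example (not from this thread): forward the original syslog line to QRadar
# with the Logstash envelope stripped and the original source host preserved.
# Assumed: devices send RFC 3164 syslog to Logstash on UDP 1514;
# "qradar.example.internal" is a placeholder for the QRadar event collector.
input {
  udp {
    port  => 1514
    codec => plain        # keep the raw line in [message]; do not parse it here
    tags  => ["syslog"]
  }
}

filter {
  if "syslog" in [tags] {
    # Pull the original host and body out of the raw line so the syslog output
    # can rebuild the header with the real source instead of the Logstash host.
    grok {
      match => { "message" => "<%{POSINT:syslog_pri}>%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:logsource} %{GREEDYDATA:syslog_message}" }
    }
  }
}

output {
  if "syslog" in [tags] and "_grokparsefailure" not in [tags] {
    syslog {
      host       => "qradar.example.internal"
      port       => 514
      protocol   => "udp"
      rfc        => "rfc3164"
      sourcehost => "%{logsource}"        # original host, so QRadar maps the log source
      message    => "%{syslog_message}"   # original body, so the DSM can auto-detect it
    }
  } else {
    # Lines grok could not parse: relay the raw line untouched rather than
    # wrapping it in Logstash's own envelope.
    udp {
      host  => "qradar.example.internal"
      port  => 514
      codec => line { format => "%{message}" }
    }
  }
}
```

The syslog output rebuilds the PRI from its own facility and severity settings, so set those to match the source if QRadar's parser for that device depends on them.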

Appreciate the help.
unfortunately it's still not working for us.

Could you share an example log & your complete configuration perhaps in a private mail?

Thx