Get events through Logstash to Qradar

christiaan.spriet · October 7, 2016, 3:04pm

Hi,

we're planning on using Logstash as a central shippier to send logs to a SIEM (qradar in this case) & Logstash.
Qradar however doesn't want to automatically parse these events as it doesn't recognize the source (it sees the logstash as the source instead of the original source).

Some possibility's to check is to use the CEF or LEEF plugin.
However, our server doesn't have internet connection nore a local ruby environment to build the gem. This seems to be required.
Can someone build the gem for the LEEF & CEF plugins?
LEEF:https://github.com/avwsolutions/logstash-codec-leef
CEF: https://www.elastic.co/guide/en/logstash/current/plugins-codecs-cef.html

If any other solutions to fix this, feel free to share!

Thanks,
Christiaan

jakommo · October 7, 2016, 3:26pm

Hi @christiaan.spriet,

looks like the CEF one is available for download on https://rubygems.org/gems/logstash-codec-cef/versions/2.1.3
The LEEF one I have to check.

/Jakob

colinsurprenant · October 12, 2016, 9:11am

Hi @christiaan.spriet

I built the LEEF codec v1.0.1 from the https://github.com/avwsolutions/logstash-codec-leef repo. You can download it here https://s3.amazonaws.com/users.elasticsearch.org/colinsurprenant/logstash-codec-leef-1.0.1.gem

Please note that this is a community contributed codec that is not maintained nor tested by Elastic. As such we cannot provide support for that plugin.

Colin

christiaan.spriet · October 13, 2016, 7:38am

Hi,

Thanks Jakob & Colin.
I managed to install both the plugings.

Kind Regards,
Christiaan

tcresponj · October 20, 2016, 6:35pm

Does the LEEF Codec fix the issue with auto parsing in Qradar?

christiaan.spriet · October 21, 2016, 12:03pm

Hi Antonio,

currently it's still not working for us.
I managed to send the messages towards Qradar, but the auto-parsing doesn't work.
I'm asking IBM the reason for this.

KR,
Christiaan

tcresponj · October 21, 2016, 3:29pm

We took the approach of stripping the logstash headers and pass the raw message to Qradar. This seemed to enable the auto-parsing. For example we were able to get SEPM logs to pass and auto parse.

We are trying to play with the headers and a syslog output instead of a udp output to Qradar.

Hope this helps.

christiaan.spriet · October 24, 2016, 6:52am

Hi Antonio,

that's the idea we wanted to try aswell.
Do you have any example configuration you could share that is working for you?

Thanks a lot!
Christiaan

tcresponj · October 24, 2016, 7:59pm

Christiaan,

You want to try something like this. Where you want to just catch and pass the message forward. The ASA though gets a little funky so you have to do a grok match and then a syslog output.

filter {
if "syslog" in [tags] {
grok {
match => {"message" => "(?.*)"}
}
}
if "%ASA-" in [message] {
grok {
match => { "message" => "%{SYSLOG5424PRI}%{CISCOTIMESTAMP} %{IP:host} : %ASA-%{GREEDYDATA}" }
add_tag => "ASA"
}
}
}

output {
if "ASA" in [tags]
{
syslog
{
host => "[destination]"
port => "514"
}
}
else
{
udp
{
host => "[destination]"
port => "514"
codec => line { format => "%{syslog}" }
}
}
}

Hope this helps.

christiaan.spriet · November 2, 2016, 12:33pm

appreciate the help.
unfortunately it's still not working for us.

Could you share an example log & your complete configuration perhaps in a private mail?

Thx

system · July 6, 2017, 4:31am