Good morning, I'm planning to use logstash to aggregate, filter and enrich logs from different log sources like syslog (proxy, firewall and AV) but also Microsoft Windows (WEC with agent for sending logs to the LogStash). I need to know how send data to the SIEM IBM Qradar for this reason I checked the output plugins list but IBM Qradar isn't supported. Anyone have experience how to send logs from logstash to IBM Qradar without breaking IBM Qradar parser? Thank you
I think you have to use Syslog if you want to output logs to QRadar.
Anyone have experience how to send logs from logstash to IBM Qradar without breaking IBM Qradar parser?
What do you mean by breaking parser?
Of course, if you define your own format and/or information in the Syslog message, QRadar won't be able to parser much more than Syslog header and message. You have to write your own DSM in QRadar if you want to parse the event into fields.
IIRC you can also use CEF format in Syslog message in order to ease the parsing effort.
I'm just studying how to use the syslog plugin output but my doubt remains as to how to discriminate the various sources. For example, if I send the logs of different firewalls through Logstash with syslog and then through the Logstash output syslog plugin to the SIEM how do I can discriminate the various log sources to the SIEM? Thank you
Like anywhere else, you can use Syslog headers hostname field: https://tools.ietf.org/html/rfc5424#page-13
This is also known as log source identifier in QRadar.
I think you can use output-syslogs sourcehost to spoof it to the original firewall identifier: https://www.elastic.co/guide/en/logstash/current/plugins-outputs-syslog.html#plugins-outputs-syslog-sourcehost
Or you can add the information into the message part and parse it out with DSM. But the first solution is way cleaner, if it works
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.