In my present lab setup I have a few Windows machines and Linux machines with the OSSEC agent installed, sending logs to the OSSEC server. From the OSSEC server I am forwarding the logs via syslog output to Logstash. In Logstash I am not doing any modification; I simply forward the plain log to QRadar as received (I verified it). It has the alert level, rule and event. But in QRadar it's showing a single log source, which is the Logstash server. From Logstash I send the logs as syslog to QRadar. Ideally, in QRadar all machines which are sending logs to OSSEC should be listed in log sources, but it's not happening. What am I doing wrong here? Any help? I followed this link https://www.ibm.com/support/knowledgecenter/en/SS42VS_DSM/t_DSM_guide_OSSEC_cfg.html; instead of directly sending logs to QRadar, I placed Logstash in between.
Viewed 897 times
1 Answer
I do not see anything wrong. If you have Logstash between your devices and QRadar, then the only log source that QRadar knows about is your Logstash server; it is the only service sending data to it.
If you want to see your OSSEC devices listed as log sources in QRadar, I think that you will need to ship the logs directly to QRadar.
Edit: I do not know QRadar very well, but if it is possible to use tags or custom fields to identify a log source, maybe you can add a custom field in your Logstash pipeline, and QRadar will use this field to know that the log source is not your Logstash server but another device.

leandrojmp
- So you are suggesting I have to send the log directly from the OSSEC server so that it will list out all the devices. – iamvishnuks Dec 17 '18 at 14:56
- It depends. If you need to see those devices as log sources, you need to send it to QRadar directly; if you send it to Logstash and then to QRadar you will have the same data, but the 'log source', the service sending the data, will be listed as the Logstash server. – leandrojmp Dec 17 '18 at 17:30
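The answer's edit suggests stamping each event with the originating device so QRadar does not attribute everything to the Logstash host. A concrete way to do that, added here as an illustration and not taken from the thread's participants or from the OSSEC or QRadar documentation, is to parse the agent name out of the OSSEC alert's `Location` field and put it into the syslog header hostname of the forwarded message. This assumes three things: that QRadar keys its auto-discovered log sources on the syslog header hostname (which is how it normally derives the Log Source Identifier), that the OSSEC server emits its default syslog alert format (`Alert Level: N; Rule: NNNN - description; Location: (agent) ip->logfile; event`), and that Logstash receives it through the `syslog` input, which strips the OSSEC server's own header and leaves the alert text in `message`. The field names `ossec_agent`, `ossec_level`, `ossec_rule`, `ossec_location` and `ossec_event` are chosen for this example. The `sourcehost`, `appname` and `rfc` settings belong to the standard `logstash-output-syslog` plugin.

```logstash
# Added example pipeline (not the asker's or answerer's own config).
# Goal: forward OSSEC alerts to QRadar so that each OSSEC agent appears
# as its own log source instead of everything collapsing onto Logstash.

input {
  # OSSEC server -> Logstash over syslog (port chosen for this example).
  syslog {
    port => 5514
  }
}

filter {
  # Two patterns are tried in order (assumed OSSEC default alert format):
  #   1. agent-sourced event:   Location: (agent01) 10.0.0.5->/var/log/auth.log;
  #   2. server-local event:    Location: ossec-server->/var/log/auth.log;
  grok {
    match => {
      "message" => [
        "^(?:ossec: )?Alert Level: %{INT:ossec_level}; Rule: %{INT:ossec_rule} - %{DATA:ossec_description}; Location: \(%{DATA:ossec_agent}\) %{IPORHOST:ossec_agent_ip}->%{DATA:ossec_location}; %{GREEDYDATA:ossec_event}$",
        "^(?:ossec: )?Alert Level: %{INT:ossec_level}; Rule: %{INT:ossec_rule} - %{DATA:ossec_description}; Location: %{DATA:ossec_agent}->%{DATA:ossec_location}; %{GREEDYDATA:ossec_event}$"
      ]
    }
    # Keep the alert as received; parsed fields are only used for routing.
    tag_on_failure => ["_ossec_unparsed"]
  }

  # Fallback: if the line did not match, attribute it to the host named in
  # the OSSEC server's syslog header (set by the syslog input as 'logsource')
  # so the sprintf below never emits a literal "%{ossec_agent}".
  if ![ossec_agent] {
    mutate {
      add_field => { "ossec_agent" => "%{logsource}" }
    }
  }

  # OSSEC agent names may carry characters QRadar will not accept as a
  # hostname; keep only the safe set (assumed policy for this example).
  mutate {
    gsub => [ "ossec_agent", "[^A-Za-z0-9._-]", "_" ]
  }
}

output {
  # Re-emit as RFC 3164 syslog. 'sourcehost' becomes the header hostname
  # QRadar uses to identify the log source; 'appname' restores the 'ossec'
  # program tag the syslog input stripped, so the QRadar OSSEC DSM still
  # sees the line in the format it expects.
  syslog {
    host       => "qradar.example.internal"   # placeholder, not from the thread
    port       => 514
    protocol   => "udp"
    rfc        => "rfc3164"
    sourcehost => "%{ossec_agent}"
    appname    => "ossec"
    message    => "%{message}"
  }
}
```

After this, QRadar should auto-discover one OSSEC log source per agent name rather than one per Logstash host; events that grok cannot parse are still forwarded, tagged `_ossec_unparsed`, and attributed to the OSSEC server itself, so nothing is silently dropped. If the log sources still collapse onto one identifier, check the raw packets arriving at QRadar (for example with a capture on port 514) to confirm the header hostname really changes per event before adjusting any QRadar-side settings.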