Exporting Cloud Pak for Data audit records to QRadar

You can export your Cloud Pak for Data audit records to QRadar.

Before you begin

Best practice: You can run many of the commands in this task exactly as written if you set up environment variables for your installation. For instructions, see Setting up installation environment variables.

Ensure that you source the environment variables before you run the commands in this task.

About this task

To export your audit records to QRadar, complete the following tasks:

  1. Add Cloud Pak for Data as a log source in QRadar.
  2. Configure Cloud Pak for Data to send events to QRadar.

    Choose the appropriate option for your environment: edit the existing zen-audit-config configmap, or create a custom configmap.

Add Cloud Pak for Data as a log source in QRadar

In the QRadar client:

  1. Go to Admin > Log Sources.
  2. Click Add.
  3. Specify a name and description for the log source.
  4. Under Type, select ICP CADF Format, if available. If it's not available, select a generic log type.
  5. Change Protocol Configuration to one of the following options:
    • If TLS is enabled, select TLS Syslog.
    • If TLS is not enabled, select Syslog.
  6. Provide a unique identifier and ensure it is enabled.
  7. Provide an event collector.
  8. Optional: Select an Extension.
  9. Click Save.
  10. From the Admin menu, click Deploy Changes.

Edit the zen-audit-config configmap

You can edit the existing zen-audit-config configmap to connect to your QRadar environment.

From the Cloud Pak for Data cluster:

  1. Change to the project where Cloud Pak for Data is installed:
    oc project ${PROJECT_CPD_INSTANCE}
  2. Make a backup of the current zen-audit-config configmap.
  3. Edit the zen-audit-config config map:
    oc edit configmap zen-audit-config
  4. Update the configmap:
    1. Add the <store> configuration to the configmap.
      Tip: The zen-audit-config configmap includes a sample QRadar configuration, which is commented out by default.

      The <store> configuration must be inside the <match export export.** records records.** syslog syslog.**> block and after the @type copy directive.

      Ensure that the entry is indented correctly.

    2. Replace the following variables with the appropriate values for your environment:
      <QRADAR-HOST>
      Replace <QRADAR-HOST> with the address of the QRadar host.
      <QRADAR-PORT>
      Replace <QRADAR-PORT> with the port on the QRadar server. The default port is 514.
      <CPD-HOSTNAME>
      Replace <CPD-HOSTNAME> with the hostname of the Cloud Pak for Data server.
    3. If you want to use TLS to connect to QRadar, replace <XXXXXXXXX> with the body of the QRadar TLS certificate (the base64 lines between the BEGIN CERTIFICATE and END CERTIFICATE markers, which are already in the configmap). Every line of the body must carry the same indentation as the ca.pem block, or the YAML block scalar is invalid.

    The contents of the configmap depend on whether you want to use TLS:

    Configmap for connecting to QRadar using TLS (recommended)
    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: zen-audit-config
    data:
      ca.pem: |
        -----BEGIN CERTIFICATE-----
        <XXXXXXXXX>
        -----END CERTIFICATE-----
      fluent.conf: |-
        <match export export.** records records.** syslog syslog.**>
          @type copy
          <store>
            @type remote_syslog
            host <QRADAR-HOST>       # Replace <QRADAR-HOST> with the address of the QRadar host
            port <QRADAR-PORT>       # Replace <QRADAR-PORT>. The default port is 514
            hostname <CPD-HOSTNAME>  # Replace <CPD-HOSTNAME> with the Cloud Pak for Data hostname
            protocol tcp
            tls true                                 # Required to use TLS
            ca_file /fluentd/config/ca.pem           # Required to use TLS
            <format>
              @type json
            </format>
            <buffer>
              flush_thread_count 2
              flush_interval 10s
              chunk_limit_size 2M
              queue_limit_length 32
              retry_max_interval 30
              retry_forever true
            </buffer>
          </store>
        </match>

    Configmap for connecting to QRadar without TLS
    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: zen-audit-config
    data:
      fluent.conf: |-
        <match export export.** records records.** syslog syslog.**>
          @type copy
          <store>
            @type remote_syslog
            host <QRADAR-HOST>       # Replace <QRADAR-HOST> with the address of the QRadar host
            port <QRADAR-PORT>       # Replace <QRADAR-PORT>. The default port is 514
            hostname <CPD-HOSTNAME>  # Replace <CPD-HOSTNAME> with the Cloud Pak for Data hostname
            protocol tcp
            <format>
              @type json
            </format>
            <buffer>
              flush_thread_count 2
              flush_interval 10s
              chunk_limit_size 2M
              queue_limit_length 32
              retry_max_interval 30
              retry_forever true
            </buffer>
          </store>
        </match>

  5. Save the changes to the zen-audit-config configmap. For example, if you are using vi, press Esc and enter :wq.
  6. Delete all zen-audit pods to force a restart to pick up changes:
    1. Get the list of zen-audit pods:
      oc get pods | grep zen-audit
    2. Delete the zen-audit pods.
      Tip: If there are multiple zen-audit pods, delete each pod individually to avoid a forced restart.
      oc delete pods zen-audit-xxxxxx-xxx

      Replace zen-audit-xxxxxx-xxx with the ID returned by the oc get pods command.
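A way to check the edited fluent.conf before the zen-audit pods are restarted, as an added example that is not part of the original documentation: the script below applies the placement rules stated above (a remote_syslog <store> inside the export <match> block and after @type copy, tls true paired with a ca_file, and no <QRADAR-HOST>-style placeholders left behind) to a fluent.conf file. The sample configuration embedded in it is constructed for the demonstration; the oc get command in the comment assumes the configmap name and data key shown on this page.

```shell
#!/bin/sh
# check_fluent_conf [FILE]
# Verifies the structural rules from the zen-audit-config instructions:
#  - a <store> with "@type remote_syslog" sits inside "<match export ...>" and after "@type copy"
#  - "tls true" is paired with a ca_file
#  - no <QRADAR-HOST>/<QRADAR-PORT>/<CPD-HOSTNAME> placeholders remain
# Prints OK and returns 0, or prints the first failing rule and returns 1.
# Reads FILE, or stdin when FILE is omitted.
check_fluent_conf() {
  awk '
    /^[ \t]*<match export /            { in_match = 1; copy_seen = 0; next }
    in_match && /^[ \t]*<\/match>/     { in_match = 0; next }
    in_match && /^[ \t]*@type copy/    { copy_seen = 1; next }
    in_match && /^[ \t]*<store>/       { in_store = 1; after_copy = copy_seen; next }
    in_store && /^[ \t]*<\/store>/     { in_store = 0; next }
    in_store && /^[ \t]*@type remote_syslog/ { remote = 1; remote_ok = after_copy }
    in_store && /^[ \t]*tls[ \t]+true/        { tls = 1 }
    in_store && /^[ \t]*ca_file[ \t]+/        { ca = 1 }
    in_store && /^[ \t]*(host|port|hostname)[ \t]+</ { placeholder = 1 }
    END {
      if (!remote)     { print "FAIL: no remote_syslog <store> inside the export <match> block"; exit 1 }
      if (!remote_ok)  { print "FAIL: the <store> must come after @type copy"; exit 1 }
      if (tls && !ca)  { print "FAIL: tls true requires ca_file"; exit 1 }
      if (placeholder) { print "FAIL: placeholder values still present"; exit 1 }
      print "OK"
    }' ${1:+"$1"}
}

# Constructed sample that mirrors the TLS template on this page with example values filled in.
sample_conf() {
  cat <<'EOF'
<match export export.** records records.** syslog syslog.**>
  @type copy
  <store>
    @type remote_syslog
    host qradar.example.internal
    port 6514
    hostname cpd.example.internal
    protocol tcp
    tls true
    ca_file /fluentd/config/ca.pem
    <format>
      @type json
    </format>
    <buffer>
      flush_interval 10s
    </buffer>
  </store>
</match>
EOF
}

# On a live cluster (the backslash escapes the dot in the data key):
#   oc get configmap zen-audit-config -o jsonpath='{.data.fluent\.conf}' > fluent.conf
#   check_fluent_conf fluent.conf
sample_conf | check_fluent_conf
```

Run the check against the extracted fluent.conf after every edit; a misplaced <store> or a leftover placeholder is otherwise only discovered when no events arrive in QRadar after the pods restart.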

Create a custom configmap

You can create a custom configmap to connect to your QRadar environment.

From the Cloud Pak for Data cluster:

  1. Change to the project where Cloud Pak for Data is installed:
    oc project ${PROJECT_CPD_INSTANCE}
  2. Set the following environment variables. Use underscores in the variable names: the shell does not accept hyphens in variable names, and ${QRADAR-HOST} would be parsed as a default-value expansion of a variable named QRADAR rather than as the QRadar host.
    1. Set CONFIGMAP_NAME to the name that you want to use for the custom configmap:
      export CONFIGMAP_NAME=<configmap-name>
    2. If you want to use TLS, set TLS_CERT to the body of the QRadar TLS certificate (the base64 lines between the BEGIN CERTIFICATE and END CERTIFICATE markers, which are already in the manifest). If the body spans several lines, every line must carry the same indentation as the ca.pem block in the manifest; otherwise the YAML block scalar is invalid.
      export TLS_CERT=<certificate>
    3. Set QRADAR_HOST to the address of the QRadar server:
      export QRADAR_HOST=<hostname>
    4. Set QRADAR_PORT to the port on the QRadar server. The default port is 514.
      export QRADAR_PORT=<port>
    5. Set CPD_HOSTNAME to the hostname of the Cloud Pak for Data server:
      export CPD_HOSTNAME=<hostname>
  3. Create the configmap:
    Configmap for connecting to QRadar using TLS (recommended)
    cat <<EOF | oc apply -f -
    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: ${CONFIGMAP_NAME}
      namespace: ${PROJECT_CPD_INSTANCE}
    data:
      ca.pem: |
        -----BEGIN CERTIFICATE-----
        ${TLS_CERT}
        -----END CERTIFICATE-----
      fluent.conf: |-
        <match export export.** records records.** syslog syslog.**>
          @type copy
          <store>
            @type remote_syslog
            host ${QRADAR_HOST}
            port ${QRADAR_PORT}
            hostname ${CPD_HOSTNAME}
            protocol tcp
            tls true                                 # Required to use TLS
            ca_file /fluentd/config/ca.pem           # Required to use TLS; specify the cert in the ca.pem section
            <format>
              @type json
            </format>
            <buffer>
              flush_thread_count 2
              flush_interval 10s
              chunk_limit_size 2M
              queue_limit_length 32
              retry_max_interval 30
              retry_forever true
            </buffer>
          </store>
        </match>
    EOF

    Configmap for connecting to QRadar without TLS
    cat <<EOF | oc apply -f -
    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: ${CONFIGMAP_NAME}
      namespace: ${PROJECT_CPD_INSTANCE}
    data:
      fluent.conf: |-
        <match export export.** records records.** syslog syslog.**>
          @type copy
          <store>
            @type remote_syslog
            host ${QRADAR_HOST}
            port ${QRADAR_PORT}
            hostname ${CPD_HOSTNAME}
            protocol tcp
            <format>
              @type json
            </format>
            <buffer>
              flush_thread_count 2
              flush_interval 10s
              chunk_limit_size 2M
              queue_limit_length 32
              retry_max_interval 30
              retry_forever true
            </buffer>
          </store>
        </match>
    EOF

  4. Patch the zenService custom resource to specify the custom configmap. The configmap name is a JSON string, so it must be enclosed in double quotes inside the patch:
    oc patch zenService lite-cr \
    -n ${PROJECT_CPD_INSTANCE} \
    --type='json' \
    --patch '[{"op": "replace", "path": "/spec/zen_audit_config_custom", "value": "'"${CONFIGMAP_NAME}"'"}]'
  5. Delete all zen-audit pods to force a restart to pick up changes:
    1. Get the list of zen-audit pods:
      oc get pods | grep zen-audit
    2. Delete the zen-audit pods.
      Tip: If there are multiple zen-audit pods, delete each pod individually to avoid a forced restart.
      oc delete pods zen-audit-xxxxxx-xxx

      Replace zen-audit-xxxxxx-xxx with the ID returned by the oc get pods command.
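The manifest in step 3 is easy to get wrong in two places: shell variable names with hyphens are not expanded the way the template expects, and a multi-line certificate pasted into ${TLS_CERT} loses the indentation that the ca.pem block scalar needs. The script below is an added example, not code from the original documentation: it renders the same ConfigMap from positional arguments, validates the inputs, and indents every line of a PEM file uniformly under ca.pem, so the output can be piped straight to oc apply. The function name, the demo values and the certificate used in the test are constructed for this example; the fluentd directives are the ones from the template above.

```shell
#!/bin/sh
# render_qradar_configmap NAME NAMESPACE QRADAR_HOST QRADAR_PORT CPD_HOSTNAME [CA_FILE]
# Prints the ConfigMap manifest for the custom QRadar export configuration on stdout.
# When CA_FILE (a PEM file) is given, the TLS variant is rendered and every line of the
# PEM file is indented under "ca.pem: |", which keeps multi-line certificates valid YAML.
# Pipe the output to: oc apply -f -
render_qradar_configmap() {
  name=$1; ns=$2; qhost=$3; qport=$4; cpdhost=$5; ca=${6:-}
  [ -n "$name" ] && [ -n "$ns" ] && [ -n "$qhost" ] && [ -n "$cpdhost" ] || {
    echo "render_qradar_configmap: name, namespace, QRadar host and CPD hostname are required" >&2
    return 1
  }
  case $qport in
    ''|*[!0-9]*) echo "render_qradar_configmap: port must be numeric, got '$qport'" >&2; return 1 ;;
  esac
  if [ -n "$ca" ] && ! grep -q 'BEGIN CERTIFICATE' "$ca" 2>/dev/null; then
    echo "render_qradar_configmap: $ca is not a readable PEM certificate" >&2
    return 1
  fi

  printf 'apiVersion: v1\nkind: ConfigMap\nmetadata:\n  name: %s\n  namespace: %s\ndata:\n' "$name" "$ns"
  if [ -n "$ca" ]; then
    printf '  ca.pem: |\n'
    sed 's/^/    /' "$ca"      # indent the BEGIN/END markers and every base64 line uniformly
  fi
  printf '  fluent.conf: |-\n'
  # Values are expanded in this heredoc; the directives are copied from the page's template.
  cat <<EOF
    <match export export.** records records.** syslog syslog.**>
      @type copy
      <store>
        @type remote_syslog
        host $qhost
        port $qport
        hostname $cpdhost
        protocol tcp
EOF
  if [ -n "$ca" ]; then
    printf '        tls true\n        ca_file /fluentd/config/ca.pem\n'
  fi
  cat <<'EOF'
        <format>
          @type json
        </format>
        <buffer>
          flush_thread_count 2
          flush_interval 10s
          chunk_limit_size 2M
          queue_limit_length 32
          retry_max_interval 30
          retry_forever true
        </buffer>
      </store>
    </match>
EOF
}

# Demo with constructed values (no TLS). On a real cluster, append "| oc apply -f -" and
# pass the path of the QRadar CA certificate as the sixth argument to get the TLS variant.
render_qradar_configmap demo-qradar-config "${PROJECT_CPD_INSTANCE:-cpd-instance}" \
  qradar.example.internal 514 cpd.example.internal
```

Because the PEM file is read from disk and indented by sed, the certificate never has to be placed in an environment variable, and the TLS-only lines (tls true, ca_file) are emitted only when a certificate is supplied, so the two variants on this page cannot be mixed by accident.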

Results

After the changes are applied, new audit events from Cloud Pak for Data are sent to QRadar.