Exporting Cloud Pak for Data audit records to QRadar
Before you begin
Ensure that you source the environment variables before you run the commands in this task.
About this task
To export your audit records to QRadar, complete the following tasks:
- Add Cloud Pak for Data as a log source in QRadar.
- Configure Cloud Pak for Data to send events to QRadar.
Choose the appropriate option for your environment: either edit the existing zen-audit-config configmap, or create a custom configmap and point the zenService custom resource at it.
Add Cloud Pak for Data as a log source in QRadar
In the QRadar client:
- Go to .
- Click Add.
- Specify a name and description for the log source.
- Under Type, select ICP CADF Format, if available. If it's not available, select a generic log type.
- Change Protocol Configuration to one of the following options:
- If TLS is enabled, select TLS Syslog.
- If TLS is not enabled, select Syslog.
- Provide a unique identifier and ensure it is enabled.
- Provide an event collector.
- Optional: Select an Extension.
- Click Save.
- From the Admin menu, click Deploy Changes.
Edit the zen-audit-config configmap
You can edit the existing zen-audit-config configmap to connect to your QRadar environment.
From the Cloud Pak for Data cluster:
- Change to the project where Cloud Pak for Data is installed:
oc project ${PROJECT_CPD_INSTANCE}
- Make a backup of the current zen-audit-config configmap.
- Edit the zen-audit-config configmap:
oc edit configmap zen-audit-config
- Update the configmap:
- Add the <store> configuration to the configmap.
Tip: The zen-audit-config configmap includes a sample QRadar configuration, which is commented out by default.
The <store> configuration must be inside the <match export export.** records records.** syslog syslog.**> tag and after the @type copy tag. Ensure that the entry is indented correctly.
- Replace the following variables with the appropriate values for your environment:
- <QRADAR-HOST>: Replace <QRADAR-HOST> with the address of the QRadar host.
- <QRADAR-PORT>: Replace <QRADAR-PORT> with the port on the QRadar server. The default port is 514.
- <CPD-HOSTNAME>: Replace <CPD-HOSTNAME> with the hostname of the Cloud Pak for Data server.
- If you want to use TLS to connect to QRadar, replace <XXXXXXXXX> with the contents of the QRadar TLS certificate.
The contents of the configmap depend on whether you want to use TLS:
Configmap for connecting to QRadar using TLS (recommended)
apiVersion: v1
kind: ConfigMap
metadata:
  name: zen-audit-config
data:
  ca.pem: |
    -----BEGIN CERTIFICATE-----
    <XXXXXXXXX>
    -----END CERTIFICATE-----
  fluent.conf: |-
    <match export export.** records records.** syslog syslog.**>
      @type copy
      <store>
        @type remote_syslog
        host <QRADAR-HOST>                # Replace <QRADAR-HOST> with the address of the QRadar host
        port <QRADAR-PORT>                # Replace <QRADAR-PORT>. The default port is 514
        hostname <CPD-HOSTNAME>           # Replace <CPD-HOSTNAME> with the Cloud Pak for Data hostname
        protocol tcp
        tls true                          # Required to use TLS
        ca_file /fluentd/config/ca.pem    # Required to use TLS
        <format>
          @type json
        </format>
        <buffer>
          flush_thread_count 2
          flush_interval 10s
          chunk_limit_size 2M
          queue_limit_length 32
          retry_max_interval 30
          retry_forever true
        </buffer>
      </store>
    </match>
Configmap for connecting to QRadar without TLS
apiVersion: v1
kind: ConfigMap
metadata:
  name: zen-audit-config
data:
  fluent.conf: |-
    <match export export.** records records.** syslog syslog.**>
      @type copy
      <store>
        @type remote_syslog
        host <QRADAR-HOST>                # Replace <QRADAR-HOST> with the address of the QRadar host
        port <QRADAR-PORT>                # Replace <QRADAR-PORT>. The default port is 514
        hostname <CPD-HOSTNAME>           # Replace <CPD-HOSTNAME> with the Cloud Pak for Data hostname
        protocol tcp
        <format>
          @type json
        </format>
        <buffer>
          flush_thread_count 2
          flush_interval 10s
          chunk_limit_size 2M
          queue_limit_length 32
          retry_max_interval 30
          retry_forever true
        </buffer>
      </store>
    </match>
- Save the changes to the zen-audit-config configmap. For example, if you are using vi, press Esc and enter :wq.
- Delete all zen-audit pods to force a restart to pick up the changes:
- Get the list of zen-audit pods:
oc get pods | grep zen-audit
- Delete the zen-audit pods.
Tip: If there are multiple zen-audit pods, delete each pod individually to avoid a forced restart.
oc delete pods zen-audit-xxxxxx-xxx
Replace zen-audit-xxxxxx-xxx with the ID returned by the oc get pods command.
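Before the zen-audit pods are restarted, it is worth confirming that the edited fluent.conf actually satisfies the placement rules above. The following shell check is an added example and is not part of the IBM documentation or the product; the function name check_audit_conf is this example's own, the two sample configurations are constructed, and the oc command in the header comment is only a suggested way to dump the live key to a file.

```shell
#!/bin/sh
# Added example, not from the IBM documentation: checks a fluent.conf taken
# from the zen-audit-config configmap before the zen-audit pods are restarted.
# It flags leftover placeholders, a <store> block that is not inside the
# <match ...> block and after "@type copy", and "tls true" without a ca_file.
# The function name check_audit_conf is this example's own.
#
# To test the live configmap, dump the key to a file first (assumes oc access):
#   oc get configmap zen-audit-config -o jsonpath='{.data.fluent\.conf}' > fluent.conf
#   check_audit_conf fluent.conf

check_audit_conf() {
  conf=$1
  rc=0
  if grep -Eq '<QRADAR-HOST>|<QRADAR-PORT>|<CPD-HOSTNAME>' "$conf"; then
    echo "$conf: a <QRADAR-HOST>, <QRADAR-PORT> or <CPD-HOSTNAME> placeholder was not replaced"
    rc=1
  fi
  # Each <store> must sit inside the export/records/syslog match block and
  # only after that block's "@type copy" line.
  awk '
    /^[[:space:]]*<match export / { in_match = 1; seen_copy = 0 }
    in_match && /^[[:space:]]*@type[[:space:]]+copy/ { seen_copy = 1 }
    /^[[:space:]]*<store>/ { if (in_match && seen_copy) good++; else bad++ }
    /^[[:space:]]*<\/match>/ { in_match = 0; seen_copy = 0 }
    END { if (bad > 0 || good == 0) exit 1 }
  ' "$conf" || { echo "$conf: <store> is missing, outside the <match> block, or before @type copy"; rc=1; }
  if grep -Eq '^[[:space:]]*tls[[:space:]]+true' "$conf" && ! grep -Eq '^[[:space:]]*ca_file[[:space:]]' "$conf"; then
    echo "$conf: tls true is set but no ca_file is configured"
    rc=1
  fi
  return $rc
}

SAMPLE_DIR=$(mktemp -d)

# Constructed sample that follows the layout on the page (host names are made up).
cat > "$SAMPLE_DIR/good.conf" <<'EOF'
<match export export.** records records.** syslog syslog.**>
  @type copy
  <store>
    @type remote_syslog
    host qradar.example.internal
    port 514
    hostname cpd.example.internal
    protocol tcp
    tls true
    ca_file /fluentd/config/ca.pem
    <format>
      @type json
    </format>
    <buffer>
      flush_interval 10s
      retry_forever true
    </buffer>
  </store>
</match>
EOF

# Constructed sample with <store> before "@type copy", a placeholder left in,
# and TLS enabled without a ca_file.
cat > "$SAMPLE_DIR/bad.conf" <<'EOF'
<match export export.** records records.** syslog syslog.**>
  <store>
    @type remote_syslog
    host <QRADAR-HOST>
    port 514
    protocol tcp
    tls true
  </store>
  @type copy
</match>
EOF

check_audit_conf "$SAMPLE_DIR/good.conf" && echo "good.conf: OK"
check_audit_conf "$SAMPLE_DIR/bad.conf" || echo "bad.conf: rejected"
```

The check is deliberately line based: it does not parse fluentd configuration, so it is a guard against the mistakes the page warns about (placement and unreplaced values), not a substitute for watching the zen-audit pod logs after the restart.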
Create a custom configmap
You can create a custom configmap to connect to your QRadar environment.
From the Cloud Pak for Data cluster:
- Change to the project where Cloud Pak for Data is installed:
oc project ${PROJECT_CPD_INSTANCE}
- Set the following environment variables:
- Set CONFIGMAP_NAME to the name that you want to use for the custom configmap:
export CONFIGMAP_NAME=<configmap-name>
- If you want to use TLS, set TLS_CERT to the TLS certificate:
export TLS_CERT=<certificate>
- Set QRADAR_HOST to the address of the QRadar server:
export QRADAR_HOST=<hostname>
- Set QRADAR_PORT to the port on the QRadar server. The default port is 514.
export QRADAR_PORT=<port>
- Set CPD_HOSTNAME to the hostname of the Cloud Pak for Data server:
export CPD_HOSTNAME=<hostname>
- Create the configmap:
Configmap for connecting to QRadar using TLS (recommended)
cat <<EOF | oc apply -f -
apiVersion: v1
kind: ConfigMap
metadata:
  name: ${CONFIGMAP_NAME}
  namespace: ${PROJECT_CPD_INSTANCE}
data:
  ca.pem: |
    -----BEGIN CERTIFICATE-----
    ${TLS_CERT}
    -----END CERTIFICATE-----
  fluent.conf: |-
    <match export export.** records records.** syslog syslog.**>
      @type copy
      <store>
        @type remote_syslog
        host ${QRADAR_HOST}
        port ${QRADAR_PORT}
        hostname ${CPD_HOSTNAME}
        protocol tcp
        tls true                          # Required to use TLS
        ca_file /fluentd/config/ca.pem    # Required to use TLS; specify the cert in the ca.pem section
        <format>
          @type json
        </format>
        <buffer>
          flush_thread_count 2
          flush_interval 10s
          chunk_limit_size 2M
          queue_limit_length 32
          retry_max_interval 30
          retry_forever true
        </buffer>
      </store>
    </match>
EOF
Configmap for connecting to QRadar without TLS
cat <<EOF | oc apply -f -
apiVersion: v1
kind: ConfigMap
metadata:
  name: ${CONFIGMAP_NAME}
  namespace: ${PROJECT_CPD_INSTANCE}
data:
  fluent.conf: |-
    <match export export.** records records.** syslog syslog.**>
      @type copy
      <store>
        @type remote_syslog
        host ${QRADAR_HOST}
        port ${QRADAR_PORT}
        hostname ${CPD_HOSTNAME}
        protocol tcp
        <format>
          @type json
        </format>
        <buffer>
          flush_thread_count 2
          flush_interval 10s
          chunk_limit_size 2M
          queue_limit_length 32
          retry_max_interval 30
          retry_forever true
        </buffer>
      </store>
    </match>
EOF
- Patch the zenService custom resource to specify the custom configmap:
oc patch zenService lite-cr \
  -n ${PROJECT_CPD_INSTANCE} \
  --type='json' \
  --patch "[{\"op\": \"replace\", \"path\": \"/spec/zen_audit_config_custom\", \"value\": \"${CONFIGMAP_NAME}\"}]"
- Delete all zen-audit pods to force a restart to pick up the changes:
- Get the list of zen-audit pods:
oc get pods | grep zen-audit
- Delete the zen-audit pods.
Tip: If there are multiple zen-audit pods, delete each pod individually to avoid a forced restart.
oc delete pods zen-audit-xxxxxx-xxx
Replace zen-audit-xxxxxx-xxx with the ID returned by the oc get pods command.
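The heredoc above works as long as the certificate in TLS_CERT is a single line; a real PEM body spans many lines, and only the first one would carry the indentation that the "ca.pem: |" block scalar needs. The following script is an added example, not IBM's code or part of the product: it renders the same manifest from shell variables while indenting every certificate line, and it builds the zenService patch with the configmap name inside JSON string quotes. The function names (render_audit_configmap, zenservice_patch, apply_audit_configmap) and all sample values are this example's own; the resource name lite-cr and the path /spec/zen_audit_config_custom come from the page.

```shell
#!/bin/sh
# Added example, not from the IBM documentation. Renders the custom zen-audit
# ConfigMap for QRadar from variables and builds the JSON patch for the
# zenService custom resource. Function names are this example's own; the
# resource name lite-cr and /spec/zen_audit_config_custom are from the page.
set -eu

# Prefix every line on stdin with $1, so a multi-line certificate body keeps the
# indentation that the "ca.pem: |" YAML block scalar requires.
indent_lines() {
  sed "s/^/$1/"
}

# Print the ConfigMap manifest.
# Arguments: name namespace qradar_host qradar_port cpd_hostname [cert_body]
# cert_body is the PEM body between the BEGIN/END lines; omit it for plain TCP.
render_audit_configmap() {
  name=$1; ns=$2; qradar_host=$3; qradar_port=$4; cpd_hostname=$5; cert_body=${6:-}
  ca_section=""
  tls_lines=""
  if [ -n "$cert_body" ]; then
    ca_section="  ca.pem: |
    -----BEGIN CERTIFICATE-----
$(printf '%s\n' "$cert_body" | indent_lines '    ')
    -----END CERTIFICATE-----
"
    tls_lines="        tls true
        ca_file /fluentd/config/ca.pem
"
  fi
  cat <<EOF
apiVersion: v1
kind: ConfigMap
metadata:
  name: ${name}
  namespace: ${ns}
data:
${ca_section}  fluent.conf: |-
    <match export export.** records records.** syslog syslog.**>
      @type copy
      <store>
        @type remote_syslog
        host ${qradar_host}
        port ${qradar_port}
        hostname ${cpd_hostname}
        protocol tcp
${tls_lines}        <format>
          @type json
        </format>
        <buffer>
          flush_thread_count 2
          flush_interval 10s
          chunk_limit_size 2M
          queue_limit_length 32
          retry_max_interval 30
          retry_forever true
        </buffer>
      </store>
    </match>
EOF
}

# JSON patch that points the zenService CR at the custom configmap. The name is
# emitted inside JSON string quotes, which the json patch type requires.
zenservice_patch() {
  printf '[{"op": "replace", "path": "/spec/zen_audit_config_custom", "value": "%s"}]' "$1"
}

# Apply to a cluster; needs oc and a logged-in session, so it is not run here.
apply_audit_configmap() {
  render_audit_configmap "$@" | oc apply -f -
  oc patch zenService lite-cr -n "$2" --type='json' --patch "$(zenservice_patch "$1")"
}

# Constructed placeholder certificate body (two lines, not a real certificate).
SAMPLE_CERT_BODY="MIIBsampleLine1
MIIBsampleLine2"

# Demo: print the TLS manifest for constructed values; nothing is applied.
render_audit_configmap qradar-audit "${PROJECT_CPD_INSTANCE:-cpd-instance}" \
  qradar.example.internal 514 cpd.example.internal "$SAMPLE_CERT_BODY"
```

With the real values exported as on the page, apply_audit_configmap "$CONFIGMAP_NAME" "$PROJECT_CPD_INSTANCE" "$QRADAR_HOST" "$QRADAR_PORT" "$CPD_HOSTNAME" "$TLS_CERT" performs both the oc apply and the oc patch; leave off the last argument for the plain TCP variant, and restart the zen-audit pods afterwards as described above.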
Results
After the changes are applied, new audit events from Cloud Pak for Data are sent to QRadar.