Configuring audit log forwarding for QRadar

You can configure audit log forwarding from IBM® Security QRadar Suite to IBM QRadar on Cloud and IBM QRadar 7.5.0 or later.

Before you begin

Verify that the following requirements are met:

  1. Access to QRadar on Cloud or IBM QRadar 7.5.0 or later Console GUI.
  2. Access to QRadar on Cloud or IBM QRadar 7.5.0 or later backend (SSH).
  3. Access to IBM Security QRadar Suite cluster backend (oc login).
  4. A TLS certificate.
    • For QRadar on Cloud, the TLS certificate (PKCS12 Certificate Chain and Password) is provided and deployed by QRadar on Cloud support. For more information, see Sending TLS syslog data to the QRadar Console.
    • For IBM QRadar 7.5.0 or later, you need to provide your own TLS certificate.

Configuring a new log source on the IBM QRadar Console or IBM QRadar on Cloud console

To correctly receive the logs from IBM Security QRadar Suite, create a new TLS syslog log source on the IBM QRadar console.

IBM QRadar on Cloud

Procedure

To create a new log source on QRadar on Cloud and to request the TLS certificate from support, complete the step in Sending TLS syslog data to the QRadar Console.
Important: The value that you add in the Log Source Identifier field in step 7 is used for the audit.syslog.hostname field when you create the CP4SConfiguration CR.

IBM QRadar 7.5.0 or later

Procedure

  1. Log in to the IBM QRadar Console GUI.
  2. On the Admin tab, go to the Apps section and click the QRadar Log Source Management icon.
  3. Click + New Log Source, then click Single Log Source.
  4. On the Select a Log Source Type page, select the Kubernetes Auditing log source type, and click Select Protocol Type.
  5. On the Select a Protocol Type page, select TLS Syslog protocol, and click Configure Log Source Parameters.
  6. Configure the common parameters for your log source. You can set the Target Event Collector to Console or Event processor.
  7. Configure the protocol-specific parameters for your log source.
    1. Update the Log Source Identifier field.
    2. In the TLS Listen Port field, enter 6514.
      Port 6514 is the only port available for TLS syslog.
    3. In the Server Certificate Type field, select PKCS12 Certificate Chain and Password to provide your own certificates.

      If your certificates are in PEM format, see Converting PEM certificates to PKCS12 format.

      Copy the PKCS12 certificate to the IBM QRadar VM and take note of the path where the file was copied.

      In the new Log Source screen, enter the PKCS12 Server Certificate Path (the path where the file was copied on the IBM QRadar VM) and the PKCS12 Password values.

      Important: The value that you add in the Log Source Identifier field is used for the audit.syslog.hostname field when you create the CP4SConfiguration CR.
  8. Click Save.
  9. On the Admin tab, click Deploy Changes.

Adding a CA Certificate to IBM Security QRadar Suite

If your TLS certificate is not signed by a well-known certificate authority (CA), create a new secret on IBM Security QRadar Suite.

Procedure

  1. Log in to the IBM Security QRadar Suite backend (oc login).
  2. Create the audit-certs secret by running the following command, where <ca_cert_file> is the CA root certificate.
    oc create secret generic audit-certs --from-file=syslog.crt=<ca_cert_file>

Enabling audit log forwarding

Procedure

  1. After creating the new log source and secret, create the CP4SConfiguration CR.
    This CR enables the audit log forwarding and contains information about the QRadar on Cloud or IBM QRadar host and other optional configurations.
    The following table shows the information that is needed in the CP4SConfiguration CR .yaml file.
    Table 1. CP4SConfiguration CR .yaml file fields
    Field                      Value
    audit.syslog.enableSIEM    true
    audit.syslog.host          <QRoC_QRadar_hostname>
    audit.syslog.port          6514
    audit.syslog.enableTLS     true
    audit.syslog.hostname      <cp4s_identifier>
    Create a CP4SConfiguration CR .yaml file with the following content.
    apiVersion: isc.ibm.com/v1
    kind: CP4SConfiguration
    metadata:
      name: enable-audit
    spec:
      values:
      - audit.syslog.enableSIEM=true
      - audit.syslog.host=logs-<QRoC_QRadar_hostname>
      - audit.syslog.port=6514
      - audit.syslog.enableTLS=true
      - audit.syslog.hostname=<cp4s_identifier>
    
    Important:
    • For IBM QRadar 7.5.0 or later, the value of audit.syslog.host is the IBM QRadar fully qualified domain name (FQDN).
    • For QRadar on Cloud, the value of audit.syslog.host is the IBM QRadar fully qualified domain name (FQDN) with prefix logs-. For example, if your console address is console-######.qradar.ibmcloud.com, enter logs-console-######.qradar.ibmcloud.com for the audit.syslog.host option. The certificate that is provided by QRadar on Cloud support also matches logs-<qroc_fqdn>.
    • The value of audit.syslog.hostname=<cp4s_identifier> must match the value that is used for the Log Source Identifier field when the new log source was created in the previous step.
  2. Apply the CP4SConfiguration CR by typing the following command, where <file_name> is the name of the .yaml file that you created in the previous step.
    oc apply -f <file_name>.yaml
    • A fluentd pod (audit-fluentd-yyyyyyyyyy-xxxxx) starts in the same namespace.
    • Audit logs are forwarded to IBM QRadar or QRadar on Cloud.

What to do next

You can verify that the process works by completing the following steps:

  1. Log in to the IBM QRadar Console.
  2. Go to the Log Activity Tab.
  3. Confirm that the IBM Security QRadar Suite logs appear in the list.

    The Log Source column displays the name of the new log source.

Disabling audit log forwarding

You can disable audit log forwarding globally for all services or individually only for specific services.

Disabling globally

Procedure

To disable audit log forwarding globally, you need to remove the CP4SConfiguration CR by running the following command:
oc delete CP4SConfiguration enable-audit

Disabling for single applications

When audit log forwarding is enabled globally in the cluster, it is enabled for all services by default. You can individually disable audit log forwarding for specific services.

About this task

You can individually disable audit log forwarding for the following services:
aitk.audit=false
audit.cases.enabled=false
authsvc.audit=false
car.audit=false
clx.audit=false
de.audit=false
drc.audit=false
drcapi.audit=false
edgegateway.audit=false
entitlements.audit=false
iscauth.audit=false
pulse.audit=false
qproxy.audit=false
riskmanager.audit=false
threatinv.audit=false
tii.tiiapp.audit=false
tii.tiireports.audit=false
tii.tiisearch.audit=false
tii.tiisettings.audit=false
tii.tiithreats.audit=false
tisvars.audit=false
udi.audit=false

Procedure

To disable audit log forwarding for specific services, create a new CR and add the services that you want to disable.
The following example disables audit log forwarding for the authsvc and clx services:
apiVersion: isc.ibm.com/v1
kind: CP4SConfiguration
metadata:
  name: tune-audit
spec:
  values:
  - authsvc.audit=false
  - clx.audit=false
Important:
  • The new CR must have a different name. In this example, the new CR is named tune-audit.
  • To roll back the changes, edit or delete the tune-audit CR.
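A CP4SConfiguration CR with a misspelled service key (for example authsv.audit=false) applies without error and disables nothing, so it is worth checking the keys against the supported list before running oc apply. The following script is an added example, not part of the IBM documentation: it renders a tune-audit CR for the services you name and rejects any name that does not map to exactly one of the per-service keys listed above. Accepting a short name such as authsvc or tiiapp, rather than the full key, is a convenience of this script and not product behaviour.

```shell
#!/bin/sh
# Added example (not from the IBM page): render a tune-audit CP4SConfiguration
# CR and refuse service names that are not in the supported per-service list.

# Supported per-service audit keys, one per line, copied from the page.
AUDIT_KEYS='aitk.audit
audit.cases.enabled
authsvc.audit
car.audit
clx.audit
de.audit
drc.audit
drcapi.audit
edgegateway.audit
entitlements.audit
iscauth.audit
pulse.audit
qproxy.audit
riskmanager.audit
threatinv.audit
tii.tiiapp.audit
tii.tiireports.audit
tii.tiisearch.audit
tii.tiisettings.audit
tii.tiithreats.audit
tisvars.audit
udi.audit'

# Map a short service name (authsvc, clx, cases, tiiapp, ...) to its key.
# Assumption made by this script: a name is accepted only when exactly one key
# contains it as a dot-delimited component. "audit" or "tii" match several keys
# and are therefore rejected as ambiguous.
audit_key_for() {
    name=$1
    match=$(printf '%s\n' "$AUDIT_KEYS" |
        awk -F. -v n="$name" '{ for (i = 1; i <= NF; i++) if ($i == n) { print; next } }')
    count=$(printf '%s\n' "$match" | awk 'NF { n++ } END { print n + 0 }')
    if [ "$count" -eq 1 ]; then
        printf '%s\n' "$match"
    else
        return 1
    fi
}

# Usage: render_tune_audit_cr <service>...    e.g. render_tune_audit_cr authsvc clx
# Prints the CR on stdout; returns 1 (with a message on stderr) for any
# unknown or ambiguous service name, so nothing half-correct gets applied.
render_tune_audit_cr() {
    entries=
    for svc in "$@"; do
        if key=$(audit_key_for "$svc"); then
            entries="$entries  - $key=false
"
        else
            echo "unknown or ambiguous service: $svc" >&2
            return 1
        fi
    done
    printf 'apiVersion: isc.ibm.com/v1\nkind: CP4SConfiguration\nmetadata:\n  name: tune-audit\nspec:\n  values:\n%s' "$entries"
}

# Stand-alone use: write the CR for the page's example to a file.
# render_tune_audit_cr authsvc clx > tune-audit.yaml
```

Because the CR name is fixed to tune-audit, the rendered file is distinct from enable-audit, which is the point of the Important note above; rolling back is a matter of editing or deleting that one CR.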

Converting PEM certificates to PKCS12 format

PEM certificates need to be converted to the PKCS12 format to be used in a new log source.

Procedure

  1. To convert the certificates, you need the public certificate file, the private key file, and the CA certificate file. For example, if the files are named tls.crt, tls.key, and ca.crt, run the following command:
    openssl pkcs12 -export -out tls.p12 -inkey tls.key -in tls.crt -certfile ca.crt
    
  2. Set a password and confirm it. This password is needed to create a new log source.
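The conversion above is easy to get subtly wrong: if the CA certificate is left out, QRadar receives a bundle without the chain, and a mistyped password only surfaces when the log source fails to start. The following script is an added example, not part of the IBM documentation. It runs the page's openssl pkcs12 command with the password supplied from a variable instead of the interactive prompt, then verifies the resulting bundle by counting the certificates it contains and confirming that the password opens it. The CA and server certificate it generates are constructed throwaway test material; in practice, use the files issued to you.

```shell
#!/bin/sh
# Added example (not from the IBM page): convert PEM files to PKCS12 and verify
# the bundle before copying it to the QRadar VM. Requires the openssl CLI.

# Create a constructed test CA and a server certificate signed by it in $1.
# Only for exercising the conversion; not real key material.
make_test_pem() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj '/CN=Example Test CA' \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj '/CN=qradar.example.internal' \
        -keyout "$dir/tls.key" -out "$dir/tls.csr" 2>/dev/null
    openssl x509 -req -in "$dir/tls.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 1 -out "$dir/tls.crt" 2>/dev/null
}

# The page's command: tls.crt + tls.key + ca.crt -> tls.p12. The password is
# the value you later enter in the PKCS12 Password field of the log source.
pem_to_pkcs12() {
    dir=$1 password=$2
    openssl pkcs12 -export -out "$dir/tls.p12" -inkey "$dir/tls.key" \
        -in "$dir/tls.crt" -certfile "$dir/ca.crt" -passout "pass:$password"
}

# Count the certificates in the bundle. Expect 2 (server certificate plus CA)
# so that QRadar is given the whole chain. Prints 0 and returns non-zero when
# the password does not open the bundle.
pkcs12_cert_count() {
    dir=$1 password=$2
    openssl pkcs12 -in "$dir/tls.p12" -nokeys -passin "pass:$password" 2>/dev/null |
        grep -c 'BEGIN CERTIFICATE'
}

# Stand-alone use with constructed material:
# work=$(mktemp -d)
# make_test_pem "$work"
# pem_to_pkcs12 "$work" 'change-me'
# pkcs12_cert_count "$work" 'change-me'    # 2 when the chain is complete
```

Once pkcs12_cert_count reports 2, copy tls.p12 to the IBM QRadar VM, and use that path and password for the PKCS12 Server Certificate Path and PKCS12 Password fields described earlier.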

Configuring DNS overwrite

The hostname that is specified in the CP4SConfiguration CR must match the remote TLS certificate that is associated with the connection. That hostname is not always associated with the correct DNS record.

Procedure

To force a DNS overwrite, you can add the following host alias settings to the CP4SConfiguration CR:
  • audit.hostAliases.syslog.ip=<qradar_ip>
  • audit.hostAliases.syslog.hostnames.main=<qradar_hostname>
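The enable-audit CR in Enabling audit log forwarding and the host alias settings above share a set of constraints that the page states in prose: TLS must be on, the port must be 6514, audit.syslog.hostname must equal the Log Source Identifier, and for QRadar on Cloud the host carries the logs- prefix that the support-issued certificate matches. The following script is an added example, not part of the IBM documentation. It renders the CR from a few variables and enforces those constraints before the file reaches oc apply; when an IP address is given, it also emits the hostAliases entries. Two choices here are assumptions of this script: the aliased hostname (audit.hostAliases.syslog.hostnames.main) is taken to be the same value as audit.syslog.host, and the IPv4 check is a coarse shape check only.

```shell
#!/bin/sh
# Added example (not from the IBM page): render the enable-audit
# CP4SConfiguration CR and check the page's constraints before applying it.

# Usage: render_enable_audit_cr <target> <qradar_fqdn> <log_source_identifier> [<qradar_ip>]
#   target  "qroc" for QRadar on Cloud, "onprem" for IBM QRadar 7.5.0 or later
#   qradar_fqdn  the console FQDN; for qroc pass it WITHOUT the logs- prefix
#   log_source_identifier  exactly the Log Source Identifier entered in QRadar
#   qradar_ip  optional; when given, hostAliases entries force DNS resolution
# Prints the CR on stdout; returns 1 with a message on stderr if a check fails.
render_enable_audit_cr() {
    target=$1 fqdn=$2 identifier=$3 qradar_ip=${4:-}

    # audit.syslog.hostname must equal the Log Source Identifier; an empty or
    # whitespace-containing value cannot match anything QRadar accepted.
    case $identifier in
        ''|*[[:space:]]*)
            echo "log source identifier must be non-empty and contain no whitespace" >&2
            return 1 ;;
    esac

    case $target in
        qroc)
            # QRadar on Cloud: the endpoint and the support-issued certificate
            # both use logs-<console fqdn>; refuse a double prefix.
            case $fqdn in
                logs-*) echo "pass the console FQDN without logs-; the prefix is added here" >&2; return 1 ;;
            esac
            host="logs-$fqdn" ;;
        onprem)
            # IBM QRadar 7.5.0 or later: the plain FQDN of the QRadar host.
            host=$fqdn ;;
        *)
            echo "target must be qroc or onprem" >&2
            return 1 ;;
    esac

    # Coarse IPv4 shape check (assumption of this script): digits and dots,
    # no leading, trailing or doubled dots.
    if [ -n "$qradar_ip" ]; then
        case $qradar_ip in
            *[!0-9.]*|.*|*.|*..*)
                echo "qradar_ip must be an IPv4 address" >&2
                return 1 ;;
        esac
    fi

    cat <<EOF
apiVersion: isc.ibm.com/v1
kind: CP4SConfiguration
metadata:
  name: enable-audit
spec:
  values:
  - audit.syslog.enableSIEM=true
  - audit.syslog.host=$host
  - audit.syslog.port=6514
  - audit.syslog.enableTLS=true
  - audit.syslog.hostname=$identifier
EOF
    # DNS overwrite: map the certificate's hostname to the address you know
    # is right. Assumes the aliased name is the audit.syslog.host value.
    if [ -n "$qradar_ip" ]; then
        cat <<EOF
  - audit.hostAliases.syslog.ip=$qradar_ip
  - audit.hostAliases.syslog.hostnames.main=$host
EOF
    fi
}

# Read one key's value back out of a rendered CR on stdin, for checking.
cr_value() {
    awk -v k="  - $1=" 'index($0, k) == 1 { print substr($0, length(k) + 1) }'
}

# Stand-alone use (constructed values):
# render_enable_audit_cr qroc console-abc123.qradar.ibmcloud.com cp4s-prod > enable-audit.yaml
# render_enable_audit_cr onprem qradar.example.internal cp4s-prod 10.0.0.5 > enable-audit.yaml
```

After oc apply, the fluentd pod named above should appear in the namespace; if it starts but no events reach the log source, the first things to compare are audit.syslog.hostname against the Log Source Identifier and audit.syslog.host against the subject of the TLS certificate, which is exactly what the hostAliases entries exist to reconcile.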