OpenStack

The IBM QRadar DSM for OpenStack collects event logs from your OpenStack device.

The following table identifies the specifications for the OpenStack DSM:

Table 1. OpenStack DSM specifications

| Specification | Value |
| --- | --- |
| Manufacturer | OpenStack |
| DSM name | OpenStack |
| RPM file name | DSM-OpenStackCeilometer-QRadar_version-build_number.noarch.rpm |
| Supported versions | V2015.1 |
| Protocol | HTTP Receiver |
| Recorded event types | Audit event |
| Automatically discovered? | No |
| Includes identity? | No |
| Includes custom properties? | No |
| More information | OpenStack website (http://www.openstack.org/) |

To send events from OpenStack to QRadar, complete the following steps:
  1. If automatic updates are not enabled, download and install the most recent version of the following RPMs from the IBM® Support Website onto your QRadar Console:
    • PROTOCOL-HTTPReceiver RPM
    • OpenStack DSM RPM
  2. Add an OpenStack log source on the QRadar Console. The following table describes the parameters that are required to collect OpenStack events:
    Table 2. OpenStack log source parameters

    | Parameter | Value |
    | --- | --- |
    | Log Source type | OpenStack |
    | Log Source Identifier | The IP address of the OpenStack server, and not the host name. |
    | Protocol Configuration | HTTPReceiver |
    | Communication Type | HTTP |
    | Listen Port | The port number that OpenStack uses to communicate with QRadar. Important: Do not use Port 514. Port 514 is used by the standard Syslog listener. |
    | Message Pattern | ^\{"typeURI |

  3. Configure your OpenStack device to communicate with QRadar.
The following table provides a sample event message for the OpenStack DSM:
Important: Due to formatting issues, paste the message format into a text editor and then remove any carriage return or line feed characters.
Table 3. OpenStack sample message supported by the OpenStack device

Event name: Lists details for all servers
Low level category: Read activity attempted
Sample log message:
 {"typeURI": "http://schemas.dmtf.org/cloud/audit/1.0/event", "eventTime": "2014-12-09T00:18:52.063878+0000", "target": {"typeURI": "service/compute/servers/detail", "id": "openstack:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", "name": "nova", "addresses": [{"url": "http://<IP_address>:8774/v2/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", "name": "admin"}, {"url": "http://<IP_address>:8774/v2/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", "name": "private"}, {"url": "http://<IP_address>:8774/v2/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", "name": "public"}]}, "observer": {"id": "target"}, "tags": ["correlation_id?value=openstack:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"], "eventType": "activity", "initiator": {"typeURI": "service/security/account/user", "name": "admin", "credential": {"token": "xxxx xxxxxxxx xxxx", "identity_status": "Confirmed"}, "host": {"agent": "python-novaclient", "address": "<IP_address>"}, "project_id": "openstack:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", "id": "openstack:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"}, "action": "read/list", "outcome": "pending", "id": "openstack:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
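
The Message Pattern in Table 2 is anchored at the start of the message, so an event that is wrapped across lines or whose first key is not typeURI does not match it. The following pre-flight check is an added example, not code from IBM or OpenStack; the function names, the sample event and the port number in the test are constructed for illustration.

```python
import json
import re

# Message Pattern value from Table 2.
MESSAGE_PATTERN = re.compile(r'^\{"typeURI')

# Constructed sample: a CADF event wrapped across lines, with typeURI not first.
SAMPLE = '''{"eventTime": "2014-12-09T00:18:52.063878+0000",
 "typeURI": "http://schemas.dmtf.org/cloud/audit/1.0/event",
 "eventType": "activity", "action": "read/list",
 "outcome": "pending"}'''


def accepted_by_pattern(text: str) -> bool:
    """True if text is a single line that matches the Message Pattern."""
    single_line = "\r" not in text and "\n" not in text
    return single_line and MESSAGE_PATTERN.match(text) is not None


def usable_listen_port(port: int) -> bool:
    """Port 514 is reserved for the standard Syslog listener (Table 2)."""
    return 0 < port < 65536 and port != 514


def prepare_event(raw: str) -> str:
    """Return a single-line event that starts with {"typeURI.

    Raises ValueError if raw is not a JSON object with a top-level typeURI.
    """
    # Remove carriage returns and line feeds left over from copy and paste.
    flat = raw.replace("\r", "").replace("\n", "")
    try:
        event = json.loads(flat)
    except json.JSONDecodeError as exc:
        raise ValueError(f"not valid JSON: {exc}") from exc
    if not isinstance(event, dict) or "typeURI" not in event:
        raise ValueError("missing top-level typeURI")
    # Re-serialize with typeURI as the first key so the anchored pattern matches.
    rest = {k: v for k, v in event.items() if k != "typeURI"}
    line = json.dumps({"typeURI": event["typeURI"], **rest})
    if not accepted_by_pattern(line):
        raise ValueError("event still does not match the Message Pattern")
    return line


if __name__ == "__main__":
    print(prepare_event(SAMPLE))
```
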