OpenStack
The IBM QRadar DSM for OpenStack collects event logs from your OpenStack device.
The following table identifies the specifications for the OpenStack DSM:
Specification | Value |
---|---|
Manufacturer | OpenStack |
DSM name | OpenStack |
RPM file name | DSM-OpenStackCeilometer-QRadar_version-build_number.noarch.rpm |
Supported versions | V2015.1 |
Protocol | HTTP Receiver |
Recorded event types | Audit event |
Automatically discovered? | No |
Includes identity? | No |
Includes custom properties? | No |
More information | OpenStack website (http://www.openstack.org/) |
To send events from OpenStack to QRadar, complete the following steps:
- If automatic updates are not enabled, download and install the most recent version of the following RPMs from the IBM® Support Website onto your QRadar Console:
  - PROTOCOL-HTTPReceiver RPM
  - OpenStack DSM RPM
- Add an OpenStack log source on the QRadar Console. The following table describes the parameters that are required to collect OpenStack events:

  Table 2. OpenStack log source parameters

  Parameter | Value |
  ---|---|
  Log Source type | OpenStack |
  Log Source Identifier | The IP address of the OpenStack server, and not the host name. |
  Protocol Configuration | HTTPReceiver |
  Communication Type | HTTP |
  Listen Port | The port number that OpenStack uses to communicate with QRadar. Important: Do not use Port 514. Port 514 is used by the standard Syslog listener. |
  Message Pattern | ^\{"typeURI |
- Configure your OpenStack device to communicate with QRadar.
The following table provides a sample event message for the OpenStack DSM:
Important: Due to formatting issues, paste the message format into a text editor and then remove any carriage return or line feed characters.
Event name | Low level category | Sample log message |
---|---|---|
Lists details for all servers | Read activity attempted |
|
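
A pre-flight check for the log source parameters and the carriage return/line feed note above, written as an added example (it is not IBM or OpenStack code). The function names, the sample event, port 12469 and the JSON validity check are assumptions made for illustration; only the Message Pattern, the Port 514 restriction and the IP-address rule come from this page.

```python
import ipaddress
import json
import re

MESSAGE_PATTERN = re.compile(r'^\{"typeURI')  # Message Pattern from the parameters table
SYSLOG_PORT = 514  # used by the standard Syslog listener

# Constructed sample: a CADF-style audit event wrapped across lines the way a
# copied message can be. Not taken from the page or from a real system.
WRAPPED_EVENT = (
    '{"typeURI": "http://schemas.dmtf.org/cloud/audit/1.0/event",\r\n'
    ' "eventType": "activity", "action": "read/list",\n "outcome": "success"}'
)


def check_log_source(identifier, listen_port):
    """Return a list of problems with the log source parameters."""
    problems = []
    try:
        ipaddress.ip_address(identifier)
    except ValueError:
        problems.append("Log Source Identifier must be an IP address, not a host name")
    if listen_port == SYSLOG_PORT:
        problems.append("Listen Port 514 is used by the standard Syslog listener")
    return problems


def flatten_event(raw):
    """Remove carriage return and line feed characters, as the note requires."""
    return raw.replace("\r", "").replace("\n", "")


def check_event(raw):
    """Return a list of problems with one event as it would be sent."""
    problems = []
    if "\r" in raw or "\n" in raw:
        problems.append("event contains carriage return or line feed characters")
    if not MESSAGE_PATTERN.search(raw):  # anchored: must begin with {"typeURI
        problems.append('event does not start with {"typeURI')
    try:
        json.loads(raw)  # assumption: events are JSON, as the pattern implies
    except ValueError:
        problems.append("event is not valid JSON")
    return problems


if __name__ == "__main__":
    print(check_log_source("192.0.2.10", 12469))  # constructed values
    print(check_event(flatten_event(WRAPPED_EVENT)))
```

Because the pattern is anchored at the start of the message, an indented (pretty-printed) event still fails after the line breaks are removed: the leading spaces remain between `{` and `"typeURI`.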