Configuring event properties for generic firewall events
You must manually configure IBM QRadar to interpret the incoming generic firewall events.
Procedure
- Forward all firewall logs to QRadar.
  For information about forwarding firewall logs from your generic firewall to QRadar, see the vendor documentation for your firewall.
- Open the following file:
  /opt/QRadar/conf/genericFirewall.conf
  Make sure you copy this file to the systems that host the Event Collector and the QRadar Console.
- Restart the Tomcat server:
  service tomcat restart
  A message is displayed indicating that the Tomcat server is restarted.
- Enable or disable regular expressions in your patterns by setting the regex_enabled property. By default, regular expressions are disabled. For example:
  regex_enabled=false
  When you set regex_enabled to false, the system generates regular expressions from the literal tags you enter and uses them to retrieve the corresponding data values from the logs.
  When you set regex_enabled to true, you define custom regular expressions that control the patterns. These regular expressions are applied directly to the logs and the first captured group is returned. Custom patterns must follow the regular expression rules of the Java™ programming language. For more information, see http://download.oracle.com/javase/tutorial/essential/regex/.
  To integrate a generic firewall with QRadar, specify character classes explicitly instead of using the predefined classes. For example, the digit class /\d/ becomes /[0-9]/. Also rewrite expressions to use the primitive quantifiers (/?/, /*/ and /+/) rather than numeric quantifiers such as {n} or {n,m}.
- Add the following lines to the genericFirewall.conf file:
  accept_pattern=<accept pattern>
  deny_pattern=<deny pattern>
  source_ip_pattern=<source ip pattern>
  source_port_pattern=<source port pattern>
  destination_ip_pattern=<destination ip pattern>
  The following table provides examples of values that you can use for each pattern.

  Pattern: accept_pattern=<accept pattern>
  Value: Packet accepted
  Example: The following log message shows accept_pattern=Packet accepted:
  Aug. 5, 2005 08:30:00 Packet accepted. Source IP: <Source_IP_address> Source Port: 80 Destination IP: <Destination_IP_address> Destination Port: 80 Protocol: tcp

  Pattern: deny_pattern=<deny pattern>
  Value: Packet denied
  Example: The following log message shows deny_pattern=Packet denied:
  Aug. 5, 2005 08:30:00 Packet denied. Source IP: <Source_IP_address> Source Port: 21 Destination IP: <Destination_IP_address> Destination Port: 21 Protocol: tcp

  Pattern: source_ip_pattern=<source IP pattern>
  Value: from
  Example: The following log message shows source_ip_pattern=Source IP:
  Aug. 5, 2005 08:30:00 Packet accepted. Source IP: <Source_IP_address> Source Port: 80 Destination IP: <Destination_IP_address> Destination Port: 80 Protocol: tcp

  Pattern: source_port_pattern=<source port pattern>
  Value: port
  Example: The following log message shows source_port_pattern=Source Port:
  Aug. 5, 2005 08:30:00 Packet accepted. Source IP: <Source_IP_address> Source Port: 80 Destination IP: <Destination_IP_address> Destination Port: 80 Protocol: tcp

  Pattern: destination_ip_pattern=<destination IP pattern>
  Value: from
  Example: The following log message shows destination_ip_pattern=Destination IP:
  Aug. 5, 2005 08:30:00 Packet accepted. Source IP: <Source_IP_address> Source Port: 80 Destination IP: <Destination_IP_address> Destination Port: 80 Protocol: tcp

  Pattern: destination_port_pattern=<destination port pattern>
  Value: port
  Example: The following log message shows destination_port_pattern=Destination Port:
  Aug. 5, 2005 08:30:00 Packet accepted. Source IP: <Source_IP_address> Source Port: 80 Destination IP: <Destination_IP_address> Destination Port: 80 Protocol: tcp

  Pattern: protocol_pattern=<protocol pattern>
  Value: protocol
  Example: The following log message shows protocol_pattern=Protocol:
  Aug. 5, 2005 08:30:00 Packet accepted. Source IP: <Source_IP_address> Source Port: 80 Destination IP: <Destination_IP_address> Destination Port: 80 Protocol: tcp
  Tip: Patterns are case-insensitive and you can add multiple patterns. To add multiple patterns, separate them with a # symbol.
- Save and exit the file.
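The following Python script is an added worked example; it is not part of the IBM documentation and is not QRadar's own parser. It models the two regex_enabled modes described in the procedure above against constructed sample events in the layout the table shows (with RFC 5737 documentation addresses in place of the <Source_IP_address> placeholders), so that you can check a candidate genericFirewall.conf before deploying it. Assumptions, labelled in the code: in literal-tag mode the generated expression captures the first non-space token that follows the tag and an optional colon; in custom-regex mode the pattern is applied verbatim and its first capture group is the value; '#' separates alternative patterns as the Tip states. The lint_custom_regex helper is also an assumption-free check for the two rules in the procedure (explicit classes instead of \d, primitive quantifiers instead of {n,m}).

```python
import re

# Constructed sample events in the layout the page's table shows. The page's
# <Source_IP_address> placeholders are replaced with RFC 5737 documentation addresses.
SAMPLE_LOGS = [
    "Aug. 5, 2005 08:30:00 Packet accepted. Source IP: 192.0.2.10 Source Port: 80 "
    "Destination IP: 198.51.100.20 Destination Port: 80 Protocol: tcp",
    "Aug. 5, 2005 08:30:00 Packet denied. Source IP: 192.0.2.11 Source Port: 21 "
    "Destination IP: 198.51.100.21 Destination Port: 21 Protocol: tcp",
    # Constructed variant with a different protocol label, to exercise '#' alternatives.
    "Aug. 5, 2005 08:31:00 Packet accepted. Source IP: 192.0.2.12 Source Port: 53 "
    "Destination IP: 198.51.100.22 Destination Port: 53 Proto: udp",
]

# Constructed genericFirewall.conf in literal-tag mode. The tags are the example
# values from the page's table; protocol_pattern carries two tags separated by '#'.
CONF_LITERAL = """\
regex_enabled=false
accept_pattern=Packet accepted
deny_pattern=Packet denied
source_ip_pattern=Source IP
source_port_pattern=Source Port
destination_ip_pattern=Destination IP
destination_port_pattern=Destination Port
protocol_pattern=Protocol#Proto
"""

# The same fields in custom-regex mode, following the page's rules: explicit
# classes ([0-9], not \d), primitive quantifiers only, value in the first group.
CONF_REGEX = r"""
regex_enabled=true
accept_pattern=Packet accepted
deny_pattern=Packet denied
source_ip_pattern=Source IP: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
source_port_pattern=Source Port: ([0-9]+)
destination_ip_pattern=Destination IP: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
destination_port_pattern=Destination Port: ([0-9]+)
protocol_pattern=Protocol: ([a-z]+)#Proto: ([a-z]+)
"""

FIELD_KEYS = ("source_ip_pattern", "source_port_pattern", "destination_ip_pattern",
              "destination_port_pattern", "protocol_pattern")


def parse_conf(text):
    """Read key=value lines. '#' is NOT a comment marker here: the page uses it
    to separate multiple patterns for one property, so it is kept in the value."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def alternatives(value):
    """Split a property value on '#' into its individual patterns (per the Tip)."""
    return [p for p in value.split("#") if p]


def compile_patterns(conf, key, capture):
    """Compile the patterns for one property according to regex_enabled.

    Assumption (a model of the page's description, not QRadar's code): with
    regex_enabled=false a literal tag such as 'Source IP' is escaped and, for
    value-carrying fields, extended to capture the next non-space token after an
    optional colon. With regex_enabled=true the pattern is used verbatim and its
    first capture group is the value. Patterns are case-insensitive per the Tip.
    """
    regex_mode = conf.get("regex_enabled", "false").lower() == "true"
    compiled = []
    for pat in alternatives(conf.get(key, "")):
        if regex_mode:
            compiled.append(re.compile(pat, re.IGNORECASE))
        elif capture:
            compiled.append(re.compile(re.escape(pat) + r":?\s*(\S+)", re.IGNORECASE))
        else:
            compiled.append(re.compile(re.escape(pat), re.IGNORECASE))
    return compiled


def parse_event(conf, line):
    """Classify one log line as accept/deny and extract the addressed fields."""
    event = {"action": None}
    for action, key in (("accept", "accept_pattern"), ("deny", "deny_pattern")):
        if any(r.search(line) for r in compile_patterns(conf, key, capture=False)):
            event["action"] = action
            break
    for key in FIELD_KEYS:
        field = key[: -len("_pattern")]
        event[field] = None
        for r in compile_patterns(conf, key, capture=True):
            m = r.search(line)
            if m:
                event[field] = m.group(1)  # first captured group is the value
                break
    return event


def lint_custom_regex(pattern):
    """Flag constructs the page says to avoid in custom patterns: predefined
    classes (\\d, \\w, \\s) and numeric quantifiers such as {3} or {1,3}."""
    problems = []
    if re.search(r"\\[dwsDWS]", pattern):
        problems.append("predefined class: spell it out, e.g. [0-9] instead of \\d")
    if re.search(r"\{[0-9]+(,[0-9]*)?\}", pattern):
        problems.append("numeric quantifier: rewrite with ?, * or +")
    return problems


if __name__ == "__main__":
    for conf_text in (CONF_LITERAL, CONF_REGEX):
        conf = parse_conf(conf_text)
        for log in SAMPLE_LOGS:
            print("regex_enabled=" + conf["regex_enabled"], parse_event(conf, log))
    print(lint_custom_regex(r"Source IP: (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"))
```

Run it as-is to see both modes produce the same field values for the sample events, and to see the lint flag a pattern written with \d and {1,3}. In this model, alternative order matters when one tag is a prefix of another (Protocol before Proto): a shorter tag matched first would capture the tail of the longer label instead of the value, so list the more specific tag first.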