Configuring event properties for generic firewall events

You must manually configure IBM QRadar to interpret the incoming generic firewall events.

Procedure

  1. Forward all firewall logs to QRadar.

    For information about forwarding firewall logs from your generic firewall to QRadar, see the vendor documentation for your firewall events.

  2. Open the following file:

    /opt/QRadar/conf/genericFirewall.conf

    Make sure you copy this file to systems that host the Event Collector and the QRadar Console.

  3. Restart the Tomcat server:

    service tomcat restart

    A message is displayed indicating that the Tomcat server is restarted.

  4. Enable or disable regular expressions in your patterns by setting the regex_enabled property. By default, regular expressions are disabled.

    For example:

    regex_enabled=false

    When you set the regex_enabled property to false, the system generates regular expressions based on the tags you entered while you try to retrieve the corresponding data values from the logs.

    When you set the regex_enabled property to true, you can define custom regex to control patterns. These regex configurations are directly applied to the logs and the first captured group is returned. When you define custom regex patterns, you must adhere to regex rules, as defined by the Java™ programming language. For more information, see http://download.oracle.com/javase/tutorial/essential/regex/.

    To integrate a generic firewall with QRadar, make sure that you specify the classes directly instead of using the predefined classes. For example, the digit class (/\d/) becomes /[0-9]/. Rewrite the expression to use the primitive qualifiers (/?/,/*/ and /+/) rather than using numeric qualifiers.

  5. Add the following lines to the genericFirewall.conf file:
    accept_pattern=<accept pattern>
    deny_pattern=<deny pattern>
    source_ip_pattern=<source ip pattern>
    source_port_pattern=<source port pattern>
    destination_ip_pattern=<destination ip pattern>

    The following table provides examples of values that you can use for each pattern.

    Pattern Value Example
    accept pattern=<accept pattern> Packet accepted

    The following log message shows accept pattern=Packet accepted:

    Aug. 5, 2005 08:30:00 Packet accepted. Source IP: <Source_IP_address> Source Port: 80 Destination IP: <Destination_IP_address> Destination Port: 80 Protocol: tcp

    deny_pattern=<deny pattern> Packet denied

    The following log message shows deny_pattern=Packet denied:

    Aug. 5, 2005 08:30:00 Packet denied. Source IP: <Source_IP_address> Source Port: 21 Destination IP: <Destination_IP_address> Destination Port: 21 Protocol: tcp
    source_ip_pattern=<source IP pattern> from

    The following log message shows source_ip_pattern=Source IP:

    Aug. 5, 2005 08:30:00 Packet accepted. Source IP: <Source_IP_address> Source Port: 80 Destination IP: <Destination_IP_address> Destination Port: 80 Protocol: tcp
    source_port_pattern=<source port pattern> port

    The following log message shows source_port_pattern=Source Port:

    Aug. 5, 2005 08:30:00 Packet accepted. Source IP: <Source_IP_address> Source Port: 80 Destination IP: <Destination_IP_address> Destination Port: 80 Protocol: tcp
    destination_ip_pattern=<destination IP pattern> from

    The following log message shows destination_ip_pattern=Destination IP.

    Aug. 5, 2005 08:30:00 Packet accepted. Source IP: <Source_IP_address> Source Port: 80 Destination IP: <Destination_IP_address> Destination Port: 80 Protocol: tcp
    destination_port_pattern=<destination port pattern> port

    The following log message shows destination_port_pattern=Destination Port:

    Aug. 5, 2005 08:30:00 Packet accepted. Source IP: <Source_IP_address> Source Port: 80 Destination IP: <Destination_IP_address> Destination Port: 80 Protocol: tcp
    protocol_pattern=<protocol pattern> protocol

    The following log message shows protocol_pattern=Protocol:

    Aug. 5, 2005 08:30:00 Packet accepted. Source IP: <Source_IP_address> Source Port: 80 Destination IP: <Destination_IP_address> Destination Port: 80 Protocol: tcp
    Tip: Patterns are case-insensitive and you can add multiple patterns. For multiple patterns, separate by using a # symbol.
  6. Save and exit the file.

What to do next

You are now ready to configure the log source in QRadar.