Configuring OpenStack to communicate with QRadar
To collect OpenStack events, you must configure your OpenStack device to allow connections from QRadar.
Procedure
- Log in to your OpenStack device.
- Edit the /etc/nova/api-paste.ini file.
-
At the end of the file, add the following text:
[filter:audit] paste.filter_factory = pycadf.middleware.audit:AuditMiddleware.factory audit_map_file = /etc/nova/api_audit_map.conf
-
Review the
[composite:openstack_compute_api_v2]
settings and verify that the values match the following sample:[composite:openstack_compute_api_v2] use = call:nova.api.auth:pipeline_factory noauth = faultwrap sizelimit noauth ratelimit osapi_compute_app_v2 keystone = faultwrap sizelimit authtoken keystonecontext ratelimit audit osapi_compute_app_v2 keystone_nolimit = faultwrap sizelimit authtoken keystonecontext audit osapi_compute_app_v2
- Copy the api_audit_map.conf file to the /etc/nova/ directory.
-
Restart the api service.
The command to restart the API service depends on what operating system your OpenStack node is hosted on. On Redhat Enterprise Linux systems, the command is service openstack-nova-api restart.
-
Open the entry_points.txt file in the
egg-info subdirectory of your OpenStack installation
directory.
For PackStack installations, the file path resembles the following path: /usr/lib/python2.7/site-packages/ceilometer-2014.2-py2.7.egg-info/entry_points.txt.
-
Add the http dispatcher to the
[ceilometer.dispatcher]
section.[ceilometer.dispatcher] file = ceilometer.dispatcher.file:FileDispatcher database = ceilometer.dispatcher.database:DatabaseDispatcher http = ceilometer.dispatcher.http:HttpDispatcher
-
Copy the supplied http.py script to the dispatcher
subdirectory of the Ceilometer installation directory.
The exact location depends on your operating system and OpenStack distribution. On the Redhat Enterprise Linux Distribution of OpenStack, the directory is /usr/lib/python2.7/site-packages/ceilometer/dispatcher/.
- Edit the /etc/ceilometer/ceilometer.conf file.
-
Under the
[default]
section, add dispatcher=http. -
At the bottom of the file, add this section:
[dispatcher_http] target = http://<QRadar-IP>:<QRadar-Port> cadf_only = True
Use the port that you configured for OpenStack when you created the log source on your QRadar system.
-
Restart the ceilometer collector and notification services.
The command to restart the ceilometer collector and notification services depends on what operating system your OpenStack device is hosted on. On devices that use the Redhat Enterprise Linux operating system, use the following commands:
service openstack-ceilometer-collector restart
service openstack-ceilometer-notification restart