Alibaba Cloud Object Storage protocol configuration options

The Alibaba Cloud Object Storage protocol for IBM QRadar is an active outbound protocol that collects logs that are contained in objects from Alibaba Cloud Object Storage buckets.

Important: Before you configure the Alibaba Cloud Object Storage protocol, configure user access roles and service credentials to access the Alibaba Cloud Object Storage buckets.
  • Grant permissions to another Alibaba Cloud account or to specific users, so they can access or manage resources in a bucket. For more information about user access roles and permissions, see Bucket policy overview (https://www.alibabacloud.com/help/en/oss/user-guide/overview).
  • Create service credentials. For more information, see Obtain an AccessKey pair (https://www.alibabacloud.com/help/en/beginner-guide/latest/obtain-an-accesskey-pair).
Table 1. Alibaba Cloud Object Storage protocol common log source parameters

Protocol Configuration
  Alibaba Cloud Object Storage Service

Log Source Identifier
  Type a unique name for the log source.

  The Log Source Identifier can be any valid value and does not need to reference a specific server. It can also be the same value as the Log Source Name. If you have more than one configured Alibaba Cloud Object Storage log source, ensure that you give each one a unique name.

Access Key ID
  The Access Key ID that is generated when you configure the service credentials.

Secret Access Key
  The Secret Access Key that is generated when you configure the service credentials.

Endpoint
  The public endpoint on the bucket configuration page. For more information, see Regions and endpoints (https://www.alibabacloud.com/help/en/oss/user-guide/regions-and-endpoints).

Bucket Name
  The name of the bucket that logs are stored in.

Prefix
  The prefix filter value, which limits collection to objects or file keys that begin with the prefix. To pull all files from the bucket, use a forward slash (/).

  Important: Changing the Prefix value clears the persisted file marker. All files that match the new prefix are downloaded in the next pull. If you use the Prefix file path to specify folders, do not begin the file path with a forward slash. For example, use folder1/folder2.

Event Format
  The following event formats are supported:

  ActionTrail
    Raw log files that contain an array of records. You can use .gz files for compression.

  LINEBYLINE
    Raw log files that contain one record per line. You can use .gz, .gzip, or .zip files for compression.

Use As A Gateway Log Source
  Select this option for the collected events to flow through the QRadar Traffic Analysis engine and for QRadar to automatically detect one or more log sources.

  When you select this option, you can optionally use the Log Source Identifier Pattern to define a custom Log Source Identifier for the events that are being processed.

Log Source Identifier Pattern
  If you select Use As A Gateway Log Source, you can define a custom log source identifier. Use this option for events that are being processed and for log sources that are automatically discovered.

  If you do not configure the Log Source Identifier Pattern, QRadar receives events as unknown generic log sources.

  Use key-value pairs to define the custom log source identifier. The key is the identifier format string, which becomes the resulting source or origin value. The value is the associated regex pattern that is used to evaluate the current payload. The regex can contain capture groups, which can be referenced from the key to further customize it.

  Define multiple key-value pairs by typing each pattern on a new line. Patterns are evaluated in the order in which they are listed. When a match is found, the custom log source identifier is displayed.

  The following example shows multiple key-value pairs:

  Patterns:
    VPC=\sREJECT\sFAILURE
    $1=\s(REJECT)\sOK
    VPC-$1-$2=\s(ACCEPT)\s(OK)

  Event:
    {LogStreamName: LogStreamTest,Timestamp: 0,Message: ACCEPT OK,IngestionTime: 0,EventId: 0}

  Resulting custom log source identifier:
    VPC-ACCEPT-OK
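As an added example (not code from the IBM documentation or from QRadar), the following Python sketch reproduces the evaluation described above: patterns are tried in listed order, the first matching regex wins, and $1, $2 in the key are filled from that regex's capture groups. The splitting rule (first "=" separates key from regex) and the handling of a $N with no matching group are assumptions, not documented QRadar behaviour.

```python
import re

# Constructed sample input: the three pattern lines and the event payload
# from the example above, used to check the matching behaviour.
SAMPLE_PATTERNS = r"""VPC=\sREJECT\sFAILURE
$1=\s(REJECT)\sOK
VPC-$1-$2=\s(ACCEPT)\s(OK)"""

SAMPLE_EVENT = ("{LogStreamName: LogStreamTest,Timestamp: 0,"
                "Message: ACCEPT OK,IngestionTime: 0,EventId: 0}")


def parse_patterns(text):
    """Split each non-empty line into (key, compiled regex).

    Assumption: only the first '=' separates the identifier format string
    from the regex, so a regex that itself contains '=' is not truncated.
    """
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or "=" not in line:
            continue  # blank or malformed line: nothing to evaluate
        key, regex = line.split("=", 1)
        pairs.append((key, re.compile(regex)))
    return pairs


def resolve_identifier(pairs, payload):
    """Return the custom log source identifier for one payload.

    Patterns are tried in listed order; the first regex that matches wins.
    Every $N in the winning key is replaced by capture group N (a $N with
    no such group is left as-is, an assumption). None means no pattern
    matched, the case where QRadar falls back to an unknown generic source.
    """
    for key, regex in pairs:
        match = regex.search(payload)
        if match is None:
            continue

        def fill(ref):
            n = int(ref.group(1))
            if 1 <= n <= regex.groups and match.group(n) is not None:
                return match.group(n)
            return ref.group(0)

        return re.sub(r"\$(\d+)", fill, key)
    return None
```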
Show Advanced Options
  To configure the advanced options for event collection, set this option to On.

File Pattern
  Type a regex for the file pattern that matches the files that you want to pull, such as .*?\.json\.gz.

  This option is available when you set Show Advanced Options to On.

Local Directory
  The local directory on the Target Event Collector. The directory must exist before the protocol attempts to retrieve events.

  This option is available when you set Show Advanced Options to On.

Use Proxy
  If QRadar accesses Alibaba Cloud Object Storage by using a proxy, enable Use Proxy.

  If the proxy requires authentication, configure the Proxy Server, Proxy Port, Proxy Username, and Proxy Password parameters. If the proxy does not require authentication, leave the Proxy Username and Proxy Password fields blank.

Recurrence
  Type a time interval to determine how frequently the protocol polls for new data. The time interval can include values in hours (H), minutes (M), or days (D). For example, 2H = 2 hours, 15M = 15 minutes, 30 = seconds.

  The minimum value is 1M.

EPS Throttle
  The maximum number of events per second that QRadar ingests.

  If your data source exceeds the EPS throttle, data collection is delayed. Data is still collected and is then ingested when the data source stops exceeding the EPS throttle.

  The default is 5000.