Alibaba Cloud Object Storage protocol configuration options
The Alibaba Cloud Object Storage protocol for IBM QRadar is an active outbound protocol that collects logs that are contained in objects in Alibaba Cloud Object Storage buckets.

Before you configure the log source, complete the following tasks in Alibaba Cloud:

- Grant permissions to another Alibaba Cloud account or to specific users so that they can access or manage resources in a bucket. For more information about user access roles and permissions, see Bucket policy overview (https://www.alibabacloud.com/help/en/oss/user-guide/overview).
- Create service credentials. For more information, see Obtain an AccessKey pair (https://www.alibabacloud.com/help/en/beginner-guide/latest/obtain-an-accesskey-pair).
Parameter | Description |
---|---|
Protocol Configuration | Alibaba Cloud Object Storage Service |
Log Source Identifier | Type a unique name for the log source. The Log Source Identifier can be any valid value and does not need to reference a specific server. It can also be the same value as the Log Source Name. If you have more than one configured Alibaba Cloud Object Storage log source, ensure that you give each one a unique name. |
Access Key ID | The Access Key ID that was generated when you created the service credentials. |
Secret Access Key | The Secret Access Key that was generated when you created the service credentials. |
Endpoint | The public endpoint that is shown on the bucket configuration page. For more information, see Regions and endpoints (https://www.alibabacloud.com/help/en/oss/user-guide/regions-and-endpoints). |
Bucket Name | The name of the bucket that the logs are stored in. |
Prefix | The prefix filter value that limits collection to objects (file keys) that begin with the prefix. To pull all files from the bucket, use a forward slash (/). Important: Changing the Prefix value clears the persisted file marker, so all files that match the new prefix are downloaded in the next pull. If you use the Prefix file path to specify folders, do not begin the file path with a forward slash; for example, use folder1/folder2. |
Event Format | The following event formats are supported: |
Use As A Gateway Log Source | Select this option for the collected events to flow through the QRadar Traffic Analysis engine and for QRadar to automatically detect one or more log sources. When you select this option, you can optionally use the Log Source Identifier Pattern to define a custom Log Source Identifier for the events that are being processed. |
Log Source Identifier Pattern | If you select Use As A Gateway Log Source, you can define a custom log source identifier. Use this option for events that are being processed and for log sources that are automatically discovered. If you do not configure the Log Source Identifier Pattern, QRadar receives events as unknown generic log sources. Use key-value pairs to define the custom log source identifier. The key is the identifier format string, which becomes the resulting source or origin value. The value is the associated regex pattern that is used to evaluate the current payload; the pattern can contain capture groups, which you can reference in the key to further customize it. Define multiple key-value pairs by typing each pattern on a new line. Multiple patterns are evaluated in the order that they are listed, and when a match is found the custom log source identifier is displayed. The following example shows multiple key-value pairs. Patterns: `VPC=\sREJECT\sFAILURE`, `$1=\s(REJECT)\sOK`, `VPC-$1-$2=\s(ACCEPT)\s(OK)`. Event: `{LogStreamName: LogStreamTest,Timestamp: 0,Message: ACCEPT OK,IngestionTime: 0,EventId: 0}`. Resulting custom log source identifier: `VPC-ACCEPT-OK`. |
Show Advanced Options | To configure the advanced options for event collection, set this option to On. |
File Pattern | Type a regex for the file pattern that matches the files that you want to pull, such as `.*?\.json\.gz`. This option is available when you set Show Advanced Options to On. |
Local Directory | The local directory on the Target Event Collector. The directory must exist before the protocol attempts to retrieve events. This option is available when you set Show Advanced Options to On. |
Use Proxy | If QRadar accesses Alibaba Cloud Object Storage by using a proxy, enable Use Proxy. If the proxy requires authentication, configure the Proxy Server, Proxy Port, Proxy Username, and Proxy Password parameters. If the proxy does not require authentication, leave the Proxy Username and Proxy Password fields blank. |
Recurrence | Type a time interval to determine how frequently the protocol polls for new data. The time interval can include values in hours (H), minutes (M), or days (D). For example, 2H = 2 hours, 15M = 15 minutes, 30 = 30 seconds. The minimum value is 1M. |
EPS Throttle | The maximum number of events per second that QRadar ingests. If your data source exceeds the EPS throttle, data collection is delayed. Data is still collected and is then ingested when the data source stops exceeding the EPS throttle. The default is 5000. |