Log File log source parameters for ThreatGRID Malware Threat Intelligence Platform
If QRadar does not automatically detect the log source, add a ThreatGRID Malware Threat Intelligence Platform log source on the QRadar Console by using the Log File protocol.
When using the Log File protocol, there are specific parameters that you must use.
Parameter | Value |
---|---|
Log Source Name | Type a name for your log source |
Log Source Description | Type a description for the log source. |
Log Source Type | ThreatGRID Malware Intelligence Platform |
Protocol Configuration | Log File |
Log Source Identifier |
Type an IP address, host name, or name to identify the event source. The log source identifier must be unique for the log source type. |
Service Type |
From the list, select the protocol that you want to use to retrieve log files from a remote server. The default is SFTP.
The SCP and SFTP service type requires that the host server in the Remote IP or Hostname field has the SFTP subsystem enabled. |
Remote IP or Hostname |
Type the IP address or host name of the ThreatGRID server that contains your event log files. |
Remote Port |
Type the port number for the protocol that is selected to retrieve the event logs from your ThreatGRID server. The valid range is 1 - 65535. The list of default service type port numbers:
|
Remote User |
Type the user name that is required to log in to the ThreatGRID web server that contains your audit event logs. The user name can be up to 255 characters in length. |
Remote Password |
Type the password to log in to your ThreatGRID server. |
Confirm Password |
Confirm the password to log in to your ThreatGRID server |
SSH Key File |
If you select SCP or SFTP as the Service Type, use this parameter to define an SSH private key file. When you provide an SSH Key File, the Remote Password field is ignored. |
Remote Directory |
Type the directory location on the remote host from which the files are retrieved, relative to the user account you are using to log in. For FTP only. If your log files are in the remote user's home directory, you can leave the remote directory blank. Blank values in the Remote Directory field support systems that have operating systems where a change in the working directory (CWD) command is restricted. |
Recursive |
Select this check box if you want the file pattern to search sub folders in the remote directory. By default, the check box is clear. The Recursive parameter is ignored if you configure SCP as the Service Type. |
FTP File Pattern |
Type the regular expression (regex) required to filter the list of files that are specified in the Remote Directory. All files that match the regular expression are retrieved and processed. The FTP file pattern must match the name that you assigned to your ThreatGRID event log. For example, to collect files that start with leef or LEEF and ends with a text file extension, type the following value:
Use of this parameter requires knowledge of regular expressions (regex). This parameter applies to log sources that are configured to use FTP or SFTP. |
FTP Transfer Mode |
If you select FTP as the Service Type, from the list, select ASCII. ASCII is required for text-based event logs. |
SCP Remote File |
If you select SCP as the Service Type, type the file name of the remote file. |
Start Time |
Type a time value to represent the time of day you want the log file protocol to start. The start time is based on a 24 hour clock and uses the following format: HH:MM. For example, type 00:00 to schedule the Log File protocol to collect event files at midnight. This parameter functions with the Recurrence field value to establish when your ThreatGRID server is polled for new event log files. |
Recurrence |
Type the frequency that you want to scan the remote directory on your ThreatGRID server for new event log files. Type this value in hours (H), minutes (M), or days (D). For example, type 2H to scan the remote directory every 2 hours from the start time. The default recurrence value is 1H. The minimum time interval is 15M. |
Run On Save |
Select this check box if you want the log file protocol to run immediately after you click Save. After the save action completes, the log file protocol follows your configured start time and recurrence schedule. Selecting Run On Save clears the list of previously processed files for the Ignore Previously Processed File parameter. |
EPS Throttle |
The maximum number of events per second that QRadar ingests. If your data source exceeds the EPS throttle, data collection is delayed. Data is still collected and then it is ingested when the data source stops exceeding the EPS throttle. The valid range is 100 to 5000. |
Processor |
From the list, select NONE. Processors allow event file archives to be expanded and processed for their events. Files are processed after they are downloaded. QRadar can process files in zip, gzip, tar, or tar+gzip archive format. |
Ignore Previously Processed File(s) |
Select this check box to track and ignore files that are already processed. QRadar examines the log files in the remote directory to determine whether the event log was processed by the log source. If a previously processed file is detected, the log source does not download the file. Only new or unprocessed event log files are downloaded by QRadar. This option applies to FTP and SFTP service types. |
Change Local Directory? |
Select this check box to define a local directory on your QRadar appliance to store event log files during processing. In most scenarios, you can leave this check box not selected. When this check box is selected, the Local Directory field is displayed. You can configure a local directory to temporarily store event log files. After the event log is processed, the events added to QRadar and event logs in the local directory are deleted. |
Event Generator |
From the Event Generator list, select LineByLine. The Event Generator applies extra processing to the retrieved event files. Each line of the file is a single event. For example, if a file has 10 lines of text, 10 separate events are created. |