Configuring Imperva Incapsula to communicate with QRadar

To collect events from Imperva Incapsula, a Python script is required. The script runs on an intermediary server, downloads the log files from the Incapsula cloud, and forwards them to QRadar by syslog.

The script, configuration files, and instructions can be obtained from the GitHub website (https://github.com/imperva/incapsula-logs-downloader).

Procedure

  1. Install the script dependencies on an intermediary server (not the QRadar host itself) by using a package manager such as apt-get or pip. Depending on your operating system, the following dependencies might require additional modules:
    • M2Crypto
    • loggerglue
    • crypto.cipher
  2. Prepare the script configuration.
    1. Create a new local directory or use the default directory to store the script configuration file, Settings.Config. The default directory is /etc/incapsula/logs/config. A template Settings.Config is in the GitHub repository (https://github.com/imperva/incapsula-logs-downloader).
    2. Configure the parameter values for the Settings.Config configuration file.
      Table 1. Parameter values for the Settings.Config configuration file

      APIID
        Your API ID.

      APIKEY
        Your API key. Because Settings.Config holds this credential in plain text, make the file readable only by the account that runs the script (for example, chmod 600).

      SAVE_LOCALLY
        A YES or NO value that tells the script whether to keep the downloaded log files after they are processed. When set to NO, the files are deleted after processing. The default is YES.

      PROCESS_DIR
        The directory where the script saves the logs after extracting them. The default is /tmp/processed/

      BASEURL
        The URL of your logs repository in the Incapsula cloud. This URL is displayed in the Incapsula Administration Console Settings window as the Log Server URL field.

      USEPROXY
        Specify YES to download the files through a proxy. The default is NO.

      PROXYSERVER
        If USEPROXY is YES, the proxy URL, in the format https://1.1.1.1:8080

      SYSLOG_ENABLE
        Set to YES. A YES or NO value that tells the script whether to forward the log files by using syslog. The default is YES.

      SYSLOG_ADDRESS
        The IP address of the QRadar host that receives the syslog events.

      SYSLOG_PORT
        514

      USE_CUSTOM_CA_FILE
        Set to YES if the certificate that the Incapsula log server presents is not issued by a CA in your operating system's trusted bundle. The default is NO.

      CUSTOM_CA_FILE
        If USE_CUSTOM_CA_FILE is YES, the file path of the CA certificate file to trust.
  3. Run the following command to start the LogsDownloader script and retrieve logs:
    python LogsDownloader.py -c <path_to_config_folder> -l <path_to_system_logs_folder> -v <system_logs_level>

    The -c, -l, and -v parameters are optional. If you omit them, the script uses the default values in the following table:

    Table 2. LogsDownloader.py parameter values

    <path_to_config_folder>
      The folder that contains Settings.Config. The default is /etc/incapsula/logs/config

    <path_to_system_logs_folder>
      The folder where the LogsDownloader.py script writes its own output log. This parameter does not refer to your Incapsula logs. The default is /var/log/incapsula/logsDownloader/

    <system_logs_level>
      The logging level for the script output log. Supported values are info, debug, and error. The default is info.

    Note:
    • If the SAVE_LOCALLY parameter is set to YES, the downloaded log files can be found in the PROCESS_DIR directory.
    • After the files are downloaded, the script saves the name of the last file it collects as LastKnownDownloadedFileId.txt in the <path_to_config_folder> directory. If you want to collect all of the historical logs, you must delete this file.
    • For more information about setting up an intermediary server, see Imperva Incapsula's Web Protection - Log Integration (https://docs.imperva.com/bundle/cloud-application-security/page/settings/log-integration.htm).
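Because a wrong value in Settings.Config (an empty API key, an http:// base URL, a proxy without a scheme, a syslog port out of range) only shows up after the script is already running on the intermediary server, it is worth checking the file before step 3. The following Python is an added example and is not part of the LogsDownloader repository or of the QRadar documentation. It assumes the file is INI-style with a [SETTINGS] header holding the KEY=VALUE pairs from Table 1 (a bare KEY=VALUE file is accepted too); the sample configurations and the https-only rule for BASEURL are this example's own, and the permission check reflects the fact that the file holds the API key.

```python
"""Check an Incapsula LogsDownloader Settings.Config before the first run (added example)."""
import configparser
import os
import re
import stat

# Key names taken from Table 1 of the documentation.
REQUIRED_KEYS = ("APIID", "APIKEY", "BASEURL", "PROCESS_DIR")
YES_NO_KEYS = ("SAVE_LOCALLY", "USEPROXY", "SYSLOG_ENABLE", "USE_CUSTOM_CA_FILE")
URL_RE = re.compile(r"https?://\S+")


def parse_settings(text):
    """Return the [SETTINGS] section as a dict keyed by upper-cased parameter name.

    Assumption: the file is INI-style with a [SETTINGS] header; a header-less
    KEY=VALUE file is accepted by prepending the header.
    """
    if not re.search(r"^\s*\[SETTINGS\]", text, re.MULTILINE):
        text = "[SETTINGS]\n" + text
    parser = configparser.RawConfigParser()
    parser.optionxform = str  # do not lower-case the keys
    parser.read_string(text)
    return {key.upper(): value.strip() for key, value in parser.items("SETTINGS")}


def validate_settings(settings):
    """Return a list of problems; an empty list means the config is usable."""
    problems = []
    for key in REQUIRED_KEYS:
        if not settings.get(key):
            problems.append(f"{key} is empty or missing")
    for key in YES_NO_KEYS:
        if settings.get(key, "").upper() not in ("YES", "NO"):
            problems.append(f"{key} must be YES or NO, got {settings.get(key)!r}")
    # The API key is sent with every download request, so insist on TLS for the log server.
    if not settings.get("BASEURL", "").startswith("https://"):
        problems.append("BASEURL must be an https:// URL")
    if settings.get("USEPROXY", "").upper() == "YES":
        if not URL_RE.fullmatch(settings.get("PROXYSERVER", "")):
            problems.append("PROXYSERVER must be a URL such as https://1.1.1.1:8080 when USEPROXY=YES")
    if settings.get("SYSLOG_ENABLE", "").upper() == "YES":
        if not settings.get("SYSLOG_ADDRESS"):
            problems.append("SYSLOG_ADDRESS is required when SYSLOG_ENABLE=YES")
        port = settings.get("SYSLOG_PORT", "")
        if not port.isdigit() or not 1 <= int(port) <= 65535:
            problems.append(f"SYSLOG_PORT must be 1-65535, got {port!r}")
    if settings.get("USE_CUSTOM_CA_FILE", "").upper() == "YES" and not settings.get("CUSTOM_CA_FILE"):
        problems.append("CUSTOM_CA_FILE is required when USE_CUSTOM_CA_FILE=YES")
    return problems


def permission_problems(mode, path):
    """Flag a config file that group or others can access: it contains the API key."""
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        return [f"{path} has mode {mode:o}; use chmod 600 so only the owner can read the API key"]
    return []


def check_config_file(path):
    """Validate an on-disk Settings.Config: file permissions plus parameter values."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    with open(path, encoding="utf-8") as handle:
        settings = parse_settings(handle.read())
    return permission_problems(mode, path) + validate_settings(settings)


# Constructed samples (not from the repository). BAD_CONFIG has one fault per check.
BAD_CONFIG = """[SETTINGS]
APIID=12345
APIKEY=
SAVE_LOCALLY=YES
PROCESS_DIR=/tmp/processed/
BASEURL=http://logs.example.invalid/account/
USEPROXY=YES
PROXYSERVER=1.1.1.1:8080
SYSLOG_ENABLE=YES
SYSLOG_ADDRESS=
SYSLOG_PORT=70000
USE_CUSTOM_CA_FILE=maybe
CUSTOM_CA_FILE=
"""

GOOD_CONFIG = """[SETTINGS]
APIID=12345
APIKEY=example-key-not-real
SAVE_LOCALLY=NO
PROCESS_DIR=/tmp/processed/
BASEURL=https://logs.example.invalid/account/
USEPROXY=NO
PROXYSERVER=
SYSLOG_ENABLE=YES
SYSLOG_ADDRESS=10.0.0.5
SYSLOG_PORT=514
USE_CUSTOM_CA_FILE=NO
CUSTOM_CA_FILE=
"""

if __name__ == "__main__":
    for problem in validate_settings(parse_settings(BAD_CONFIG)):
        print("-", problem)
```

Run `check_config_file("/etc/incapsula/logs/config/Settings.Config")` on the intermediary server and fix every reported item before starting LogsDownloader.py; the permission check is the one most often missed, because the script itself runs fine with a world-readable key.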