Checking the integrity of event and flow logs

When log hashing is enabled, any system that writes event and flow data creates hash files. Use these hash files to verify that the event and flow logs were not modified since they were originally written to disk.

The hash files are generated in memory before the files are written to disk, so the event and flow logs cannot be tampered with before the hash files are generated.

Before you begin

Ensure that log hashing is enabled for your IBM QRadar system. For more information about enabling log hashing, see Enabling log hashing.

About this task

You must log in to the system that has the data storage for events and flows, and run a utility to check the logs. You cannot check the log integrity in the event and flow viewer interface.

Procedure

  1. Use SSH to log in to QRadar as the root user.
  2. To run the utility, type the following command:
    /opt/qradar/bin/check_ariel_integrity.sh -d <duration> -n <database name> [-t <endtime>] [-a <hash algorithm>] [-r <hash root directory>] [-k <hmac key>]

    This table describes the parameters that are used with the check_ariel_integrity.sh utility.

    Table 1. Parameters for the check_ariel_integrity.sh utility
    Parameter Description
    -d Duration of time, in minutes, of the log file data to scan. The time period immediately precedes the end time that is specified with the -t parameter. For example, if -d 5 is entered, all log data that was collected in the five minutes before the -t end time is scanned.
    -n The QRadar database to scan. Valid options are events and flows.
    -t The end time for the scan. The format for the end time is "yyyy/mm/dd hh:mm" where hh is specified in 24-hour format. If no end time is entered, the current time is used.
    -a Hashing algorithm to use. This algorithm must be the same one that was used to create the hash files. If no algorithm is entered, SHA-1 is used.
    -r The location of the log hashing. This argument is required only when the log hashing is not in the location that is specified in the configuration file, /opt/qradar/conf/arielConfig.xml.
    -k The key that is used for the Hash-based Message Authentication Code (HMAC). If you do not specify an HMAC key and HMAC is enabled on your system, the check_ariel_integrity.sh script defaults to the key that is specified in the system settings.
    -h Shows the help message for the check_ariel_integrity.sh utility.
    For example, to validate the last 10 minutes of event data, type the following command:
    /opt/qradar/bin/check_ariel_integrity.sh -n events -d 10

Results

If an ERROR or FAILED message is returned, the hash that is generated from the current data on the disk does not match the hash that was created when the data was written to the disk. Either the key or the data was modified.
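The following script is an added illustration of the mechanism this page describes, not QRadar code: it does not reproduce the real hash-file format that check_ariel_integrity.sh reads, and the directory layout, file names, key and log lines are all constructed for the demo. It writes an HMAC beside each log file at the moment the log is committed (the writer's side), then recomputes and compares later (the verifier's side), so that appending a line to a log, or checking with a different key, produces the same FAILED result the Results section describes.

```shell
#!/bin/sh
# Added illustration of per-file hash files for log integrity checking.
# Not QRadar code; the hash-file format, names and key below are constructed.
set -u

# ALG mirrors the -a option: the verifier must use the algorithm that produced
# the hash files (the page's utility defaults to SHA-1; this demo uses SHA-256).
ALG="${ALG:-sha256}"

# hmac_of FILE KEY: print the hex HMAC of FILE under KEY (mirrors the -k option)
hmac_of() {
    openssl dgst "-$ALG" -hmac "$2" < "$1" | awk '{print $NF}'
}

# write_hash_file LOGFILE KEY: record the HMAC beside the log, as a writer
# would at the moment the log is committed to disk
write_hash_file() {
    hmac_of "$1" "$2" > "$1.hmac"
}

# verify_log LOGFILE KEY: recompute and compare; returns 0 on match, 1 otherwise
verify_log() {
    stored=$(cat "$1.hmac" 2>/dev/null) || { echo "ERROR   $1: no hash file"; return 1; }
    current=$(hmac_of "$1" "$2")
    if [ "$stored" = "$current" ]; then
        echo "OK      $1"
        return 0
    fi
    # A mismatch means either the data or the key changed; the check alone
    # cannot tell which, exactly as the Results section states.
    echo "FAILED  $1"
    return 1
}

# verify_dir DIR KEY: check every *.log in DIR; returns 1 if any file fails
verify_dir() {
    rc=0
    for f in "$1"/*.log; do
        verify_log "$f" "$2" || rc=1
    done
    return $rc
}

# demo: hash two constructed log files, then tamper with one of them
demo() {
    dir=$(mktemp -d)
    key="constructed-demo-key"
    printf 'event 1 login ok\nevent 2 login ok\n' > "$dir/events_0001.log"
    printf 'flow 1 10.0.0.5 -> 10.0.0.9\n' > "$dir/flows_0001.log"
    for f in "$dir"/*.log; do write_hash_file "$f" "$key"; done

    echo "--- untouched logs"
    verify_dir "$dir" "$key"

    echo "--- after appending a line to one log"
    printf 'event 3 appended later\n' >> "$dir/events_0001.log"
    verify_dir "$dir" "$key" || echo "integrity check FAILED (expected in this demo)"

    echo "--- untouched log checked with the wrong key"
    verify_log "$dir/flows_0001.log" "some-other-key" || echo "wrong key also fails"
    rm -rf "$dir"
}

demo
```

The same ambiguity applies to the real utility: a FAILED result with -k supplied on the command line is only meaningful if that key matches the one the system was using when the data was written, so confirm the configured key and algorithm before treating the result as evidence of modified data.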