Configuring event properties for authorization events

You must manually configure IBM QRadar to interpret the incoming generic authorization events:

Procedure

  1. Forward all authentication server logs to your QRadar system.

    For information about forwarding authentication server logs to QRadar, see the vendor documentation for your authorized server.

  2. Open the following file:

    /opt/QRadar/conf/genericAuthServer.conf

    Make sure you copy this file to systems that host the Event Collector and the QRadar Console.

  3. Restart the Tomcat server:

    service tomcat restart

    A message is displayed indicating that the Tomcat server is restarted.

  4. Enable or disable regular expressions in your patterns by setting the regex_enabled property. By default, regular expressions are disabled.
    For example:

    regex_enabled=false

    When you set the regex_enabled property to false, the system generates regular expressions (regex) based on the tags you entered when you try to retrieve the corresponding data values from the logs.

    When you set the regex_enabled property to true, you can define custom regex to control patterns. These regex configurations are applied directly to the logs and the first captured group is returned. When you define custom regex patterns, you must adhere to regex rules, as defined by the Java™ programming language. For more information, see http://download.oracle.com/javase/tutorial/essential/regex/.

    To integrate the generic authorization server with QRadar, make sure that you specify the classes directly instead of using the predefined classes. For example, the digit class (/\d/) becomes /[0-9]/. Rewrite the expression to use the primitive qualifiers (/?/,/*/ and /+/) rather than using numeric qualifiers.

  5. Add the following lines to the genericAuthServer.conf file:
    login_success_pattern=<login success pattern>
    login_failed_pattern=<login failure pattern>
    logout_pattern=<logout pattern>
    source_ip_pattern=<source IP pattern>
    source_port_pattern=<source port pattern>
    user_name_pattern=<for pattern>

    The following table provides examples of values that you can use for each pattern.

    Pattern Value Example
    login_success=<login success pattern> Accepted password

    The following log message shows login_success_pattern=Accepted password:

    Jun 27 12:11:21 expo sshd[19926]: Accepted password for root from <IP_address> port 1727 ssh2

    login_failed_pattern=<login failure pattern> Failed password

    The following log message shows login_failed_pattern=Failed password:

    Jun 27 12:58:33 expo sshd[20627]: Failed password for root from <IP_address> port 1849 ssh2
    logout_pattern=<logout pattern> session closed

    The following log message shows logout_pattern=session closed:

    Jun 27 13:00:01 expo su(<Username>)[22723]: session closed for user genuser
    source_ip_pattern=<source IP pattern> from

    The following log message shows source_ip_pattern=from:

    Jun 27 12:11:21 expo sshd[19926]: Accepted password for root from <IP_address> port 1727 ssh2
    source_port_pattern=<source port pattern> port

    The following log message shows source_port_pattern=port:

    Jun 27 12:11:21 expo sshd[19926]: Accepted password for root from <IP_address> port 1727 ssh2
    user_name_pattern=<for pattern> for

    The following log message shows user_name_pattern=for:

    Jun 27 12:11:21 expo sshd[19926]: Accepted password for root from <IP_address> port 1727 ssh2
    Tip: All entries are case-insensitive.

What to do next

You are now ready to configure the log source in QRadar.