Configuring event properties for authorization events
You must manually configure IBM QRadar to interpret the incoming generic authorization events:
Procedure
-
Forward all authentication server logs to your QRadar system.
For information about forwarding authentication server logs to QRadar, see the vendor documentation for your authorization server.
-
Open the following file:
/opt/qradar/conf/genericAuthServer.conf
The file must be present on the QRadar Console and on every system that hosts an Event Collector, so copy the edited file to each of those systems.
-
Restart the Tomcat server so that the configuration file is reloaded:
service tomcat restart
A message is displayed indicating that the Tomcat server is restarted. Changes to genericAuthServer.conf do not take effect until Tomcat is restarted, so repeat this restart after you finish editing the file in the following steps.
-
Enable or disable regular expressions in your patterns by setting the regex_enabled property. By default, regular expressions are disabled:
regex_enabled=false
When regex_enabled is false, each pattern value is a literal tag. QRadar generates the regular expressions itself from the tags you enter and uses them to retrieve the corresponding data values from the logs.
When regex_enabled is true, you define custom regular expressions to control the patterns. Each expression is applied directly to the log message and the first captured group is returned as the value. Custom patterns must follow the regular expression rules of the Java™ programming language. For more information, see http://download.oracle.com/javase/tutorial/essential/regex/.
When you integrate the generic authorization server with QRadar, specify character classes explicitly instead of using the predefined classes; for example, write the digit class \d as [0-9]. Likewise, use the primitive quantifiers ?, * and + rather than numeric quantifiers such as {1,3}.
-
Add the following lines to the genericAuthServer.conf file:
login_success_pattern=<login success pattern>
login_failed_pattern=<login failure pattern>
logout_pattern=<logout pattern>
source_ip_pattern=<source IP pattern>
source_port_pattern=<source port pattern>
user_name_pattern=<user name pattern>
The following table provides examples of values that you can use for each pattern.
Pattern                Example value       Example log message that the value matches
login_success_pattern  Accepted password   Jun 27 12:11:21 expo sshd[19926]: Accepted password for root from <IP_address> port 1727 ssh2
login_failed_pattern   Failed password     Jun 27 12:58:33 expo sshd[20627]: Failed password for root from <IP_address> port 1849 ssh2
logout_pattern         session closed      Jun 27 13:00:01 expo su(<Username>)[22723]: session closed for user genuser
source_ip_pattern      from                Jun 27 12:11:21 expo sshd[19926]: Accepted password for root from <IP_address> port 1727 ssh2
source_port_pattern    port                Jun 27 12:11:21 expo sshd[19926]: Accepted password for root from <IP_address> port 1727 ssh2
user_name_pattern      for                 Jun 27 12:11:21 expo sshd[19926]: Accepted password for root from <IP_address> port 1727 ssh2
The login_success_pattern, login_failed_pattern and logout_pattern values decide the type of event; the source_ip_pattern, source_port_pattern and user_name_pattern values name the word that precedes the value to extract (for example, the source IP address is the value that follows from).
Tip: All entries are case-insensitive.
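The following Python script is an added worked example for the regex_enabled step and the pattern table above; it is not part of the IBM documentation and not QRadar's own parsing code. It embeds two constructed genericAuthServer.conf variants (the tag-mode one uses exactly the table's example values; the custom-regex one uses illustrative patterns written with explicit classes and primitive quantifiers, as the page requires) and applies them to constructed sshd and su log lines (192.0.2.x addresses and su(pam_unix) replace the placeholders). Because the page does not state how QRadar builds regular expressions from tags, tag mode is emulated here as "the literal tag, case-insensitive, followed by the next whitespace-delimited token", and Python's re module stands in for the Java engine QRadar uses, so the example patterns use only syntax common to both. The portability_warnings function is an added check that flags \d-style classes and {n,m} quantifiers in a custom pattern.

```python
import re
from typing import Dict, List, Optional

# Constructed genericAuthServer.conf, tag mode: the example values from the table above.
CONF_TAG_MODE = """
regex_enabled=false
login_success_pattern=Accepted password
login_failed_pattern=Failed password
logout_pattern=session closed
source_ip_pattern=from
source_port_pattern=port
user_name_pattern=for
"""

# Constructed genericAuthServer.conf, custom-regex mode. These patterns are illustrative
# assumptions, not patterns shipped with QRadar. They follow the page's rules: explicit
# classes ([0-9], not \d), primitive quantifiers (+ ? *), value in the first capture group.
CONF_REGEX_MODE = """
regex_enabled=true
login_success_pattern=Accepted (?:password|publickey) for
login_failed_pattern=Failed password for
logout_pattern=session closed for user
source_ip_pattern=from ([0-9][0-9.]*)
source_port_pattern=port ([0-9]+)
user_name_pattern=for (?:user )?([A-Za-z0-9_.-]+)
"""

# Constructed sample log lines based on the table; 192.0.2.x addresses and su(pam_unix)
# replace the placeholders. The last line is not an authorization event and must be ignored.
LOG_LINES = [
    "Jun 27 12:11:21 expo sshd[19926]: Accepted password for root from 192.0.2.10 port 1727 ssh2",
    "Jun 27 12:58:33 expo sshd[20627]: Failed password for root from 192.0.2.10 port 1849 ssh2",
    "Jun 27 13:00:01 expo su(pam_unix)[22723]: session closed for user genuser",
    "Jun 27 13:05:44 expo sshd[20801]: Connection closed by 192.0.2.11 port 5022 [preauth]",
]

# Patterns that decide the event type versus patterns that extract a field.
EVENT_PATTERNS = {"login_success_pattern": "login_success",
                  "login_failed_pattern": "login_failed", "logout_pattern": "logout"}
FIELD_PATTERNS = {"source_ip_pattern": "source_ip",
                  "source_port_pattern": "source_port", "user_name_pattern": "user_name"}


def parse_conf(text: str) -> Dict[str, str]:
    """Parse key=value lines, skipping blanks and '#' comments; only the first '='
    splits, so an '=' inside a regex survives."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props


def compile_pattern(value: str, regex_enabled: bool, extracts_field: bool) -> "re.Pattern[str]":
    """regex_enabled=true: use the value as written (Java on QRadar, Python re here).
    regex_enabled=false: ASSUMED tag behaviour, since the page does not spell it out:
    a case-insensitive literal tag and, for field patterns, the next whitespace-delimited
    token after it."""
    if regex_enabled:
        return re.compile(value, re.IGNORECASE)
    literal = re.escape(value) + (r"\s+(\S+)" if extracts_field else "")
    return re.compile(literal, re.IGNORECASE)


def classify(line: str, props: Dict[str, str]) -> Optional[Dict[str, Optional[str]]]:
    """Return event type plus extracted fields, or None when no login/logout pattern matches."""
    regex_enabled = props.get("regex_enabled", "false").lower() == "true"
    event: Dict[str, Optional[str]] = {}
    for key, name in EVENT_PATTERNS.items():
        if key in props and compile_pattern(props[key], regex_enabled, False).search(line):
            event["event_type"] = name
            break
    if not event:
        return None
    for key, name in FIELD_PATTERNS.items():
        m = compile_pattern(props[key], regex_enabled, True).search(line) if key in props else None
        # The first captured group is the value; no match or no group yields None.
        event[name] = m.group(1) if m and m.groups() else None
    return event


def process(conf_text: str, lines: List[str]) -> List[Optional[Dict[str, Optional[str]]]]:
    props = parse_conf(conf_text)
    return [classify(line, props) for line in lines]


PREDEFINED_CLASS = re.compile(r"\\[dDwWsS]")
NUMERIC_QUANTIFIER = re.compile(r"\{[0-9]+(?:,[0-9]*)?\}")


def portability_warnings(pattern: str) -> List[str]:
    """Lint a custom pattern against the page's rules: flag predefined classes such as
    \\d (write [0-9]) and numeric quantifiers such as {1,3} (write ?, * or +)."""
    found = [(m.start(), f"predefined class {m.group()}") for m in PREDEFINED_CLASS.finditer(pattern)]
    found += [(m.start(), f"numeric quantifier {m.group()}") for m in NUMERIC_QUANTIFIER.finditer(pattern)]
    return [f"{what} at offset {pos}" for pos, what in sorted(found)]


if __name__ == "__main__":
    for label, conf in (("tag mode", CONF_TAG_MODE), ("regex mode", CONF_REGEX_MODE)):
        print(f"== {label} ==")
        for line, result in zip(LOG_LINES, process(conf, LOG_LINES)):
            print(f"{line[16:44]:<28} -> {result}")
    print(portability_warnings(r"port (\d{1,5})"))
```

Running the script prints both modes side by side. In tag mode the su logout line yields user_name "user", because the literal tag for is followed by the word user rather than the account name; that is the kind of message for which regex_enabled=true and a custom pattern such as the one above are needed. Run portability_warnings over each custom pattern value before you restart Tomcat.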