OpenStack

IBM® QRadar® DSM for OpenStack 從 OpenStack 裝置收集事件日誌。

下表識別 OpenStack DSM 的規格:

表 1. OpenStack DSM 規格
規格	值
製造商	OpenStack
DSM 名稱	OpenStack
RPM 檔名	DSM-OpenStackCeilometer-`QRadar_version-build_number`.noarch.rpm
支援的版本	V2015.1
通訊協定	HTTP 接收端
記錄的事件類型	審核事件
自動探索到?	否
包括身分?	否
包括自訂內容?	否
其他資訊	OpenStack 網站 (http://www.openstack.org/)

若要將事件從 OpenStack 傳送至 QRadar，請完成下列步驟:

如果未啟用自動更新項目，請從 IBM 支援中心網站下載下列 RPM 的最新版本並安裝至 QRadar Console:
- PROTOCOL-HTTPReceiver RPM
- OpenStack DSM RPM

在 QRadar 主控台上新增 OpenStack 日誌來源。下表說明收集 OpenStack 事件所需的參數:

表 2. OpenStack 日誌來源參數
參數	值
日誌來源類型	OpenStack
日誌來源 ID	OpenStack 伺服器的 IP 位址，而不是主機名稱。
通訊協定配置	HTTPReceiver
通訊類型	HTTP
接收埠	OpenStack 用來與 QRadar通訊的埠號。重要事項: 請勿使用埠 514。埠 514 由標準 Syslog 接聽器使用。
訊息型樣	`^\{"typeURI`

配置 OpenStack 裝置以與 QRadar通訊。

下表提供 OpenStack DSM 的範例事件訊息:

重要事項: 由於格式化問題，請將訊息格式貼到文字編輯器中，然後移除任何換行字元。

事件名稱低層次種類日誌訊息範例

列出所有伺服器的詳細資料

讀取活動已嘗試

表 3. OpenStack OpenStack 裝置支援的範例訊息
事件名稱	低層次種類	日誌訊息範例
列出所有伺服器的詳細資料	讀取活動已嘗試	{"typeURI": "http://schemas.dmtf.org/cloud/audit/1.0/event", "eventTime": "2014-12-09T00:18:52.063878+0000", "target": {"typeURI": "service/compute/servers/detail", "id": "openstack:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", "name": "nova", "addresses": [{"url": "http://<IP_address>:8774/v2/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", "name": "admin"}, {"url": "http://<IP_address>:8774/v2/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", "name": "private"}, {"url": "http://<IP_address>:8774/v2/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", "name": "public"}]}, "observer": {"id": "target"}, "tags": ["correlation_id?value=openstack:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"], "eventType": "activity", "initiator": {"typeURI": "service/security/account/user", "name": "admin", "credential": {"token": "xxxx xxxxxxxx xxxx", "identity_status": "Confirmed"}, "host": {"agent": "python-novaclient", "address": "<IP_address>"}, "project_id": "openstack:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", "id": "openstack:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"}, "action": "read/list", "outcome": "pending", "id": "openstack:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",

 {"typeURI": "http://schemas.dmtf.org/cloud/audit/1.0/event", "eventTime": "2014-12-09T00:18:52.063878+0000", "target": {"typeURI": "service/compute/servers/detail", "id": "openstack:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", "name": "nova", "addresses": [{"url": "http://<IP_address>:8774/v2/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", "name": "admin"}, {"url": "http://<IP_address>:8774/v2/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", "name": "private"}, {"url": "http://<IP_address>:8774/v2/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", "name": "public"}]}, "observer": {"id": "target"}, "tags": ["correlation_id?value=openstack:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"], "eventType": "activity", "initiator": {"typeURI": "service/security/account/user", "name": "admin", "credential": {"token": "xxxx xxxxxxxx xxxx", "identity_status": "Confirmed"}, "host": {"agent": "python-novaclient", "address": "<IP_address>"}, "project_id": "openstack:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", "id": "openstack:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"}, "action": "read/list", "outcome": "pending", "id": "openstack:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",