OpenStack

IBM QRadar DSM for OpenStack 从 OpenStack 设备收集事件日志。

下表标识了 OpenStack DSM 的规范:

表 1. OpenStack DSM 规范
规范	值
制造商	OpenStack
DSM 名称	OpenStack
RPM 文件名	DSM-OpenStackCeilometer-`QRadar_version-build_number`.noarch.rpm
受支持的版本	V2015.1
协议	HTTP
记录的事件类型	审计事件
自动发现?	否
包含身份?	否
是否包含定制属性?	否
更多信息	OpenStack Web 站点 (http://www.openstack.org/)

要将事件从 OpenStack 发送到 QRadar，请完成以下步骤:

如果未启用自动更新，请从 IBM® 支持网站下载下列 RPM 的最新版本并安装到 QRadar Console 上：
- PROTOCOL-HTTP接收方 RPM
- OpenStack DSM RPM

在 QRadar 控制台上添加 OpenStack 日志源。下表描述了收集 OpenStack 事件所需的参数:

表 2. OpenStack 日志源参数
参数	值
日志源类型	OpenStack
日志源标识	OpenStack 服务器的 IP 地址，而不是主机名。
协议配置	HTTPReceiver
通信类型	HTTP
侦听端口	OpenStack 用于与 QRadar通信的端口号。重要信息: 请勿使用端口 514。端口 514 由标准 Syslog 侦听器使用。
消息模式	`^\{"typeURI`

配置 OpenStack 设备以与 QRadar进行通信。

下表提供了 OpenStack DSM 的样本事件消息:

重要信息: 由于格式化问题，请将消息格式粘贴到文本编辑器中，然后除去任何回车符或换行符。

事件名称低级类别样本日志消息

列出所有服务器的详细信息

已尝试读取活动

表 3. OpenStack 设备支持的 OpenStack 样本消息
事件名称	低级类别	样本日志消息
列出所有服务器的详细信息	已尝试读取活动	{"typeURI": "http://schemas.dmtf.org/cloud/audit/1.0/event", "eventTime": "2014-12-09T00:18:52.063878+0000", "target": {"typeURI": "service/compute/servers/detail", "id": "openstack:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", "name": "nova", "addresses": [{"url": "http://<IP_address>:8774/v2/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", "name": "admin"}, {"url": "http://<IP_address>:8774/v2/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", "name": "private"}, {"url": "http://<IP_address>:8774/v2/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", "name": "public"}]}, "observer": {"id": "target"}, "tags": ["correlation_id?value=openstack:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"], "eventType": "activity", "initiator": {"typeURI": "service/security/account/user", "name": "admin", "credential": {"token": "xxxx xxxxxxxx xxxx", "identity_status": "Confirmed"}, "host": {"agent": "python-novaclient", "address": "<IP_address>"}, "project_id": "openstack:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", "id": "openstack:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"}, "action": "read/list", "outcome": "pending", "id": "openstack:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",

 {"typeURI": "http://schemas.dmtf.org/cloud/audit/1.0/event", "eventTime": "2014-12-09T00:18:52.063878+0000", "target": {"typeURI": "service/compute/servers/detail", "id": "openstack:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", "name": "nova", "addresses": [{"url": "http://<IP_address>:8774/v2/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", "name": "admin"}, {"url": "http://<IP_address>:8774/v2/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", "name": "private"}, {"url": "http://<IP_address>:8774/v2/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", "name": "public"}]}, "observer": {"id": "target"}, "tags": ["correlation_id?value=openstack:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"], "eventType": "activity", "initiator": {"typeURI": "service/security/account/user", "name": "admin", "credential": {"token": "xxxx xxxxxxxx xxxx", "identity_status": "Confirmed"}, "host": {"agent": "python-novaclient", "address": "<IP_address>"}, "project_id": "openstack:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", "id": "openstack:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"}, "action": "read/list", "outcome": "pending", "id": "openstack:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",