Question & Answer
Question
How do I send CADF events from my OpenStack implementation to QRadar?
Cause
Answer
OpenStack is an open source platform for cloud computing, usually deployed as infrastructure as a service (IaaS) to control pools of compute, storage, and network resources.
OpenStack can send CADF events to QRadar using the Ceilometer audit collector component.
Ceilometer is the OpenStack component that collects measurements and events from the other OpenStack services for monitoring and metering.
As of the Kilo version of OpenStack, the component can monitor and send events from various OpenStack services.
These are:
- Keystone, an OpenStack project that provides Identity, Token, Catalog, and Policy services for use specifically by projects in the OpenStack family.
- Neutron, an OpenStack project that provides networking as a service between interface devices, such as vNICs, managed by other OpenStack services, for example Nova.
- Swift, a highly available, distributed, eventually consistent object/blob store.
- Cinder, the OpenStack Block Storage project, the block-based storage component of the OpenStack platform.
- Glance, a project which provides a service where users can upload and discover data assets that are meant to be used with other services.
- Trove, a Database as a Service for OpenStack.
Make sure the Ceilometer you are running is from the Kilo release or later. Our guides for configuring Ceilometer to send events to QRadar are:
- Configuring OpenStack to communicate with QRadar
- QRadar’s New Audit and Security Incident Event Monitoring for OpenStack
To send audit logs from other OpenStack services, configure each of those services to send its events to Ceilometer; Ceilometer then forwards them to QRadar.
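The events that travel along this path are CADF (Cloud Auditing Data Federation) records. The following is an added example, not IBM, OpenStack or Ceilometer code, that sanity-checks a CADF event before it is forwarded to a SIEM and produces the one-line summary an analyst triages first. The required field names follow the DMTF CADF specification; the sample event, its identifiers and addresses are constructed, and the timestamp format is an assumption based on the form the OpenStack audit middleware writes.

```python
# Added example (not IBM, OpenStack or Ceilometer code): sanity-check a CADF
# audit event before it is forwarded to a SIEM such as QRadar. Field names
# follow the DMTF CADF specification; the sample event below is constructed.
from datetime import datetime

REQUIRED_TOP_LEVEL = ("typeURI", "eventType", "id", "eventTime",
                      "action", "outcome", "initiator", "target", "observer")
REQUIRED_RESOURCE = ("id", "typeURI")          # minimum for initiator/target/observer
VALID_EVENT_TYPES = {"activity", "monitor", "control"}
VALID_OUTCOMES = {"success", "failure", "pending", "unknown"}
# Assumption: eventTime is written as e.g. 2018-06-16T12:00:00.000000+0000,
# the form the OpenStack audit middleware emits.
EVENT_TIME_FORMAT = "%Y-%m-%dT%H:%M:%S.%f%z"

# Constructed sample modelled on a Keystone authentication event (hypothetical IDs).
SAMPLE_EVENT = {
    "typeURI": "http://schemas.dmtf.org/cloud/audit/1.0/event",
    "eventType": "activity",
    "id": "openstack:2b3c5c20-0000-4000-8000-000000000001",
    "eventTime": "2018-06-16T12:00:00.000000+0000",
    "action": "authenticate",
    "outcome": "success",
    "initiator": {"typeURI": "service/security/account/user",
                  "id": "openstack:user-0001",
                  "host": {"address": "192.0.2.10", "agent": "python-keystoneclient"}},
    "target": {"typeURI": "service/security/account/user",
               "id": "openstack:identity-0001"},
    "observer": {"typeURI": "service/security",
                 "id": "openstack:keystone-0001"},
}


def validate_cadf_event(event):
    """Return a list of problems found; an empty list means the event is well-formed."""
    problems = []
    if not isinstance(event, dict):
        return ["event is not a JSON object"]
    for key in REQUIRED_TOP_LEVEL:
        if key not in event:
            problems.append(f"missing field: {key}")
    if problems:
        return problems  # nothing deeper can be checked reliably
    if event["eventType"] not in VALID_EVENT_TYPES:
        problems.append(f"unknown eventType: {event['eventType']!r}")
    if event["outcome"] not in VALID_OUTCOMES:
        problems.append(f"unknown outcome: {event['outcome']!r}")
    for role in ("initiator", "target", "observer"):
        resource = event[role]
        if not isinstance(resource, dict):
            problems.append(f"{role} is not an object")
            continue
        for key in REQUIRED_RESOURCE:
            if key not in resource:
                problems.append(f"{role} is missing {key}")
    try:
        datetime.strptime(event["eventTime"], EVENT_TIME_FORMAT)
    except ValueError:
        problems.append(f"eventTime not in expected format: {event['eventTime']!r}")
    return problems


def summarize_for_siem(event):
    """One-line summary of a valid event: who did what, to what, with which outcome."""
    initiator_host = event["initiator"].get("host", {}).get("address", "-")
    return (f"{event['eventTime']} {event['action']} {event['outcome']} "
            f"initiator={event['initiator']['id']} from={initiator_host} "
            f"target={event['target']['id']} observer={event['observer']['id']}")


if __name__ == "__main__":
    issues = validate_cadf_event(SAMPLE_EVENT)
    print("OK:" if not issues else "REJECTED:", issues or summarize_for_siem(SAMPLE_EVENT))
```

Running the file validates the constructed sample and prints its summary; feeding it an event with a missing `outcome`, an unknown outcome value or a malformed `eventTime` returns the corresponding problem strings instead. Rejecting malformed events at this stage keeps the SIEM from ingesting records it cannot parse and makes gaps in a service's audit configuration visible early.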
Where do you find more information?
Document Information
Modified date:
16 June 2018
UID
swg21971027