
QRadar: Sending OpenStack component audit logs to QRadar

Question & Answer


Question

How do I send CADF events from my OpenStack implementation to QRadar?

Answer

OpenStack is an open source cloud computing platform, usually deployed as infrastructure as a service (IaaS) to control pools of compute, storage, and network resources.

OpenStack can send CADF (Cloud Auditing Data Federation) events to QRadar by using the Ceilometer audit collector component.
Ceilometer is the OpenStack data collection service; it gathers measurements and notifications from OpenStack services for monitoring and metering.

As of the Kilo version of OpenStack, the component can monitor and send events from various OpenStack services.

These are:

  • Keystone, an OpenStack project that provides Identity, Token, Catalog, and Policy services for use specifically by projects in the OpenStack family.
  • Neutron, an OpenStack project that provides networking as a service between interface devices, such as vNICs, that are managed by other OpenStack services (for example, Nova).
  • Swift, a highly available, distributed, eventually consistent object/blob store.
  • Cinder, the open source project that develops OpenStack Block Storage, the block-based storage component of the OpenStack platform for cloud computing.
  • Glance, a project which provides a service where users can upload and discover data assets that are meant to be used with other services.
  • Trove, a Database as a Service for OpenStack.

Make sure that your Ceilometer is at version Kilo or later. Our guide to configuring Ceilometer to send events to QRadar is below:
Configuring OpenStack to communicate with QRadar

QRadar’s New Audit and Security Incident Event Monitoring for OpenStack

To send audit logs from other OpenStack services, you must configure those services to send their CADF events to Ceilometer.
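The following Python example is added here to show what a CADF event looks like and how a collector can validate one and normalize it into a LEEF line before it is forwarded to QRadar. It is not part of this IBM document, nor code from Ceilometer or from QRadar's OpenStack DSM. The sample event (modelled on the Keystone authentication notification shape), the vendor and product strings, and the LEEF attribute names are constructed assumptions for this illustration; QRadar's own DSM applies its own parsing.

```python
import json

# Constructed sample: the shape of a CADF 1.0 "activity" event as Keystone's
# audit middleware emits it for an authentication attempt. All values are
# illustrative; they are not taken from a real deployment.
SAMPLE_CADF_EVENT = json.dumps({
    "typeURI": "http://schemas.dmtf.org/cloud/audit/1.0/event",
    "eventType": "activity",
    "id": "11111111-2222-3333-4444-555555555555",
    "eventTime": "2018-06-16T10:15:30.123456+0000",
    "action": "authenticate",
    "outcome": "failure",
    "initiator": {
        "typeURI": "service/security/account/user",
        "id": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
        "name": "alice",
        "host": {"address": "198.51.100.23", "agent": "python-keystoneclient"},
    },
    "target": {
        "typeURI": "service/security/account/user",
        "id": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
        "name": "alice",
    },
    "observer": {"typeURI": "service/security", "id": "target"},
})

# Mandatory CADF event fields and the outcome taxonomy defined by DMTF CADF.
REQUIRED_FIELDS = ("typeURI", "eventType", "id", "eventTime", "action",
                   "outcome", "initiator", "target", "observer")
VALID_OUTCOMES = {"success", "failure", "pending", "unknown"}


def missing_cadf_fields(event):
    """Return the mandatory CADF fields absent from a decoded event dict."""
    return [field for field in REQUIRED_FIELDS if field not in event]


def parse_cadf_event(raw):
    """Decode a JSON CADF event and reject malformed ones before they reach the SIEM."""
    event = json.loads(raw)
    missing = missing_cadf_fields(event)
    if missing:
        raise ValueError("CADF event missing fields: " + ", ".join(missing))
    if event["outcome"] not in VALID_OUTCOMES:
        raise ValueError("unexpected CADF outcome: %r" % (event["outcome"],))
    return event


def is_failed_authentication(event):
    """True for the event a SIEM rule on failed OpenStack logins would match."""
    return event["action"] == "authenticate" and event["outcome"] == "failure"


def _leef_safe(value):
    """LEEF 1.0 separates attributes with tabs; strip control characters so a
    value taken from the event cannot split or terminate the record."""
    return str(value).replace("\t", " ").replace("\n", " ").replace("\r", " ")


def to_leef(event):
    """Render a parsed CADF event as a LEEF 1.0 line.

    Header format: LEEF:1.0|Vendor|Product|Version|EventID| followed by
    tab-delimited key=value attributes. The vendor, product and attribute
    names used here are an assumption for this example, not the mapping
    of QRadar's OpenStack DSM.
    """
    initiator = event["initiator"]
    host = initiator.get("host", {})
    attributes = [
        ("devTime", event["eventTime"]),
        ("cadfId", event["id"]),
        ("action", event["action"]),
        ("outcome", event["outcome"]),
        ("usrName", initiator.get("name", "")),
        ("src", host.get("address", "")),
        ("userAgent", host.get("agent", "")),
        ("resource", event["target"].get("typeURI", "")),
        ("observer", event["observer"].get("typeURI", "")),
    ]
    header = "LEEF:1.0|OpenStack|CADF|1.0|%s|" % _leef_safe(event["action"])
    return header + "\t".join("%s=%s" % (key, _leef_safe(val)) for key, val in attributes)


if __name__ == "__main__":
    parsed = parse_cadf_event(SAMPLE_CADF_EVENT)
    print(to_leef(parsed))
    print("failed authentication:", is_failed_authentication(parsed))
```

Rejecting events that lack the mandatory CADF fields at the collector keeps half-formed records out of the SIEM, and the tab stripping in `_leef_safe` prevents a user-controlled value such as the user agent from breaking the record layout once it is sent to QRadar over syslog.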




Document Information

Modified date:
16 June 2018

UID

swg21971027