IBM Support

QRadar: TLS Client configuration with Rsyslog for a Linux OS Log Source

Question & Answer


How do you configure a basic TLS client that uses the certificate generated by QRadar® in a Linux OS Log Source configuration?


This is a basic Linux configuration that uses the certificate generated by QRadar.

Configuring the TLS Log Source in QRadar

To create a TLS client, you must know which Target Event Collector the TLS Log Source uses, and the custom port that your firewall allows for sending TLS Syslog events. Use the following procedure to configure the Log Source.
  1. Log in to the QRadar web user interface as the admin user.
  2. Click the Admin tab.
  3. Click the Log Sources Management app icon.
  4. Click New Log Source.
  5. Click Single Log Source.
  6. In the box under Log Source type, enter Linux > double-click Linux OS.
  7. Click the box to show undocumented Protocol types.
  8. Read the disclaimer "The use of undocumented protocols is not supported." and click Close.
  9. Select TLS Syslog from the list.
  10. Click Step 3: Configure Log Source Parameters.
  11. In the Name field, type a name for your Log Source.
  12. In the Description field, type a description for the Log Source.
  13. Select the Enabled check box to enable the log source. By default, the check box is selected.
  14. Optional Groups: click Add Group > check the box for your Log Source group.
  15. Optional Extension: Add an extension as a parsing override. A Log Source Extension can correct issues with parsing for an event from default DSM.
  16. If you are not using your default language, use the drop-down menu to select your language.
  17. From the drop-down menu, select the Target Event Collector of the appliance receiving and parsing the events.
  18. Select the Credibility of the log source. The range is 0 - 10. The Credibility indicates an event or offense's integrity as determined by the Credibility Rating from the source devices. Credibility increases if multiple sources report the same event. The default is 5.
  19. Select the Coalescing Events check box to enable the log source to coalesce (bundle) events. By default, automatically discovered log sources inherit the value of the Coalescing Events list from the System Settings in QRadar.
  20. Select the Store Event Payload check box to enable the log source to store event payload information in addition to the normalized record. This is required for compliance auditing or if you are extracting custom properties from this log source.
  21. Click Step 4: Configure Protocol Parameters.
  22. Use the hostname or IP address of the log source in the Log Source Identifier field.
    Note: To find the Log Source Identifier of a Linux OS log source, since the payloads are encrypted, you can either type the command hostname on the Linux OS TLS Client to obtain the hostname of the TLS Client or use the IP address of the TLS Client. For more information on the Log Source Identifier, see the section Troubleshooting the Log Source Identifier.
  23. The default TLS Listen Port is 6514. A port that can connect through your network needs to be used.
  24. The Authentication Mode is the mode by which your TLS connection is authenticated. For this example, we select TLS.
    If you select the TLS and Client Authentication option, you must configure the certificate parameters.
    Note: The Client Certificate Path field is only displayed if the TLS and Client Authentication mode is selected. The Client Certificate Path is the absolute path to the client certificate on disk. If the TLS and Client Authentication mode is selected, the certificate must be stored on the Target Event Collector that is selected for this log source.
  25. The Certificate Type field is the type of certificate to use for authentication. For our example, we select Generate Certificate.
  26. The Max Payload Length option allows administrators to set a maximum TCP payload length. The default value is 4096. QRadar suggests not increasing the value beyond 16,384.
  27. The Maximum Connections parameter controls how many simultaneous connections the TLS Syslog protocol can accept for each Event Collector. There is a limit of 1000 connections across all TLS Syslog log source configurations for each Event Collector. The default for each device connection is 50.
    Note: Automatically discovered log sources that share a listener with another log source count only once toward the limit. For example, the same port on the same event collector.
  28. From the drop-down menu, leave the default value TLS 1.2 and greater, unless your Log Source uses TLS 1.0 or 1.1.
  29. If you choose to add TLS log sources on the same port, click Use as Gateway Log Source. If the option is chosen, you can use a Log Source Identifier pattern. For this example, the Log Source Identifier Pattern is not used.
  30. Click Step 5: Test Protocol Parameters.
  31. Optional: Click Start Test
    Note: In the example, the certificate is not signed by a Certificate Authority (CA). Since we are using the QRadar generated certificate, a warning is generated. The result is displayed in the example.
  32. Complete the Log Source creation.
    1. If you skip the test, click Skip Test and Finish.
    2. If you run the test, click Finish.
  33. Log in to the QRadar Console as an Admin User.
    Important: Deploy Full Configuration results in services being restarted. While services are restarting, event processing stops until services restart. Scheduled reports that are in-progress need to be manually restarted by users. Administrators with strict outage policies are advised to complete the next step during a scheduled maintenance window for their organization. The Firewall is opened for the TLS port you use on the Target Event Collector.
  34. From the top menu bar, click Advanced > Deploy Full Configuration.
  35. The certificates and keys are located in these locations:
    • For QRadar 7.5.0 Update 4 and prior, the certificate key pair is generated in /opt/qradar/conf/trusted_certificates on the Target Event Collector and is named syslog-tls.cert and syslog-tls.key.
      Note: You might see a warning in /var/log/qradar.log and /var/log/qradar.error stating "Can't load certificates from file [/opt/qradar/conf/trusted_certificates/syslog-tls.key]". This error can be safely ignored.
    • For QRadar 7.5.0 Update 5 and later, the certificate key pair is generated on the Target Event Collector. The certificate is in /opt/qradar/conf/trusted_certificate and is named syslog-tls.cert, while the key is in /opt/qradar/conf/keys and is named syslog-tls.key.

Installing the certificates on the Log Source and testing within QRadar

Before you begin
The certificate generated in /opt/qradar/conf/trusted_certificates needs to be moved from where it was generated to the TLS Syslog log source that is sending the events.
  1. Use SSH to log in to the Console as root user.
  2. If the certificate was generated on an Event Collector, SSH to that Collector from the Console.
  3. Confirm that the certificate is on a target Event Collector and not the Console. You need to move the certificate to the Console to transfer it. Use an SCP client such as WinSCP to move the certificate to the TLS Syslog Log Source.
  4. Once your Log Source is configured with TLS Syslog, you can verify whether the Log source works.
    1. From the Admin tab, click the Log Source Management app.
    2. Click the TLS log source created.
    3. Verify that the TLS log source has a Status of OK.
      Note: Depending on the time your appliance takes to restart services, there can be a delay before the status is updated to Success.
  5. When generating a certificate from QRadar, the syslog-tls.cert file is on the Target Event Collector receiving the events in /opt/qradar/conf/trusted_certificates.
    1. Log in to the Console by using an SSH session as root user.
    2. If the Console is not the Target Event Collector, SSH to the Collector that receives the TLS Syslog events.
    3. Change directories to /opt/qradar/conf/trusted_certificates
      # cd /opt/qradar/conf/trusted_certificates/
    4. Use SCP to move this certificate to the TLS Log Sources.
      scp /opt/qradar/conf/trusted_certificates/syslog-tls.cert root@IP_OF_Client:/Certificates_directory
  6. Each additional TLS Syslog Log Source added on the same port is identified as a Syslog log source.
  7. To verify that the TLS Log Sources are listening, run the command:
    netstat -np | grep -i ESTABLISHED | grep <TLS Syslog port> | cat -n
    Note: In the example, there are two TLS Syslog Log Sources listening.

Configuring Linux TLS Syslog

Configuring a Linux Log Source for use with TLS requires a TLS Syslog library. This is not installed by default on most Linux distributions. The most common public TLS Syslog library is gnuTLS, which is available for most distributions. There are other TLS Syslog libraries available. Refer to this link for a list of alternatives.

Comparison of TLS implementations

Next, configure Rsyslog. Since there are multiple ways to configure TLS Syslog, refer to the link:
Rsyslog V8 Encrypting Syslog Traffic with TLS
With Rsyslog, you need to use TCP to have payloads encrypted. In Rsyslog implementations, the forwarding string looks something like this:
authpriv.* @@IP address of Target Event Collector:Port

Here, @@ indicates that TCP is used. If you use a single @, you are using UDP, which is not encrypted.

Configure all additional Linux TLS Syslog connections in the same manner.
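
The difference between @ and @@ can be checked mechanically, including after the troubleshooting step that temporarily drops one @. The following is an added example, not part of the IBM procedure: a shell function that classifies legacy-syntax forwarding rules as UDP, plain TCP, or TCP with a TLS stream driver enabled (@@ on its own selects TCP only). The $DefaultNetstreamDriver, $DefaultNetstreamDriverCAFile and $ActionSendStreamDriverMode directives are rsyslog's legacy TLS settings; the address 192.0.2.10, the certificate directory and the sample files are constructed.

```sh
#!/bin/sh
# Added example, not IBM's code. Classifies legacy-syntax rsyslog forwarding
# rules ("selector @target") by transport. RainerScript action() blocks are
# not parsed; that is a simplification of this sketch.

audit_rsyslog_forwarding() {
    awk '
        /^[ \t]*#/ { next }                             # skip comment lines
        $1 == "$DefaultNetstreamDriver"     { driver = $2; next }
        $1 == "$ActionSendStreamDriverMode" { mode = $2; next }
        $1 ~ /^\$/ { next }                             # other directives
        $2 ~ /^@@/ {                                    # TCP forwarding
            tls = (driver == "gtls" || driver == "ossl") && mode == "1"
            kind = tls ? "TCP-TLS" : "TCP-CLEARTEXT"
            print kind, $1, $2
            next
        }
        $2 ~ /^@/ { print "UDP-CLEARTEXT", $1, $2 }     # UDP forwarding
    ' "$1"
}

# Constructed sample configs. 192.0.2.10 stands in for the Target Event
# Collector; /etc/rsyslog.d/qradar/ is an assumed certificate directory.
sample_dir=$(mktemp -d)
trap 'rm -rf "$sample_dir"' EXIT

cat > "$sample_dir/debug.conf" <<'EOF'
# rules left behind after troubleshooting
authpriv.* @192.0.2.10:6514
authpriv.* @@192.0.2.10:6514
EOF

cat > "$sample_dir/tls.conf" <<'EOF'
$DefaultNetstreamDriver gtls
$DefaultNetstreamDriverCAFile /etc/rsyslog.d/qradar/syslog-tls.cert
$ActionSendStreamDriverMode 1
authpriv.* @@192.0.2.10:6514
EOF

for f in "$sample_dir"/*.conf; do
    echo "== $f"
    audit_rsyslog_forwarding "$f"
done
```

Any rule reported as UDP-CLEARTEXT or TCP-CLEARTEXT is sending readable payloads to the collector.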


Troubleshooting the Log Source Identifier

Troubleshooting Steps: If the Log Source does not have the Status of Success, the Log Source Identifier might be wrong.
  1. Make sure QRadar has the port open on the Appliance that is receiving the events:
    iptables -L -n | grep TLS_Port
    [root@QRadar73 ~]# iptables -L -n | grep 6514
    ACCEPT tcp -- state NEW tcp dpt:6514
  2. Repeat step 1 on each client sending to QRadar.
  3. Check the Appliance receiving TLS Syslog events to verify that the port is listening.
    [root@QRadar73~]# netstat -nlp | grep 6514
    tcp6 0 0 :::6514 :::* LISTEN 11708/java
  4. If the hostname does not work, use the IP address.
  5. You can also remove one of the @ symbols in front of the IP address. This sends non-encrypted payloads to the Target Event Collector. Restart the rsyslog service.

    Example: authpriv.* @IP_address:6514
    The command to restart the service in RHEL 6.x is service rsyslog restart
    The command to restart the service in RHEL 7.x versions and later is systemctl restart rsyslog.service
  6. Save the changes.
  7. Create events on the Linux Log Source.
  8. Then, use the following command on the Appliance receiving the events:
    tcpdump -nnAs0 -i <network interface> port 6514

The result should look similar to the following example. Log Source Identifier is Test2



Document Information

Modified date:
24 March 2023