IBM Support

QRadar: Using tcpdump and Wireshark to troubleshoot and analyze IBM Security QRadar SIEM

Question & Answer


Question

How do you use tcpdump to troubleshoot and Wireshark to analyze the IBM Security QRadar SIEM?

Answer

Administrators can troubleshoot IBM QRadar SIEM by collecting the IP traffic sent to QRadar with the tcpdump utility and analyzing that traffic with Wireshark. Tcpdump filters can select the interface, port, and source and destination IP addresses of the network traffic. Tcpdump can also print the packet data on-screen, which helps determine whether the QRadar SIEM is receiving events. However, it is often more useful to write the same packet data to a .pcap file, which can be shared with QRadar Support or analyzed afterwards with Wireshark. The following videos demonstrate tcpdump options for advanced troubleshooting and Wireshark for post-capture analysis.

tcpdump      https://www.youtube.com/watch?v=hWc-ddF5g1I&ab_channel=DavidMahler

And

Wireshark    https://www.youtube.com/watch?v=68t07-KOH9Y&ab_channel=ChrisGreer


An example of troubleshooting Syslog events

Before you can troubleshoot Syslog events that are being sent to an IBM QRadar SIEM, review the event source that sends the Syslog events and verify its IP address. The Syslog destination configured on your device is the appliance where you need to troubleshoot: the tcpdump command must be run on the appliance that receives the events from your device.

Note: By default, QRadar appliances are always configured to listen for Syslog events on TCP and UDP port 514. There is no need to change the firewall on your QRadar appliance.

The following commands allow administrators to review IP traffic including the full Syslog payload for events coming from a remote Syslog source.

  1. Using SSH, log in to your QRadar Console as root.
  2. Optional. If the Syslog destination is another appliance, such as an Event Collector appliance, SSH to the Event Collector.
  3. Type one of the following commands:
  • For TCP Syslog, type:
tcpdump -s 0 -A host Device_Address and port 514
  • For UDP Syslog, type:
tcpdump -s 0 -A host Device_Address and udp port 514
Note: Device_Address must be an IPv4 address or a hostname.
For example,
tcpdump -s 0 -A host x.x.x.x and port 514
Note: If Device_Address is an IPv6 address, then "host" is preceded by "ip6", the tcpdump qualifier for IPv6 (tcpdump does not accept "ipv6" in a filter expression).
For example,
tcpdump -s 0 -A ip6 host x:x:x:x:x:x:x:x and port 514

If you do not see any IP traffic in the command line, it is likely that either the device is not sending Syslog events or a firewall is blocking communication.

  1. Verify with your firewall administrator or operations group that no firewalls are blocking communication between the QRadar appliance and the device that sends the Syslog events.
  2. Typically, an easy method to verify whether a TCP port is open is to telnet from QRadar to the device. From the QRadar command line, type telnet Device_IPAddress 514. (For an IPv6 address, type telnet -6 Device_IPAddress 514.) This check applies to TCP Syslog only; a UDP port cannot be tested with telnet.
  3. Review the Syslog configuration of your remote device to ensure that it is configured to send events to the appropriate QRadar appliance.
  4. If the remote device is Linux or UNIX-based, administrators can verify that the event source is sending data to the QRadar appliance with the following command: tcpdump dst QRadar_Appliance_IPAddress (Again, if the QRadar address is IPv6, then "dst" is preceded by "ip6".)

If you do see IP traffic in the command line, you can save this traffic for post-capture analysis by directing the tcpdump output to a .pcap file with the "-w" switch followed by the .pcap file name.

For example,

tcpdump -s 0 -w syslog-traffic.pcap host x.x.x.x and port 514

The "-w" switch and its file name go before the filter expression, and "-A" is not needed here because nothing is printed to the terminal while the packets are written to the file.

Note: Once the traffic is being written to a .pcap file, you no longer see any IP traffic in the SSH shell.

The tcpdump collection must run long enough to ensure that a representative sample of IP traffic is collected (the time required varies with the log source type and the protocol used).

To finish the collection of IP traffic and close the .pcap file, press Ctrl+C in the SSH console.
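The capture steps above (choosing the filter for an IPv4 address, hostname or IPv6 address, and writing the result to a .pcap file with "-w") can be wrapped in one script. The following is an added example and not a script from the IBM page or from QRadar itself; the script name capture_syslog.sh, its arguments and the default 120-second duration are this example's own choices. It assumes it is run as root on the Console or Event Collector that receives the events, with tcpdump and timeout(1) available.

```shell
#!/bin/sh
# Added example, not from the IBM page: capture the Syslog traffic of one log
# source into a .pcap file on the QRadar appliance that receives the events.
# Assumed usage (script name and arguments are this example's own):
#   sh capture_syslog.sh DEVICE_ADDRESS [tcp|udp|any] [SECONDS] [OUTFILE]
# Assumes root on the Console or Event Collector, with tcpdump and timeout(1)
# present.

# Build the pcap-filter expression. An IPv6 literal contains a colon and needs
# the "ip6" qualifier; an IPv4 address or a hostname uses plain "host".
syslog_filter() {
    addr=$1
    proto=${2:-any}
    case "$addr" in
        *:*) host_expr="ip6 host $addr" ;;
        *)   host_expr="host $addr" ;;
    esac
    case "$proto" in
        tcp) printf '%s and tcp port 514\n' "$host_expr" ;;
        udp) printf '%s and udp port 514\n' "$host_expr" ;;
        *)   printf '%s and port 514\n' "$host_expr" ;;
    esac
}

# Compose the full command line. Options (-nn, -s 0, -w) come before the filter
# expression; -A is left out because with -w nothing is printed to the terminal.
# timeout(1) bounds the capture so the file does not grow unattended.
capture_cmd() {
    printf 'timeout %s tcpdump -nn -s 0 -w %s %s\n' "$3" "$4" "$(syslog_filter "$1" "$2")"
}

main() {
    addr=${1:?usage: capture_syslog.sh DEVICE_ADDRESS [tcp|udp|any] [SECONDS] [OUTFILE]}
    proto=${2:-any}
    secs=${3:-120}
    out=${4:-syslog-traffic.pcap}
    filter=$(syslog_filter "$addr" "$proto")
    echo "Capturing '$filter' for ${secs}s into $out (Ctrl+C stops early)"
    # $filter is deliberately unquoted: tcpdump takes the expression as words.
    # Exit status 124 from timeout only means the time limit was reached.
    timeout "$secs" tcpdump -nn -s 0 -w "$out" $filter
    rc=$?
    [ "$rc" -eq 0 ] || [ "$rc" -eq 124 ] || exit "$rc"
    # Sanity check before the file is shared: an empty capture points at a
    # device that is not sending or a firewall that blocks port 514.
    count=$(tcpdump -nn -r "$out" 2>/dev/null | wc -l | tr -d ' ')
    echo "$count packets written to $out"
    [ "$count" -gt 0 ] || echo "No packets captured: check the device's Syslog destination and any firewall in the path."
}

# Run main only when invoked as a script under this name, so the functions can
# also be sourced without starting a capture.
case "${0##*/}" in capture_syslog.sh) main "$@" ;; esac
```

Running `sh capture_syslog.sh 2001:db8::10 udp 60 fw01.pcap` builds the expression `ip6 host 2001:db8::10 and udp port 514`, captures for 60 seconds, and then reads the file back with `tcpdump -r` so an empty capture is noticed before the file is sent anywhere.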

The saved .pcap file can now be analyzed with Wireshark by opening it (double-click the .pcap file). Wireshark presents it in a format such as

[Image: Wireshark packet list view of the opened .pcap file]

Note the following points:

  1. In the main window, "Source" represents the IP address or fully qualified domain name (FQDN) of the log source that is emitting the events.
  2. "Destination" represents the IP address or fully qualified domain name (FQDN) of the Event Collector that is receiving the events.
  3. "Protocol" is listed as "Syslog" purely because the traffic uses the Syslog port number (514). Wireshark does no validation of the IP payloads to ensure that the traffic is in fact valid Syslog traffic.

Next, analyze the IP "Conversations" contained in the .pcap file by selecting "Statistics" and then "Conversations", an example of which is

[Image: Wireshark "Statistics" menu with "Conversations" selected]

It opens a new window showing all IP traffic arranged into a list of IP connections ("Conversations") between the QRadar Event Collector and the log source.

An example of which is

[Image: Wireshark "Conversations" window listing the IP connections in the capture]

The next step is to select one of the conversations listed (by using your mouse) and then click "Follow Stream"

[Image: a conversation selected in the "Conversations" window, with "Follow Stream" about to be clicked]

It opens a new window showing the payload of this "Conversation"

[Image: Wireshark "Follow Stream" window showing the Syslog payload]

Inside this window, you see the Syslog payload, which must comply with RFC 3164 or RFC 5424, or match the sample event given for the log source in the QRadar DSM guide. If the format of the event does not satisfy these conditions, QRadar cannot recognize it, and it discards the event.
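Because Wireshark labels anything on port 514 as "Syslog" without checking the payload, it helps to check the header shape of the lines seen in "Follow Stream" yourself. The following is an added example and not part of the IBM page: a small POSIX shell script that classifies each payload line as RFC 5424, RFC 3164 or unknown, and decodes the facility and severity from the <PRI> field. The sample lines embedded in it are constructed for illustration, not taken from a real capture, and the script name syslog_check.sh is this example's own.

```shell
#!/bin/sh
# Added example, not from the IBM page: classify Syslog payloads as seen in
# Wireshark "Follow Stream" (or in `tcpdump -nn -A -r syslog-traffic.pcap`)
# by their header format, so a non-compliant log source can be spotted
# before the .pcap is sent to QRadar Support.

# Echo one of: rfc5424, rfc3164, unknown
classify_syslog() {
    line=$1
    # RFC 5424: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID [SD] MSG
    if printf '%s\n' "$line" | grep -Eq '^<[0-9]{1,3}>1 [0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9:.]+(Z|[+-][0-9]{2}:[0-9]{2}) [^ ]+ [^ ]+ [^ ]+ [^ ]+ '; then
        echo rfc5424
    # RFC 3164: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG: MSG (day may be space-padded)
    elif printf '%s\n' "$line" | grep -Eq '^<[0-9]{1,3}>[A-Z][a-z]{2} [ 0-3][0-9] [0-9]{2}:[0-9]{2}:[0-9]{2} [^ ]+ '; then
        echo rfc3164
    else
        echo unknown
    fi
}

# Echo "facility severity" decoded from <PRI> (PRI = facility*8 + severity),
# or "invalid" when there is no well-formed PRI in the 0..191 range.
syslog_pri() {
    line=$1
    case "$line" in
        '<'[0-9]'>'*|'<'[0-9][0-9]'>'*|'<'[0-9][0-9][0-9]'>'*) ;;
        *) echo invalid; return 0 ;;
    esac
    pri=${line#<}
    pri=${pri%%>*}
    # Strip leading zeros so the shell does not read the value as octal.
    while [ "${pri#0}" != "$pri" ] && [ "$pri" != "0" ]; do pri=${pri#0}; done
    if [ "$pri" -gt 191 ]; then
        echo invalid
    else
        echo "$((pri / 8)) $((pri % 8))"
    fi
}

# Print "class facility/severity payload" for every line read from stdin.
report() {
    while IFS= read -r line; do
        printf '%-8s %-8s %s\n' "$(classify_syslog "$line")" \
            "$(syslog_pri "$line" | tr ' ' '/')" "$line"
    done
}

# Constructed sample payloads (the kind of lines seen in Follow Stream).
SAMPLES='<13>Jan  9 10:15:33 fw01 kernel: DROP IN=eth0 SRC=10.0.0.7 DST=10.0.0.5
<165>1 2023-01-04T09:12:00.123Z fw01.example.com vpn 1432 LOGIN - user=alice status=ok
Jan  9 10:15:33 fw01 sshd[2210]: Accepted publickey for bob (no PRI header)
<999>Jan  9 10:15:33 fw01 app: PRI out of range'

# Run the report only when invoked as a script under this name, so the
# functions can also be sourced.
case "${0##*/}" in syslog_check.sh) printf '%s\n' "$SAMPLES" | report ;; esac
```

Piping `tcpdump -nn -A -r syslog-traffic.pcap` output through `report` after sourcing the script flags lines that lack a PRI header or carry an out-of-range PRI, which are the cases most likely to explain a log source that QRadar does not recognize.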

The collected .pcap file can then be uploaded to QRadar Support for review and verification.


Document Information

Modified date:
04 January 2023

UID

swg21997599