IBM Support

QRadar: Configuring a Log Source to Use SSH keys

Question & Answer


Question

How can an IBM Security QRadar SIEM log source be configured to use SSH keys for authentication?

Cause

When configuring a log source in QRadar, administrators can configure the log source to use an SSH authorized key. If the remote system is not configured properly, the following error might be generated in /var/log/qradar.error because the authorized key file does not exist.


ERROR - Event Collection Status: Problem gathering/parsing events
ERROR - File Transfer Status: Could not transfer file(s)
ERROR - Authentication Status: Auth Failed: ssh connection failed to
root@IP Address :22 with exception: java.io.FileNotFoundException: /root/.ssh/keysgss (No such directory)
ERROR - Event Collection Status: Problem gathering/parsing events
ERROR - File Transfer Status: Could not transfer file(s)
ERROR - Authentication Status: Auth Failed: ssh connection failed to root@IP Address:22

Answer

To resolve this issue, the administrator can create SSH keys on the QRadar appliance and copy them to the remote server containing the event data.

Procedure

This procedure outlines how to create and copy SSH keys for systems that QRadar interacts with over SSH. An example of where this procedure might be required is for log sources or vulnerability scan data that QRadar retrieves using SSH. The process outlines how to create and configure SSH authorized keys.

  1. Generate an SSH2 key pair on QRadar to create a public and private SSH key:

    ssh-keygen -t dsa

  2. Optional. Copy the public (.pub) key to the QRadar managed host that manages the log source.
    Note: For All-in-One appliances, this step is not required. For QRadar deployments with multiple appliances, the public key must reside on the managed host making the SSH connection.

    scp <file>.pub user@<IP>:/filelocation

  3. On the remote server containing the event data, create a .ssh directory for your account. This step is only required if the .ssh directory does not exist.

    mkdir -p ~/.ssh
    touch ~/.ssh/authorized_keys
    chmod 600 ~/.ssh/authorized_keys

  4. Append the contents of the .pub file to the authorized_keys file on the remote server.

    cat ~/<filename>.pub >> ~/.ssh/authorized_keys

  5. On the QRadar appliance, configure the log source with the path to the private key file generated in step 1.

    Note: The private key is a different file from the .pub key that was copied.
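The following shell helpers are an added example, not part of the IBM page, that carry out steps 3 to 5 in a repeatable way: the public key is appended to authorized_keys only once with the permissions sshd requires, and the path that will be entered in the log source is checked before it is saved, which catches the FileNotFoundException shown in the Cause section. File names and directories are assumptions; the key pair used in the demo is constructed so the script runs without ssh-keygen or a remote host.

```shell
#!/bin/sh
# Added example, not part of the IBM page: helpers for steps 3-5 above.
# Paths and file names are assumptions; adjust them to your deployment.
set -eu

# Steps 3/4 on the remote server: append the public key to authorized_keys
# exactly once (re-running step 4 blindly adds duplicate lines) and enforce
# the permissions sshd expects (.ssh 700, authorized_keys 600).
# usage: install_pubkey <pubkey-file> <ssh-dir>
install_pubkey() {
    pub="$1"; sshdir="$2"; auth="$sshdir/authorized_keys"
    mkdir -p "$sshdir" && chmod 700 "$sshdir"
    touch "$auth" && chmod 600 "$auth"
    if grep -qxF -- "$(cat "$pub")" "$auth"; then
        echo "key already present in $auth"
    else
        cat "$pub" >> "$auth" && echo "key appended to $auth"
    fi
}

# Step 5 on the QRadar host making the connection: validate the path that
# will be entered in the log source. It must exist on this host, be the
# private key (not the .pub copy) and not be group/world readable. Catching
# this here avoids the FileNotFoundException shown in the Cause section.
# usage: check_private_key <path>
check_private_key() {
    key="$1"
    case "$key" in
        *.pub) echo "ERROR: $key is the public key; use the private key"; return 1 ;;
    esac
    [ -f "$key" ] || { echo "ERROR: $key does not exist on this host"; return 2; }
    grep -q 'PRIVATE KEY' "$key" || { echo "ERROR: $key is not a private key"; return 3; }
    mode=$(stat -c '%a' "$key" 2>/dev/null || stat -f '%Lp' "$key")
    case "$mode" in
        600|400) echo "OK: $key (mode $mode)"; return 0 ;;
        *) echo "ERROR: $key has mode $mode; expected 600"; return 4 ;;
    esac
}

# Demo on constructed files, so it runs without ssh-keygen or a remote host.
# The fake key pair stands in for step 1 output; with a real key, confirm the
# remote sshd accepts the key type (OpenSSH 7.0+ disables ssh-dss by default).
demo=$(mktemp -d)
printf '%s\n' 'ssh-dss AAAAconstructedPublicKey== qradar@console' > "$demo/id_dsa.pub"
printf '%s\n' '-----BEGIN DSA PRIVATE KEY-----' 'constructed' \
    '-----END DSA PRIVATE KEY-----' > "$demo/id_dsa"
chmod 600 "$demo/id_dsa"
install_pubkey "$demo/id_dsa.pub" "$demo/remote_ssh"   # appends the key
install_pubkey "$demo/id_dsa.pub" "$demo/remote_ssh"   # second run is a no-op
check_private_key "$demo/id_dsa"
```

On a real deployment, run install_pubkey on the remote server and check_private_key on the managed host that opens the SSH connection, since that is where the configured path must exist.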



Document Information

Modified date:
16 June 2018

UID

swg21654663