IBM Support

QRadar: How to create a passwordless SSH log in for log file protocol

How To


Summary

Administrators might need to create a passwordless login on log sources when the passwords are long or when they are set to expire frequently. In some cases, it can result in logs being lost if the administrator is not aware that the password expired.

Steps

Before you begin
Copy only the SSH public key to the Log Source. Create a non-root user to allow QRadar to log in to the Log Source.
 

Creating the SSH key pair on a QRadar Console or Event Collector

  1. Use SSH to log in to the QRadar console as root user.
  2. If the events are coming into an Event Collector, SSH to the appliance receiving the events.
  3. Create a directory to save your keys. For example,
    mkdir -p /opt/qradar/conf/keys
  4. Run the command ssh-keygen
    ssh-keygen
    Generating public/private rsa key pair.
    Enter file in which to save the key (/root/.ssh/id_rsa):
  5. Enter the directory and file where the keys are saved. For this example, the file is mykey
    /opt/qradar/conf/keys/mykey
  6. Enter a passphrase and press Enter.
    Note: Leave the passphrase empty if you do not want to use one.
  7. Enter the same passphrase and press Enter again.
Results
A private key mykey and a public key mykey.pub are created in /opt/qradar/conf/keys for your Log Source. For this example, the key fingerprint is GtideH6ikBZuphYw9na59df5wrqUPX8tbnxxxxxxxx root@qradar74.example.com.

Installing the SSH public key on the Log Source

When installing your SSH public key, it is a best practice to install it for a non-root or sudo user rather than for root.

  • Installing the SSH public key by using ssh-copy-id

    Note: If ssh-copy-id is not installed on your appliance, or it fails to install the SSH public key, use the manual installation method below to install the key.

    1. Type the command ssh-copy-id -i <path to public key/public_key> user@<Log Source IP address>
      ssh-copy-id -i /opt/qradar/conf/keys/mykey.pub qradar@192.168.1.90
      /usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/opt/qradar/conf/keys/mykey.pub"
      /usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
      /usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
      qradar@192.168.1.90's password:
      Permission denied, please try again.
      qradar@192.168.1.90's password:
    2. Enter the password for the Log Source user.

    Results
    The SSH public key is added to the log source, with the .ssh directory created and all user permissions set correctly.

      Number of key(s) added: 1

      Now try logging into the machine, with:   "ssh 'qradar@192.168.1.90'"
      and check to make sure that only the key(s) you wanted were added.

  • Manually installing the SSH public key
    Note: If the user already has a .ssh directory in the user's home directory, skip to step 6.
    1. Use the command pwd to confirm that you are in the user's home directory.
      $ pwd
      /home/user

    2. Verify whether .ssh exists.
      ls -lad ./.ssh
      ls: cannot access '/home/user/.ssh': No such file or directory

    3. Create the .ssh directory if required.
      mkdir .ssh
    4. Apply the proper settings to the .ssh directory.
      chmod 755 .ssh
    5. Change the owner to the logged-in user.
      chown user:user .ssh
    6. Create the authorization file inside the .ssh directory.
      touch .ssh/authorized_keys
    7. Set the permissions on the file to 600.
      chmod 600 .ssh/authorized_keys
    8. Change the owner of the file to the logged-in user.
      chown user:user .ssh/authorized_keys
    9. Use SCP to copy the public key file from the QRadar Event Collector under the directory /opt/qradar/conf/keys to the Log Source Device user's /home/user/.ssh/
    10. Append the public SSH key file to the authorized_keys file.
      cat .ssh/mykey.pub >> .ssh/authorized_keys
Results
You can now log in to the Log Source from the appliance where you created the keys by using the command ssh -i <Path to private SSH key/private_key> user@<Log source IP address>

ssh -i /opt/qradar/conf/keys/mykey qradar@192.168.1.90
Last login: Tue May 11 14:36:43 2021 from 192.168.1.95
[qradar@Testserver ~]$
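The manual installation steps above, as an added shell example that is not IBM's code: it creates .ssh and authorized_keys with the ownership and permissions sshd expects, checks that the file really is a single OpenSSH public key before appending it, and is safe to re-run because an already-installed key is not appended a second time. The helper names (valid_pubkey, install_pubkey, count_installed) and the choice of mode 700 for .ssh are this example's own.

```shell
#!/bin/sh
# Added example, not IBM's code: installs an OpenSSH public key into a user's
# authorized_keys with the ownership and permissions sshd expects, and skips
# keys that are already present so re-running never duplicates an entry.
# valid_pubkey, install_pubkey and count_installed are names chosen here.

# Accept only a one-line OpenSSH public key of an expected key type.
valid_pubkey() {
    [ -f "$1" ] || return 1
    [ "$(wc -l < "$1")" -le 1 ] || return 1
    grep -Eq '^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp[0-9]+) [A-Za-z0-9+/=]+' "$1"
}

# install_pubkey HOME_DIR OWNER PUBKEY_FILE
#   HOME_DIR    home directory of the account QRadar will log in as
#   OWNER       that account's user name (used for chown when run as root)
#   PUBKEY_FILE the .pub file copied over from /opt/qradar/conf/keys
install_pubkey() {
    home_dir=$1; owner=$2; pubkey=$3
    if ! valid_pubkey "$pubkey"; then
        echo "refusing to install: $pubkey is not a single OpenSSH public key" >&2
        return 1
    fi
    mkdir -p "$home_dir/.ssh"
    # 700 is stricter than the 755 used in the manual steps; sshd accepts both,
    # but rejects a .ssh directory or authorized_keys writable by group/others.
    chmod 700 "$home_dir/.ssh"
    touch "$home_dir/.ssh/authorized_keys"
    chmod 600 "$home_dir/.ssh/authorized_keys"
    # Only root needs chown; as the target user the files are already ours.
    if [ "$(id -u)" -eq 0 ]; then
        chown "$owner:$owner" "$home_dir/.ssh" "$home_dir/.ssh/authorized_keys"
    fi
    # Append only when this exact line is not already in authorized_keys.
    if grep -qxF -- "$(cat "$pubkey")" "$home_dir/.ssh/authorized_keys"; then
        echo "key already present in $home_dir/.ssh/authorized_keys"
    else
        cat "$pubkey" >> "$home_dir/.ssh/authorized_keys"
        echo "key added to $home_dir/.ssh/authorized_keys"
    fi
}

# count_installed HOME_DIR PUBKEY_FILE: number of authorized_keys lines that
# match the key file exactly (1 after a successful install, however often run).
count_installed() {
    grep -cxF -- "$(cat "$2")" "$1/.ssh/authorized_keys" 2>/dev/null || true
}
```

Run it as the log source user with its own home directory (for example install_pubkey "$HOME" "$(id -un)" "$HOME/.ssh/mykey.pub"), or as root with the target account's home and user name.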

Troubleshooting "No ECDSA host key" messages

If you see a message similar to:

No ECDSA host key is known for 192.168.1.42 and you have requested strict checking.

Run the command:

ssh-keyscan -t ecdsa <IP_address_Log_Source> >> ~/.ssh/known_hosts


Document Information

Modified date:
19 May 2021

UID

ibm16445811