IBM Support

QRadar: How to send events from WinCollect to DLC over TLS

How To


Summary

An example of how to set up an encrypted connection between WinCollect and a DLC over TLS.

Objective

Warning: This method is not currently an officially supported method, as it has not been tested by IBM's Product Engineering teams. This article shows an example of how it might work.

Steps

Before you start, examine these three files on the DLC to get an idea of how to make the edits.
Readme file: /opt/ibm/si/services/dlc/conf/template/TLSSyslog.readme
Template: /opt/ibm/si/services/dlc/conf/template/TLSSyslog.json
File to amend: /opt/ibm/si/services/dlc/conf/logSources.json
Add a firewall rule on the DLC
Source: https://www.ibm.com/docs/en/qsip/7.4?topic=collector-opening-required-ports-in-linux-firewall
The method is the same as when you install the DLC. Change the port number to suit your needs; it must match the tlsListenPort in logSources.json (see the previous paragraph).
firewall-cmd --zone=public --add-port=6514/tcp --permanent
Reload the ruleset:
firewall-cmd --reload
List all rules:
firewall-cmd --list-all
Example output:
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens192
  sources:
  services: dhcpv6-client ssh
  ports: 514/udp 514/tcp 6514/tcp
  protocols:
  masquerade: no
  forward-ports: port=514:proto=tcp:toport=1514:toaddr=
        port=514:proto=udp:toport=1514:toaddr=
  source-ports:
  icmp-blocks:
  rich rules:

Example configurations for TLS in logSources.json.

Note: when not using a PKCS12 truststore, the certificate can be in either Base64 PEM or PKCS8 DER format, and the private key must be in PK8 DER (nocrypt) format.
  • WinCollect and a PEM certificate
    {
      "LogSources": [
        {
          "DatabaseId": 22,
          "protocolName": "TLSSyslog",
          "name": "TLSSyslog_Example",
          "disable": false,
          "hostName": "WINDOWSHOST-x",
          "parameters": {
            "tlsListenPort": 6514,
            "privateKey": "/opt/ibm/si/services/dlc/trusted_certificates/WC-server_key_pem.der",
            "tlsProtocols": "TLSv1.2",
            "certType": "Provide Certificate",
            "maxPayloadSize": 4096,
            "serverCert": "/opt/ibm/si/services/dlc/trusted_certificates/WC-server.pem",
            "socketIdleTimeout": 900,
            "authType": "",
            "clientCertificateAlias": "",
            "maxConnections": 50,
            "gatewayLogSource": false,
            "logSourceIdentifierPattern": ""
          }
        }
      ]
    }
  • WinCollect and a P12 truststore
    {
      "LogSources": [
        {
          "DatabaseId": 1,
          "ImportedId": 3050458,
          "protocolName": "TLSSyslog",
          "name": "hostname-WinCollect-TLS-DLC",
          "disable": false,
          "hostName": "hostname01.somecompany.com",
          "parameters": {
            "pkcs12ServerPassword": "AQAAAAAAAAABnU3ceEVacUqjeRlG6rDkNzj9Yeo=",
            "pkcs12ServerAlias": "ibm-qroc-datagateway.somecompany.com",
            "certificateStoreServerAlias": "",
            "maxPayloadSize": "4096",
            "maxConnections": "50",
            "tlsProtocols": "TLSv1.2",
            "gatewayLogSource": "true",
            "logSourceIdentifierPattern": "",
            "enableMultiline": "false",
            "aggregationMethod": "Start/End Matching",
            "flattenMultiLines": "false",
            "startRegex": "",
            "endRegex": "",
            "messageIdRegex": "",
            "mapTimeLimit": "10",
            "retainEntireLines": "true",
            "eventFormatter": "None",
            "tlsListenPort": "6514",
            "authType": "TLS",
            "clientCertAuth": "CN Allowlist And Issuer Verification",
            "clientCertificateAlias": "",
            "useCNAllowlist": "true",
            "cnAllowlist": "",
            "useIssuerPk": "false",
            "issuerPk": "",
            "checkRevocation": "false",
            "checkUsage": "false",
            "certType": "PKCS12 Certificate",
            "serverCert": "",
            "privateKey": "",
            "pkcs12ServerCert": "/opt/ibm/si/services/dlc/trusted_certificates/ibm-qroc-datagateway.somecompany.com.p12",
            "socketIdleTimeout": "900"
          }
        }
      ]
    }
Certificates
In this example, we use a customized, internally signed certificate.
  1. You can use the same method as described in QRadar®: How to create a SAN certificate for a TLS Syslog integration.
  2. Take note of the directory where your server certificate and private key reside.
  3. Use the paths and file names of where your server certificate and private key reside, in the configuration file /opt/ibm/si/services/dlc/conf/logSources.json.
  4. Restart the dlc service:
    systemctl restart dlc
  5. On the DLC, test that the certificate is presented:
    openssl s_client -connect localhost:6514 < /dev/null
    To check the same from a Windows host, you can use third-party tools such as Cygwin or Zenmap.
  6. If the certificate is presented correctly, you can use the Root CA certificate in the WinCollect Destination. This method is recommended since, for example, on QRoC, the server certificate (on the Console) expires every 90 days. If you use the server cert in WinCollect, you would need to manually intervene on every WinCollect Destination config.
  7. Copy and paste it in Base64 PEM format into the WinCollect Destination that you pointed at the DLC. If the agent is a stand-alone installation, use the Configuration Console. If the agent is a managed install, use Admin > WinCollect > Destinations.
For more information on how to create a WinCollect Destination that uses a TLS certificate, see: QRadar - How to setup WinCollect to send events over TLS (example).

Troubleshooting tips

  • If the certificate information is not displayed by the openssl s_client command, check whether the port for TLS syslog is open (6514 by default):
    ss -tulpan | grep -w 6514
  • On the WinCollect host, you can add Debug logging for Code category if you need to troubleshoot: QRadar®: How to enable Debug logging for WinCollect
  • If you need to troubleshoot on the DLC side, examine /var/log/dlc/dlc.error for anything TLS-related.
  • The common errors that you might see are SSL handshake-related, which usually means that there is a problem with either the certificate or the key. Examine your certificate and make sure the private key is in PK8 DER format. You can "cat" the key file: if it shows readable characters, it is Base64 PEM, not DER.
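The format rules in the configuration note above and the "cat the key file" check in this list can be turned into a pre-flight test. The following is an added example (not IBM's code or part of the DLC) that classifies a private key file by inspecting its first DER elements and checks one logSources.json entry for the settings this article relies on; the entry dict, the key bytes and the set of ports opened with firewall-cmd are supplied by the caller.

```python
# Added example, not IBM code: pre-flight checks for one TLSSyslog entry of logSources.json.
def _tlv(buf, pos):
    """Parse one DER tag and length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def classify_private_key(data: bytes) -> str:
    """Return 'pem', 'pkcs8-der', 'pkcs8-encrypted-der', 'pkcs1-der' or 'unknown'."""
    if data.lstrip().startswith(b"-----BEGIN"):
        return "pem"                        # readable text, the 'cat the key file' test above
    try:
        tag, pos, _ = _tlv(data, 0)
        if tag != 0x30:
            return "unknown"
        tag2, v_start, v_end = _tlv(data, pos)
        if tag2 == 0x30:                    # AlgorithmIdentifier first: encrypted PKCS#8
            return "pkcs8-encrypted-der"
        if tag2 == 0x02 and int.from_bytes(data[v_start:v_end], "big") == 0:
            tag3 = _tlv(data, v_end)[0]     # element after version 0 decides the format
            if tag3 == 0x30:
                return "pkcs8-der"          # PrivateKeyInfo: AlgorithmIdentifier next
            if tag3 == 0x02:
                return "pkcs1-der"          # RSAPrivateKey: modulus INTEGER next
    except IndexError:
        pass                                # truncated or not DER at all
    return "unknown"

def check_log_source(entry: dict, key_bytes: bytes, open_ports: set) -> list:
    """Findings for one log source entry (key_bytes = contents of privateKey file)."""
    if entry.get("protocolName") != "TLSSyslog":
        return ["protocolName is not TLSSyslog"]
    p, findings = entry.get("parameters", {}), []
    port = int(p.get("tlsListenPort", 0))   # int in one example, "6514" string in the other
    if port not in open_ports:
        findings.append(f"tlsListenPort {port} has no firewall-cmd rule")
    if p.get("certType") == "Provide Certificate":
        if not (p.get("serverCert") and p.get("privateKey")):
            findings.append("serverCert and privateKey must both be set")
        kind = classify_private_key(key_bytes)
        if kind != "pkcs8-der":
            findings.append(f"privateKey is {kind}; DLC expects PKCS#8 DER (nocrypt)")
    elif p.get("certType") == "PKCS12 Certificate":
        if not (p.get("pkcs12ServerCert") and p.get("pkcs12ServerAlias")):
            findings.append("pkcs12ServerCert and pkcs12ServerAlias must both be set")
    else:
        findings.append(f"unknown certType {p.get('certType')!r}")
    return findings
```

Run it over each element of LogSources after json.load() of logSources.json, passing the bytes of the file named in privateKey; an empty list means the entry passes the checks from this article.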

Document Location

Worldwide


Document Information

Modified date:
10 May 2022

UID

ibm16551380