IBM Support

QRadar: How to integrate Cloudflare by using HTTP Receiver protocol

How To


Summary

This article provides the preparation steps to integrate QRadar® with the Cloudflare® service through the HTTP Receiver protocol.

Objective

QRadar administrators are able to integrate QRadar with the Cloudflare service through the HTTP Receiver protocol.
Before you begin
  • This article is applicable only to QRadar SIEM (on-premises) or QRadar on Cloud (Data Gateway appliance).

Environment

The integration of Cloudflare with QRadar can be explained in four steps. Use the numbered steps to follow the Cloudflare process:
  1. Registration
  2. Verification
  3. Response
  4. Completion
[Figure 1: Cloudflare-QRadar integration flow]
Figure 1. The integration process for Cloudflare events includes four steps, starting with registration (step 1) and ending with completion (step 4).
  1. Registration: register a LogPush from the administrator's workstation by running a curl command with the necessary parameters, as described in Configure Cloudflare to send events to IBM QRadar when you use the HTTP Receiver protocol. (The QRadar Console or a managed host can be used instead.)
    The most important registration parameter is "destination_conf": "<QRadar_URL:LogSource_Port>"
  2. Verification: Cloudflare checks that the IP address and port are reachable, and validates the certificate of the HTTP Receiver log source.
  3. Response:  
    • Context deadline exceeded

      If the endpoint is not accessible, the following error is returned:

      {"errors":[{"code":1002,"message":"error validating destination: error writing object: Post \"https://a.b.c.d:12469\": context deadline exceeded"}],"messages":[],"result":null,"success":false}
      
    • Cannot validate certificate

      If the endpoint is accessible, Cloudflare then checks the certificate of the HTTP Receiver log source. If the default TLS Syslog certificate is used, the following error is returned:

      {"errors":[{"code":1002,"message":"error validating destination: error writing object: Post \"https://a.b.c.d:12469\": x509: cannot validate certificate for a.b.c.d because it doesn't contain any IP SANs"}],"messages":[],"result":null,"success":false}
      
    • Certificate signed by an unknown authority

      Even if the administrator has a self-signed certificate with the correct public IP address in the "Subject Alternative Name" section, Cloudflare still rejects it: the certificate must be signed by a commercial CA.

      {"errors":[{"code":1002,"message":"error validating destination: error writing object: Post \"https://a.b.c.d:12469\": x509: certificate signed by unknown authority"}],"messages":[],"result":null,"success":false}

      However, many CA providers do not support a public IP address in the CN. Therefore, the recommended approach is to put an FQDN in the CN. Any IP address that must be included goes in the SAN section.

  4. Completion: If all parameters are valid, a LogPush is created and starts to send events to the HTTP Receiver log source.

Steps

The following steps are recommended to ensure a successful integration of QRadar with Cloudflare:
 
  1. In the company's public DNS server, configure a DNS record that points to the public IP address used to receive events from Cloudflare. Note the FQDN.
  2. Create a private key and Certificate Signing Request (CSR) with the FQDN in the CN, as described in the article Creating SSL certificate signing request. If a public IP address needs to be included, the administrator must create a multi-domain (SAN) CSR as described in Creating a multi-domain (SAN) SSL certificate signing request.
  3. Provide CSR to CA provider and get a signed certificate.
  4. Prepare a certificate bundle.
    cat <signed_cert_filename> [<intermediate_CA_filename>] <rootCA_filename> > cert-chain.pem
  5. Prepare a PKCS12 bundle. Run the following command and provide a protection password when prompted. Specify an alias in the "name" option (Example: some_alias).
    openssl pkcs12 -export -in cert-chain.pem -inkey <your_private>.key -name 'some_alias' -out <your_cert_file_name>.p12
  6. Copy the .p12 file to a folder (Example: /opt/qradar/conf/trusted_certificates).
  7. Create an HTTP Receiver protocol log source. Choose "PKCS12 Certificate Chain and Password". Specify the certificate path (from step 6), the password, and the alias (from step 5).
  8. Configure the firewall to open the HTTP Receiver port so that it is accessible from Cloudflare.
  9. Register a LogPush with Cloudflare as described in Configure Cloudflare to send events to IBM QRadar when you use the HTTP Receiver protocol.
The results

If the registration succeeds, the administrator can see events arriving in QRadar.
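The Response section above lists what Cloudflare checks before it accepts a destination (a reachable endpoint, a certificate whose SAN covers the address it connects to, and a chain it can trust), and steps 4 and 5 build the bundle that the HTTP Receiver log source presents. The following script is an added example, not part of the IBM article: it performs those checks locally before the LogPush is registered, so the three documented errors can be caught on the administrator's own workstation. It assumes openssl 1.1.1 or later is on PATH; the host name qradar.example.com, the address 203.0.113.10, the alias some_alias and the password changeit are constructed placeholders, and the self-test signs a certificate with a throwaway CA so that everything runs offline (a real deployment uses the CA bundle the commercial provider returned).

```shell
#!/bin/sh
# Added example (not from the IBM article). Pre-flight checks that mirror what
# Cloudflare validates when a LogPush destination is registered, plus the
# certificate bundle (step 4) and PKCS12 export (step 5) from the Steps list.
# Assumes openssl 1.1.1+ on PATH. Names, IPs, alias and password are constructed.
set -eu

# Step 4: concatenate signed cert, optional intermediate(s) and root CA into one PEM.
build_chain() {          # build_chain <out.pem> <signed_cert> [<intermediate>...] <root_ca>
    out=$1; shift
    cat "$@" > "$out"
}

# Step 5: export private key + chain as PKCS12 under the alias QRadar asks for.
export_pkcs12() {        # export_pkcs12 <chain.pem> <key.pem> <alias> <password> <out.p12>
    openssl pkcs12 -export -in "$1" -inkey "$2" -name "$3" -passout "pass:$4" -out "$5"
}

# Read back the friendlyName (alias) stored in a PKCS12 file, to confirm step 7 input.
pkcs12_alias() {         # pkcs12_alias <file.p12> <password>
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
        | sed -n 's/^ *friendlyName: *//p' | head -n 1
}

# Check 1: the SAN extension must name the endpoint. Connecting by IP to a cert
# without an IP SAN produces "doesn't contain any IP SANs".
cert_sans() {            # cert_sans <cert.pem>  -> prints e.g. "DNS:host, IP Address:a.b.c.d"
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}
san_has() {              # san_has <cert.pem> <entry>   entry like "IP Address:203.0.113.10"
    cert_sans "$1" | grep -q -- "$2"
}

# Check 2: the chain must verify against a trust store. A self-signed root that is
# not in the store produces "certificate signed by unknown authority".
chain_verifies() {       # chain_verifies <ca_bundle.pem> <chain.pem>
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Check 3 (network; not run by the self-test): a TLS handshake to the HTTP Receiver
# port with full chain validation, the same thing Cloudflare's probe does. A timeout
# here corresponds to "context deadline exceeded" (firewall, step 8).
probe_endpoint() {       # probe_endpoint <fqdn> <port> <ca_bundle.pem>
    printf '' | openssl s_client -connect "$1:$2" -servername "$1" \
        -CAfile "$3" -verify_return_error >/dev/null 2>&1
}

# Self-test on a constructed CA and leaf certificate so the whole flow runs offline.
self_test() {
    dir=$(mktemp -d); cd "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
        -subj '/CN=Constructed Test CA' -days 1 >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -keyout qradar.key -out qradar.csr \
        -subj '/CN=qradar.example.com' >/dev/null 2>&1
    printf 'subjectAltName=DNS:qradar.example.com,IP:203.0.113.10\n' > san.cnf
    openssl x509 -req -in qradar.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
        -out qradar.pem -days 1 -extfile san.cnf >/dev/null 2>&1
    build_chain cert-chain.pem qradar.pem ca.pem
    export_pkcs12 cert-chain.pem qradar.key some_alias changeit qradar.p12
    san_has qradar.pem 'IP Address:203.0.113.10'
    chain_verifies ca.pem cert-chain.pem
    [ "$(pkcs12_alias qradar.p12 changeit)" = some_alias ]
    cd /; rm -rf "$dir"
    echo ok
}
```

Run `self_test` to exercise the offline path, then point `san_has`, `chain_verifies` and `probe_endpoint` at the real signed certificate, the CA bundle from the provider, and the FQDN and port of the HTTP Receiver log source before registering the LogPush.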


Document Information

Modified date:
11 October 2023

UID

ibm16831663