How To
Summary
This article describes how to prepare QRadar® to receive events from the Cloudflare® service through the HTTP Receiver protocol.
Objective
- This article is applicable only to QRadar SIEM (on-premises) or QRadar on Cloud (Data Gateway appliance).
Environment
- Registration
- Verification
- Response
- Completion
- Registration: register a LogPush job from the administrator's workstation by running a curl command with the necessary parameters, as described in Configure Cloudflare to send events to IBM QRadar when you use the HTTP Receiver protocol. (The QRadar Console or a managed host can be used instead.)
The most important registration parameter is "destination_conf": "<QRadar_URL:LogSource_Port>".
- Verification: Cloudflare checks that the IP address and port are reachable, then validates the certificate of the HTTP Receiver log source.
- Response:
- Context deadline exceeded
If the endpoint is not accessible, the following error is returned:
{"errors":[{"code":1002,"message":"error validating destination: error writing object: Post \"https://a.b.c.d:12469\": context deadline exceeded"}],"messages":[],"result":null,"success":false}
- Cannot validate certificate
If the endpoint is accessible, Cloudflare then checks the certificate of the HTTP Receiver log source. If the default TLS Syslog certificate is used (it carries no IP address in its Subject Alternative Name), the following error is returned:
{"errors":[{"code":1002,"message":"error validating destination: error writing object: Post \"https://a.b.c.d:12469\": x509: cannot validate certificate for a.b.c.d because it doesn't contain any IP SANs"}],"messages":[],"result":null,"success":false}
- Certificate signed by an unknown authority
Even if the administrator uses a self-signed certificate with the correct public IP address in the "Subject Alternative Name" section, Cloudflare still rejects it, because the certificate must be commercially signed:
{"errors":[{"code":1002,"message":"error validating destination: error writing object: Post \"https://a.b.c.d:12469\": x509: certificate signed by unknown authority"}],"messages":[],"result":null,"success":false}
However, many CA providers do not support a public IP address in the CN. Therefore, the recommended approach is to use an FQDN in the CN. Any IP address that must be included goes in the SAN section.
- Completion: If all parameters are valid, a LogPush job is created and starts sending events to the HTTP Receiver log source.
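The three responses above correspond to the checks any standard TLS client performs against the destination. The following script is an added example (not IBM or Cloudflare code) that lets an administrator run the same checks from their own workstation before registering the LogPush job, and that maps the JSON returned by the registration call to the failure mode it indicates. It assumes that Cloudflare's validation behaves like a TLS client using the public trust store, which is what the error messages in this article imply; the OpenSSL error substrings it matches on are an assumption and may vary slightly between OpenSSL versions.

```python
"""Pre-flight check for a QRadar HTTP Receiver endpoint before registering a
Cloudflare LogPush job, plus a classifier for the registration response.

Added example, not IBM or Cloudflare code. Assumption: Cloudflare validates
the destination like a standard TLS client that trusts only public CAs.
"""
import json
import socket
import ssl

# Labels for the failure modes described in the article.
OK = "ok"
UNREACHABLE = "unreachable"          # "context deadline exceeded"
MISSING_IP_SAN = "missing_ip_san"    # "doesn't contain any IP SANs"
UNTRUSTED_CHAIN = "untrusted_chain"  # "certificate signed by unknown authority"
UNKNOWN = "unknown"


def classify_logpush_response(body: str) -> str:
    """Map the JSON body returned by the LogPush registration call to a label.

    The substrings below are taken from the error messages quoted in the article.
    """
    data = json.loads(body)
    if data.get("success"):
        return OK
    messages = " ".join(e.get("message", "") for e in data.get("errors", []))
    if "context deadline exceeded" in messages:
        return UNREACHABLE
    if "IP SANs" in messages:
        return MISSING_IP_SAN
    if "unknown authority" in messages:
        return UNTRUSTED_CHAIN
    return UNKNOWN


def preflight(host: str, port: int, timeout: float = 5.0) -> str:
    """Connect to host:port as an external TLS client and report which of the
    article's failure modes (if any) the endpoint would hit.

    Pass exactly the value you will put in destination_conf: an IP address
    triggers the IP-SAN check, an FQDN triggers the DNS-name check.
    ssl.create_default_context() uses the OS trust store, so a self-signed or
    internal-CA certificate fails here just as it does at Cloudflare.
    Only the first failure is reported; fixing it may reveal the next one,
    which is the same order the article describes.
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return OK
    except ssl.SSLCertVerificationError as err:
        # Assumption: OpenSSL wording ("IP address mismatch", "self-signed
        # certificate", "unable to get local issuer certificate").
        text = str(err)
        if "mismatch" in text:
            return MISSING_IP_SAN
        if ("self" in text and "signed" in text) or "local issuer" in text:
            return UNTRUSTED_CHAIN
        return UNKNOWN
    except ssl.SSLError:
        # Handshake failed for another reason (protocol, cipher): not one of
        # the article's three cases.
        return UNKNOWN
    except OSError:
        # Timeout, connection refused or no route: Cloudflare reports this as
        # "context deadline exceeded".
        return UNREACHABLE


if __name__ == "__main__":
    # Constructed sample: the "context deadline exceeded" response from the article.
    SAMPLE = (r'{"errors":[{"code":1002,"message":"error validating destination: '
              r'error writing object: Post \"https://a.b.c.d:12469\": context '
              r'deadline exceeded"}],"messages":[],"result":null,"success":false}')
    print("registration response:", classify_logpush_response(SAMPLE))
    # Replace with the host:port you intend to place in destination_conf.
    print("pre-flight:", preflight("a.b.c.d", 12469))
```

Run the pre-flight from a machine outside the company network so that it exercises the same firewall path Cloudflare will use; a result of `ok` from inside the network says nothing about external reachability.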
Steps
1. In the company's public DNS server, create a DNS record that points to the public IP address used to receive events from Cloudflare. Note the FQDN.
2. Create a private key and a Certificate Signing Request (CSR) with the FQDN in the CN, as described in the article Creating SSL certificate signing request. If a public IP address must also be included, create a multi-domain (SAN) CSR as described in Creating a multi-domain (SAN) SSL certificate signing request.
3. Provide the CSR to the CA provider and obtain a signed certificate.
4. Prepare a certificate bundle:
cat <signed_cert_filename> [<intermediate_CA_filename>] <rootCA_filename> > cert-chain.pem
5. Prepare a PKCS12 bundle. Run the following command and enter a protection password when prompted. Specify an alias in the "name" option (Example: some_alias).
openssl pkcs12 -export -in cert-chain.pem -inkey <your_private>.key -name 'some_alias' -out <your_cert_file_name>.p12
6. Copy the .p12 file to a folder on QRadar (Example: /opt/qradar/conf/trusted_certificates).
7. Create an HTTP Receiver protocol log source. Choose "PKCS12 Certificate Chain and Password". Specify the certificate path (from step 6), the password, and the alias (from step 5).
8. Configure the firewall so that the HTTP Receiver port is reachable from Cloudflare.
9. Register a LogPush job with Cloudflare as described in Configure Cloudflare to send events to IBM QRadar when you use the HTTP Receiver protocol.
If the registration succeeds, the administrator sees events arriving in QRadar.
Additional Information
Document Location
Worldwide
Document Information
Modified date:
11 October 2023
UID
ibm16831663