IBM Support

Important: QRadar VMware vCloud Director log sources no longer support the 'Enable Legacy vCloud SDK' option

News


Abstract

After 15 April 2023, VMware vCloud Director log sources with the 'Enable Legacy vCloud SDK' option will no longer be supported for the VMware vCloud Director log sources. Any existing log source configuration that use legacy SDK option can no longer to collect events. Log sources that do not use the Legacy VCloud SDK are not affected.

Content

Am I affected?

Administrators must review their existing VMware vCloud Director log sources to confirm whether the Enable Legacy vCloud SDK option is enabled. This issue affects QRadar SIEM and QRadar on Cloud administrators with VMware vCloud Directory log sources.

Procedure
  1. Log in to the QRadar Console as an administrator.
  2. Click Admin > Log Sources.
  3. In the Protocol Type list, select VMware vCloud Director.
    image-20230315171852-1
  4. In the Log Sources list, select the VMware vCloud Director log source.
  5. Click View and select the Protocols tab.
    image-20230315172541-2
  6. If Enable Legacy vCloud SDK is enabled (Yes), you are affected by this issue.

    Results
    After a QRadar auto update on 15 April 2023, events stop collecting until VMware vCloud Director log sources are updated to disable use of the Legacy vCloud SDK. To avoid an interruption in events, administrators can update their log sources at any time before 15 April 2023, save the log source and deploy the changes.

Updating your log sources to disable legacy SDK configurations


To complete this procedure, you must know the version of vCloud Director used in your organization as the API version is required to update your log source. For more information, see https://docs.vmware.com/en/VMware-Cloud-Director/index.html.
Procedure
  1. Log in to the QRadar Console as an administrator.
  2. Click Admin > Log Sources.
  3. In the Log Sources list, select the VMware vCloud Director log source.
  4. Click Edit.
  5. Configure the following parameters:
    Parameter Action
    Enable Legacy vCloud SDK
    Disable this option in the log source configuration.
    VCloud API Version
    Type the API version required to connect to the vCloud Director REST API.

    For a list of API versions, see https://docs.vmware.com/en/VMware-Cloud-Director/index.html#apis-and-sdks-2.
    Allow Untrusted Certificates
    Select one of the following options:
    • On - If you use a self-signed certificate or you used a previously untrusted certificate.
    • Off - If you use a trusted certificate.
       
    Note: The certificate must be downloaded in PEM or DER encoded binary format and then placed in the /opt/qradar/conf/trusted_certificates/ directory with a .cert or .crt file extension.
  6. Click Save.
  7. Click the Test tab.
    image-20230315175702-3
  8. Click Start Test.

    Results
    Review the output of the test tool to determine if the log source update succeeds.
  • If the test succeeds, the configuration change is complete and events are displayed by the test tool. If you have multiple vCloud Director log sources, you must repeat this procedure for each log source with Enable Legacy vCloud SDK configured as Yes in the user interface. After all VMware vCloud Director log sources are updated, from the Admin tab, click Deploy Changes.
  • If you experience issues with log source updates, confirm the output of the test tool and ensure the certificates are on the correct appliance. Administrators can enable debug logs in the test tool and click Start Test to get more detailed error information. If you continue to experience issues, contact QRadar Support for assistance.
    image-20230315181417-2
    Tip: If you change a parameter in your log source, you are not required to click Save before you run the test tool. The Start Test runs based on the values currently configured in the user interface. If you experience an issue, you can adjust a value in your log source, then click Start Test to evaluate how changes impact your log source.

[{"Type":"MASTER","Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"ARM Category":[{"code":"a8m0z000000cwt0AAA","label":"Log Source"}],"Platform":[{"code":"PF016","label":"Linux"}],"Version":"All Versions"},{"Type":"MASTER","Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSKMKU","label":"IBM QRadar on Cloud"},"ARM Category":[{"code":"a8m0z000000cwt0AAA","label":"Log Source"}],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Versions"}]

Document Information

Modified date:
12 April 2023

UID

ibm16963824

Page Feedback