OSSEC and Q1Labs QRadar integration


Vilius

Oct 23, 2012, 7:44:39 AM10/23/12
to ossec-list
Hey,

Does anyone have any experience in OSSEC and Q1Labs integration?

for example:
- does it integrate via syslog, or better via another method?
- do Q1Labs' standard parsers and normalisers understand Windows
Event logs delivered via OSSEC, or is some tweaking needed?
- are there any parsers written for OSSEC-specific alarms/alerts?

Thanks for any experiences,
Vilius

Alessandro Di Giuseppe

Oct 23, 2012, 12:51:40 PM10/23/12
to ossec...@googlegroups.com
Hi Vilius,

We've integrated OSSEC with our Q1Labs QRadar with limited success.

Basically, we use the native QRadar ALE Agent on Windows, and native syslog on Linux to forward events to the QRadar SIEM; as well as forwarding category 10+ alerts from our OSSEC server to QRadar - this is mainly to capture file integrity and other system changes not apparent through forwarding system events alone.

We've written a custom Log Source Extension for QRadar to parse the essential fields (hostname, Source/Destination IP, etc.) from OSSEC events, but for some reason we cannot extract all fields we'd expected. In some cases, we can do custom extractions on QRadar events to tease-out additional details from OSSEC events, but this is sub-optimal because custom extractions are not indexed and therefore less search-friendly than natively parsed data fields.

In my experience, because of the way OSSEC normalizes the events, I think you would lose some details you would otherwise get from events sent from QRadar's ALE or WinCollect agent and having the built-in QRadar Windows DSM (parser) interpret the events.

In other words, it's probably best you use Q1's agent to forward events from Windows hosts to QRadar, and not use OSSEC as a middle-man.

Your mileage may vary...

P.S. I'd be glad to share our custom log extension for OSSEC if you would like to try it.

Alessandro


From: Vilius <vilius....@gmail.com>
To: ossec-list <ossec...@googlegroups.com>
Sent: Tuesday, October 23, 2012 7:44:39 AM
Subject: [ossec-list] OSSEC and Q1Labs QRadar integration
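
As an added example for this thread (not Alessandro's Log Source Extension, which is not posted here), the following parser pulls the essential fields (hostname, agent IP, source IP, user) out of OSSEC alert lines and applies the same "category 10+" filter described above. It assumes the ossec-csyslogd default output format; the sample lines are constructed.

```python
import re
from typing import List, Optional

# Constructed sample lines; the layout is an assumption about the
# ossec-csyslogd default format, not something quoted from the thread.
SAMPLE_LINES = [
    "<132>Oct 23 07:44:39 ossec ossec: Alert Level: 10; Rule: 5712 - SSHD brute force trying to get access to the system.; "
    "Location: (web01) 10.0.0.5->/var/log/auth.log; srcip: 203.0.113.7; user: root; "
    "Oct 23 07:44:38 web01 sshd[1234]: Failed password for root from 203.0.113.7 port 52211 ssh2",
    "<132>Oct 23 07:50:01 ossec ossec: Alert Level: 7; Rule: 550 - Integrity checksum changed.; "
    "Location: (web01) 10.0.0.5->syscheck; Integrity checksum changed for: '/etc/hosts'",
    "<132>Oct 23 07:51:12 ossec ossec: Alert Level: 3; Rule: 5501 - Login session opened.; "
    "Location: (db01) 10.0.0.6->/var/log/auth.log; user: alice; "
    "Oct 23 07:51:11 db01 sshd[2222]: pam_unix(sshd:session): session opened for user alice",
]

HEADER_RE = re.compile(
    r"ossec: Alert Level: (?P<level>\d+); "
    r"Rule: (?P<rule_id>\d+) - (?P<description>[^;]+); "
    r"Location: (?P<location>[^;]+);(?P<rest>.*)$"
)
# Agent events look like "(agent) 10.0.0.5->/var/log/auth.log";
# server-local events look like "ossec-server->syscheck".
LOCATION_RE = re.compile(
    r"^(?:\((?P<agent>[^)]+)\)\s+(?P<agent_ip>\S+)|(?P<host>.+?))->(?P<source>.+)$"
)
# "key: value;" pairs OSSEC appends when its decoder extracted them.
OPTIONAL_FIELDS = ("srcip", "dstip", "user")


def parse_ossec_alert(line: str) -> Optional[dict]:
    """Return the essential fields of one OSSEC syslog alert, or None if unparsable."""
    m = HEADER_RE.search(line)
    if not m:
        return None
    event = {"level": int(m["level"]), "rule_id": m["rule_id"],
             "description": m["description"].rstrip(".")}
    loc = LOCATION_RE.match(m["location"].strip())
    if loc:
        event["hostname"] = loc["agent"] or loc["host"]
        event["agent_ip"] = loc["agent_ip"] or ""
        event["log_source"] = loc["source"]
    for key in OPTIONAL_FIELDS:
        km = re.search(rf"\b{key}: (?P<v>[^;]+);", m["rest"])
        if km:
            event[key] = km["v"].strip()
    return event


def alerts_to_forward(lines: List[str], min_level: int = 10) -> List[dict]:
    """Keep only alerts at or above min_level, mirroring the 'category 10+' filter."""
    parsed = (parse_ossec_alert(line) for line in lines)
    return [e for e in parsed if e and e["level"] >= min_level]
```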

Vilius Benetis

Oct 25, 2012, 8:32:01 PM10/25/12
to ossec...@googlegroups.com
Thank you Alessandro,

maybe you could share the DSM with Q1munnity; I have asked a question there on OSSEC.

In that way we could attract the vendor's attention and review, and maybe even incorporate your work into the distribution for further development.

Thank you,
vilius
--
/Vilius