Hi Vilius,
We've integrated OSSEC with our Q1Labs QRadar with limited success.
Basically, we use the native QRadar ALE Agent on Windows, and native syslog on Linux, to forward events to the QRadar SIEM; as well as forwarding category 10+ alerts from our OSSEC server to QRadar - this is mainly to capture file integrity and other system changes not apparent through forwarding system events alone.
We've written a custom Log Source Extension for QRadar to parse the essential fields (hostname, Source/Destination IP, etc.) from OSSEC events, but for some reason we cannot extract all the fields we'd expected. In some cases, we can do custom extractions on QRadar events to tease out additional details from OSSEC events, but this is sub-optimal because custom extractions are not indexed and therefore less search-friendly than natively parsed data fields.
In my experience, because of the way OSSEC normalizes the events, I think you would lose some details you would otherwise get from events sent by QRadar's ALE or WinCollect agent and interpreted by the built-in QRadar Windows DSM (parser).
In other words, it's probably best you use Q1's agent to forward events from Windows hosts to QRadar, and not use OSSEC as a middle-man.
Your mileage may vary...
P.S. I'd be glad to share our custom log extension for OSSEC if you would like to try it.
Alessandro
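As an added illustration (not Alessandro's extension or any OSSEC/QRadar code), the parser below pulls out the same kind of fields a QRadar Log Source Extension would index from OSSEC alerts forwarded over syslog, and applies the "level 10+" forwarding filter. It assumes OSSEC's plain default syslog_output format; the sample alert lines are constructed, and the set of optional decoded keys (srcip, user, etc.) is an assumption about common 2.x builds. It also shows why some expected fields are missing: OSSEC only prepends a key when its own decoder extracted it.

```python
import re
from typing import Optional

# Constructed sample lines in the format OSSEC's syslog_output uses for
# forwarded alerts (assumption: the plain default format, not CEF/JSON).
SAMPLE_ALERTS = [
    "ossec: Alert Level: 10; Rule: 5712 - SSHD brute force trying to get access to the system.; "
    "Location: (web01) 10.0.0.5->/var/log/auth.log; srcip: 203.0.113.9; user: root; "
    "Jan  7 10:02:11 web01 sshd[2112]: Failed password for root from 203.0.113.9 port 51234 ssh2",
    "ossec: Alert Level: 7; Rule: 550 - Integrity checksum changed.; "
    "Location: (db01) 10.0.0.7->syscheck; Integrity checksum changed for: '/etc/passwd'",
]

HEADER_RE = re.compile(
    r"^(?:.*?\s)?ossec: Alert Level: (?P<level>\d+); "
    r"Rule: (?P<rule_id>\d+) - (?P<description>.*?); "
    r"Location: (?P<location>.*?); (?P<rest>.*)$"
)
# Location reads "(agent_name) agent_ip->log_source" for agent events;
# alerts generated on the OSSEC server itself carry no agent prefix.
LOCATION_RE = re.compile(r"^(?:\((?P<agent>[^)]+)\) (?P<agent_ip>\S+)->)?(?P<source>.+)$")
# Decoded fields OSSEC prepends to the raw log only when its decoder found them
# (assumption: this key set covers the common 2.x builds).
OPTIONAL_KEYS = ("classification", "srcip", "dstip", "user")


def parse_ossec_alert(line: str) -> Optional[dict]:
    """Extract the fields a SIEM parser can index from one forwarded OSSEC alert."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    fields = {
        "level": int(m.group("level")),
        "rule_id": int(m.group("rule_id")),
        "description": m.group("description"),
        **LOCATION_RE.match(m.group("location")).groupdict(),
    }
    rest = m.group("rest")
    # Peel off "key: value; " pairs; whatever remains is the original log line.
    while True:
        kv = re.match(r"(\w+): ([^;]+); ", rest)
        if not kv or kv.group(1) not in OPTIONAL_KEYS:
            break
        fields[kv.group(1)] = kv.group(2)
        rest = rest[kv.end():]
    fields["full_log"] = rest
    return fields


def forward_worthy(fields: dict, min_level: int = 10) -> bool:
    """The 'category 10+' filter: forward only alerts at or above min_level."""
    return fields["level"] >= min_level
```

Running `parse_ossec_alert` over `SAMPLE_ALERTS` shows the second (syscheck) alert yields no srcip or user at all, which is exactly the case where a custom extraction on the full_log text is the only option left.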