To send data from a flat-file log on a server to QRadar, you need to set up a log source in QRadar to collect and process the logs. Here’s a step-by-step guide to accomplish this:
WinCollect is a Windows-based agent provided by IBM for QRadar to collect logs. Here are the steps to install and configure it:
- Download and Install WinCollect: Download the WinCollect agent from IBM's website and install it on your server.
- Configure the WinCollect Agent: During installation, configure the agent to point to your QRadar instance.
- Open the WinCollect Configuration Console.
- Add a new log source:
  - Log Source Name: Give a descriptive name.
  - Log Source Identifier: This should be unique for each log source.
  - Log Source Type: Choose MS Windows Event Log or MS Windows Event Log - Local.
- For file monitoring, you need to configure the agent to read the APPAudit.log file:
  - Go to the Log Source Parameters.
  - Set the Log File Path to C:\Program Files\CyberArk\ApplicationPasswordProvider\Logs\APPAudit.log.
- Add Log Source: Go to the Admin tab in QRadar and click on Log Sources under Data Sources.
- Create New Log Source:
  - Log Source Type: Choose WinCollect.
  - Protocol Configuration: Select the protocol that matches your configuration (e.g., Syslog if using the Syslog protocol).
  - Log Source Identifier: Enter the identifier you configured in WinCollect.
  - Log Source Parameters:
    - Log Source Type: Set as Microsoft Windows Security Event Log or another appropriate type.
    - Hostname or IP Address: Enter the IP address of the server where WinCollect is installed.
  - Advanced Options: Configure any additional options needed for your environment.
- Start the WinCollect service on the server.
- Verify that the data is being sent to QRadar:
  - Go to the Log Activity tab in QRadar.
  - Filter logs based on your new log source to ensure logs are being received.
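Before checking Log Activity in QRadar, it is worth confirming on the Windows server itself that the three things the steps above depend on are in place: the file exists and is still being written, the agent service is running, and the collector is reachable. The following pre-flight script is an added example, not part of the original guide or of IBM's WinCollect tooling; it assumes the WinCollect service is registered under the service name "WinCollect" and that the QRadar event collector listens on port 514 (both are assumptions to adjust for your environment, and QRADAR_SERVER_IP is a placeholder).

```powershell
# Added pre-flight check for the WinCollect setup (example code, not from the original guide).
# Assumptions: the WinCollect Windows service is registered as "WinCollect", and the
# QRadar event collector accepts syslog on port 514; adjust both to your environment.
param(
    [string]$LogFile          = "C:\Program Files\CyberArk\ApplicationPasswordProvider\Logs\APPAudit.log",
    [string]$QRadarIp         = "QRADAR_SERVER_IP",   # placeholder, replace with your collector address
    [int]$SyslogPort          = 514,
    [string]$AgentServiceName = "WinCollect"          # assumed service name
)

$results = [ordered]@{}

# 1. The file the agent is supposed to tail must exist; stale files usually mean the
#    application stopped logging, not that forwarding is broken.
$results['LogFileExists'] = Test-Path -LiteralPath $LogFile -PathType Leaf
if ($results['LogFileExists']) {
    $info = Get-Item -LiteralPath $LogFile
    $results['LogFileLastWrite'] = $info.LastWriteTime
    $results['LogFileSizeBytes'] = $info.Length
    $results['LogFileStale']     = $info.LastWriteTime -lt (Get-Date).AddDays(-1)
}

# 2. The agent service must be running, otherwise nothing is read from the file.
$svc = Get-Service -Name $AgentServiceName -ErrorAction SilentlyContinue
$results['AgentServiceFound']   = $null -ne $svc
$results['AgentServiceRunning'] = ($null -ne $svc) -and ($svc.Status -eq 'Running')

# 3. Reachability of the collector. Test-NetConnection only probes TCP, so a UDP-only
#    listener reports TcpTestSucceeded = False even when UDP forwarding works; treat
#    PingSucceeded as the basic reachability signal and the TCP result as a hint.
$net = Test-NetConnection -ComputerName $QRadarIp -Port $SyslogPort -WarningAction SilentlyContinue
$results['CollectorPingSucceeded'] = $net.PingSucceeded
$results['CollectorTcpSucceeded']  = $net.TcpTestSucceeded

# 4. One line per check, easy to paste into a ticket when escalating.
$results.GetEnumerator() | ForEach-Object { "{0,-24} {1}" -f $_.Key, $_.Value }
```

Run it in an elevated PowerShell session on the server (the agent's log file is under Program Files, so a non-administrative account may not be able to read it), and re-run it after any change to the WinCollect configuration.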
If you prefer scripting the log forwarding, you can use a PowerShell script to send logs to QRadar via Syslog:
```powershell
# Path of the flat-file log to forward and the QRadar event collector to send it to
$logFile    = "C:\Program Files\CyberArk\ApplicationPasswordProvider\Logs\APPAudit.log"
$qradarIp   = "QRADAR_SERVER_IP"
$qradarPort = 514

# One UDP socket for the whole session instead of a new one per log line
$udpClient = New-Object System.Net.Sockets.UdpClient
$udpClient.Connect($qradarIp, $qradarPort)
try {
    # Follow the file like tail -f and emit each new line as it is written
    Get-Content -Path $logFile -Tail 0 -Wait | ForEach-Object {
        $logEntry = $_
        # RFC 5424 header: PRI VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
        # <134> = facility local0 (16 * 8) + severity informational (6)
        $timestamp      = (Get-Date).ToUniversalTime().ToString("yyyy-MM-dd'T'HH:mm:ss.ffffff'Z'")
        $syslogMessage  = "<134>1 $timestamp $env:COMPUTERNAME APPAudit - - - $logEntry"
        $encodedMessage = [System.Text.Encoding]::UTF8.GetBytes($syslogMessage)
        [void]$udpClient.Send($encodedMessage, $encodedMessage.Length)
    }
}
finally {
    $udpClient.Close()
}
```
Replace QRADAR_SERVER_IP with your QRadar server's IP address. Save this script as SendLogsToQRadar.ps1 and run it on the server. This will continuously send new log entries from the APPAudit.log file to QRadar over UDP Syslog.
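UDP syslog carries no acknowledgement and no encryption, so a dropped datagram is a silently lost audit record and an oversized line may be truncated on the wire. The script below is an added example (not from the original guide or from CyberArk or IBM) that forwards the same file over TCP syslog with RFC 6587 octet-counting framing, so each file line arrives as exactly one record and a broken connection surfaces as an exception that the script handles by reconnecting and resending. It assumes the QRadar listener accepts TCP syslog on port 514, uses "APPAudit" as an assumed APP-NAME value, and keeps QRADAR_SERVER_IP as a placeholder.

```powershell
# Added TCP alternative to the UDP forwarder above (example code, not from the original guide).
# Assumes the QRadar syslog listener accepts TCP on port 514; APPAudit is an assumed APP-NAME.
$logFile    = "C:\Program Files\CyberArk\ApplicationPasswordProvider\Logs\APPAudit.log"
$qradarHost = "QRADAR_SERVER_IP"   # placeholder, replace with your collector address
$qradarPort = 514
$appName    = "APPAudit"           # assumed APP-NAME; keep it stable so the log source identifier does not drift

function New-SyslogMessage {
    param(
        [Parameter(Mandatory)] [string]$Message,
        [int]$Facility = 16,        # local0
        [int]$Severity = 6,         # informational
        [string]$AppName = $appName
    )
    # PRI is facility * 8 + severity; 16 * 8 + 6 = 134, the value the UDP script hard-codes
    $pri = ($Facility * 8) + $Severity
    $ts  = (Get-Date).ToUniversalTime().ToString("yyyy-MM-dd'T'HH:mm:ss.ffffff'Z'")
    # Collapse embedded CR/LF so one file line is always exactly one syslog record
    $clean = $Message -replace "[\r\n]+", " "
    return "<$pri>1 $ts $env:COMPUTERNAME $AppName - - - $clean"
}

function Send-SyslogTcp {
    param([System.IO.Stream]$Stream, [string]$SyslogMessage)
    $payload = [System.Text.Encoding]::UTF8.GetBytes($SyslogMessage)
    # RFC 6587 octet-counting: "<length> " prefix, where length is in bytes, not characters
    $frame = [System.Text.Encoding]::ASCII.GetBytes("$($payload.Length) ")
    $Stream.Write($frame, 0, $frame.Length)
    $Stream.Write($payload, 0, $payload.Length)
    $Stream.Flush()
}

function Connect-Collector {
    $client = New-Object System.Net.Sockets.TcpClient
    $client.Connect($qradarHost, $qradarPort)
    return $client
}

$client = Connect-Collector
$stream = $client.GetStream()
try {
    Get-Content -Path $logFile -Tail 0 -Wait | ForEach-Object {
        if ([string]::IsNullOrWhiteSpace($_)) { return }   # skip blank lines
        $msg = New-SyslogMessage -Message $_
        try {
            Send-SyslogTcp -Stream $stream -SyslogMessage $msg
        }
        catch [System.IO.IOException] {
            # The collector went away: reconnect once and resend this line instead of dropping it
            Write-Warning "Connection lost, reconnecting: $($_.Exception.Message)"
            $client.Dispose()
            $client = Connect-Collector
            $stream = $client.GetStream()
            Send-SyslogTcp -Stream $stream -SyslogMessage $msg
        }
    }
}
finally {
    $client.Dispose()
}
```

When creating the matching QRadar log source, select the TCP Syslog protocol rather than the default UDP so the collector expects framed messages; the PRI, timestamp and hostname fields are the same as in the UDP script, so the DSM parsing does not change.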
- Install and configure WinCollect on the server.
- Configure WinCollect to monitor the specific log file.
- Add a corresponding log source in QRadar.
- Verify log data collection in QRadar.
This setup will ensure that your flat-file log data from APPAudit.log is sent to and processed by QRadar efficiently.