Setup CentOS for IBM QRadar CE Integration with VMware Workstation

Overview

This is a guide to setup CentOS for IBM QRadar CE Integration with VMware Workstation and send logs to QRadar CE.

CentOS in this setup will act as a client that will be monitored by QRadar CE.

Prerequisites

• VMware Workstation Pro or VMware Workstation Player
• QRadar CE ISO

Setup

Note: Before you start, make sure your QRadar CE VM is already running.

1. Open VMware Workstation and click Open a Virtual Machine

or you can click File > Open… or use the shortcut Ctrl + O

2. Select the QRadar CE ISO file and click Open

3. Name the VM and select the location to save the VM, then click Import

4. Wait for the import to complete then click Edit virtual machine settings

5. Change the virtual machine settings as needed

In my setup, I changed the following settings:

• Memory: 512 MB
• Processors: 1
• Network Adapter: NAT

Note: We don’t need that much memory and processors for this setup, because we will only use it as a dummy server/client. You can change the settings later if you need more memory and processors.

Change the memory from 6 GB to 512 MB (or as needed)

Change the processors from 2 to 1 (or as needed)

Change the network adapter from Bridged to NAT, then click OK

So the final settings will be like this:

6. Power on the VM

7. Wait for the VM to boot up and login with the root user and create a new password

Note: Don’t forget the password that you created, because you will need it later.

8. Configure the network

Type nmtui to open the Network Manager Text User Interface

• Select Set system hostname and press Enter

• Set the hostname, in my setup I set it to centos and press Enter

• Select OK and press Enter

• Select Quit and press Enter

• type clear to clear the screen

• type bash to refresh the bash shell, so the hostname will be updated

• Check the connection by typing ping google.com and press Enter

• Check the IP address by typing ip -br addr and press Enter

Note: Take note of the IP address, because you will need it later.

In my case, the IP address is 192.168.211.128

9. SSH to the VM centos

You can use PuTTY , Windows Terminal , Windows Subsystem for Linux (WSL) , MobaXterm or any other SSH client you want.

In my case, I use Termius .

• Set the details as needed

• Type ssh root@<IP address> and press Enter
• Type password that you created earlier and press Enter
• In Termius you can connect to the VM using Quick Connect feature, so you don’t need to type the IP address and password every time you want to connect to the VM.

• Voila! You are now connected to the VM

10. Install the required packages and dependencies

• Type yum install audit and press Enter

• Type y if prompted and press Enter

11. Configure the auditd service

• Start the auditd service by typing service start auditd and press Enter
• If you get a warning, just type systemctl daemon-reload and press Enter
• Type service start auditd and press Enter again

• Type chkconfig auditd on and press Enter to enable the auditd service

• Type service auditd status and press Enter to check the status of the auditd service

• If you encounter an error like this:

The service command supports only basic LSB actions (start, stop, restart, try-restart, reload, force-reload, status). For other actions, please try to use systemctl.

• Just type systemctl start auditd and press Enter to start the auditd service.

12. Configure the audit rules

• Type vi /etc/audisp/plugins.d/syslog.conf and press Enter to edit the syslog.conf file

• Press i to enter the insert mode

• Change the content of the syslog.conf file to this:

  • active = yes
  • direction = out
  • path = builtin_syslog
  • type = builtin
  • args = LOG_LOCAL6
  • format = string

• So the final content of the syslog.conf file will be like this:

• Press Esc to exit the insert mode
• Type :wq and press Enter to save and exit the file

13. Configure the rsyslog service

• Type vi /etc/rsyslog.conf and press Enter to edit the rsyslog.conf file

• Press shift + G to go to the end of the file
• Press O to enter the insert mode and add this line at the end of the file:
  • *.* @<IP_ADDRESS_QRADAR>:514
• Check the IP address of the QRadar CE VM, in my case the IP address is 192.168.211.129

• Like this:

• Press Esc to exit the insert mode
• Type :wq and press Enter to save and exit the file

14. Restart the auditd and rsyslog services

• Type service auditd restart and press Enter to restart the auditd service

• Type systemctl restart rsyslog and press Enter to restart the rsyslog service

15. Open the QRadar CE Dashboard on your browser and add a filter

• Open your browser and go to https://<IP_ADDRESS_QRADAR>
• Login with the username admin and your password
• Click Log Activity and click Add Filter

• Add a filter with the following details:
  • Parameter: Source IP [Indexed]
  • Operator: Equals
  • Value: <IP_ADDRESS_CENTOS>, in my case the IP address is 192.168.211.128

• Change the View to Real Time (streaming)

16. Test the log with add user in the centos VM

• Type useradd test and press Enter to add a new user

• If you get Unknown log event, you can restart the auditd and rsyslog services again
• Type service auditd restart and press Enter to restart the auditd service
• Type systemctl restart rsyslog and press Enter to restart the rsyslog service
• Type useradd test and press Enter again to add a new user
• Now you can see the activity log in the QRadar CE Dashboard
• You can also see the log in the /var/log/audit/audit.log file in the centos VM

• Test deleting the user by typing userdel test and press Enter

• Now you can see the activity log in the QRadar CE Dashboard, notice that the Event Name is contains user deletion activity.

• You can try with other activities like usermod, userpasswd, usergroup, login and logout, change some configuration, etc.

17. Voila! You have successfully setup CentOS for IBM QRadar CE Integration with VMware Workstation

You can now explore the QRadar CE Dashboard and see the logs from your CentOS VM.

References

• https://www.ibm.com/community/qradar/ce/
• https://www.ibm.com/docs/en/SS42VS_7.4/pdf/b_siem_inst.pdf
• https://www.ibm.com/docs/en/SS42VS_7.4/pdf/b_qradar_system_notifications.pdf
• https://www.ibm.com/community/qradar/wp-content/uploads/sites/5/2020/03/QRadar_CE_Under_the_Radar_21Feb.pdf
• https://www.ibm.com/docs/en/qradar-on-cloud?topic=support-common-problems
• https://www.ibm.com/docs/en/qsip
• http://ftpmirror.your.org/pub/misc/ftp.software.ibm.com/software/security/products/qradar/documents/7.2.4/QLM/EN/b_qradar_system_notifications.pdf
• https://www.reddit.com/r/QRadar/comments/p5lfzz/best_strategy_for_monitor_linux_servers/
• Forwarding Syslogs from Linux Hosts to QRadar
• Sending Linux logs to QRadar (rsyslog.conf) by Jose Bravo
• Mastering Linux OS Integration with IBM QRadar: A Comprehensive Guide to Supercharge Your Security” by Ahmad Hassan Tariq
• Guide/learning material from Infinite Learning HCAI Program (I can’t share the material/content directly, because it’s confidential and belong to Infinite Learning and IBM Academy)