5.1 QRadar Login Integration

Video Transcription
00:00
>> Welcome back to the summary course in Building your InfoSec Lab. I'm your host and instructor, Kevin Hernandez. In our last module, we went over the basics of PFSense installation. We went over IPS, web proxy, and the VPN configurations that were either through modules or through its own built-in features. In today's lesson, we're actually going to integrate these PFSense logs into QRadar. Now, let's get started.

Before we actually jump into QRadar and start working with it, we need to configure log sources to send data to it. Since we just finished working with the PFSense, let's go ahead and start with PFSense to send logs to QRadar. Now, let's log in. Here we go. Let's go over to Status, System Logs. Here we go. Now, these are the logs for the system itself. Now, we got to make sure we actually forward these to our QRadar appliance. Let's go ahead to Settings. Right here at the bottom, you can see Remote Logging Options. Right here, enable remote logging, send log messages to remote syslog server. This is exactly what we want to do. Let's click on that. Now, you have a source address, IP protocol, and here's where we actually start configuring. Remote log servers, IP port, IP port, and IP port. What does this mean? It means that we actually can send this to three different appliances at the same time. Now, let's go here, QRadar, grab the IP, copy and paste. You can ask to send everything, and hit "Save". Let's give it a minute for it to apply the settings.

In the meantime, let's log in. [inaudible] slowly. Let's give it a second. There we go. QRadar is loading. I guess we already have a notification on top. It says updates were completed. Normal operations are unable to determine associated log source for IP address, unable to automatically detect. This itself over here, you can see, unable to differentiate associated log source for IP address 192.168.1.1.1, that is our PFSense logs. If you go to our Admin right here, let's give it a minute, there we go, and we go to Log Sources. You can see, there's nothing. The reason it says nothing is because nothing has been applied. Now, if we look here, it needs to update X-Force and RemoteNet, we can leave that for later. If you do want to see how to do that, you can click "Deploy Changes", and it would apply.

Let's see if the logs are at least being nice here. Let's give it a second. You can see, there we go, that we are indeed receiving logs in QRadar. You can see, it's CentOS right here. Actually, this might be the hard drive itself. Sorry, this is CentOS. You can see 1.1 right here in the source IP. Let me actually turn on the pointer. Right here, source IP is what we get. Now, the reason it's not being recognized is because, most likely, the device is not fully supported and therefore we have to do manual configuration on it. You can see here, we see some interfaces, we see a block, and we see a MAC address right here. We do need to work with this, and how we work with this is with regexes. With regexes, we'll be able to incorporate these logs properly formatted into our log sources. Or if you click "Next", you can see that the format is very similar. Obviously, if we go back to the firewall, here we go to logs, we can see a very similar type of log. It obviously depends on what type of access or what type of activity we're seeing. For example, here, we're seeing those block messages right here, you can see the IP or the source, FE80. We go here, somewhere around here. Let me go to the previous one. Here we go, FE80. This, it's this right here. That's how you start incorporating things into QRadar.

Now, in order to add additional tools, there's several options we have. Right here, the QRadar DSM configuration guide is one of the things you want to look at. If you can see, I visit this fairly often. Once you click on it, you get the pop up to save it. You can save it. Then open it. Here, this is a July 2019. Now, in here, you can see the different types of appliances that can be implemented or added into QRadar. Now, you see Apache, box, blue code, etc. Let's look for PFSense. If you can see, it's not there. That's the reason why it's not been manually recognized in the log sources as earlier. We're going to give it a little look and try to configure our own log source such as this, building a universal DSM. Let's go here. You can see, it's very similar to what we've seen. You go to the Admin tab, Log Sources, Add, Log Source Type, Universal DSM, you might pick a Log Source Extension, and then you start configuring it. Let's do that fairly quickly.

Let me go back here, Log Sources. There we go, then I'll go Add. There we go. Log source name, I'll call it PFSense. Description, I'm going to NextGenFirewall. Let's just call it firewall. This log source type, you can see here, you do have those options we just mentioned. You can see, PFSense is nowhere to be found in here. We'll go with Universal DSM for now. You can see, it's syslog. Log source identifier, it's the IP and it's enabled. In this case, since it's one appliance, event collector itself. Let's hit "Save". Now, here we go. Obviously, until you deploy this, it might not work. Let's go back here. Here we go. Now, it should actually show that log source to be added as well. Now, this takes from one to 20 minutes, depending how big your environment is, so let's give it a few minutes. I'll continue the lesson afterwards.

After a few minutes, you can see now, the bar is blue instead of yellow. Now, if we go back to Log Sources, now, instead of just saying installed, you can see, it's actually success, and you can see that event right here, last event time, you can see they're coming in right there. If we go back to Log Activity, return to event list, and we'll look for the last five minutes. Here we go. If we look down here, you can see that PFSense is now a log source inside QRadar.

Now, let's take a short break. In our next lesson, we'll actually start configuring PFSense as a DSM log source. What did we learn today? We added PFSense logs into QRadar and integrated them as a universal DSM. In our next lesson, we'll actually start creating custom properties for this log source that we just created. Hope to see you soon. Have a great day.