Hi folks! I’m glad of receiving good feedback from you guys! The topic of this post was one recent request from our followers, asking about what the best way to send windows logs to QRadar is. As you can imagine, there’s no best solution, it depends on what kind of environment we have. So to reply this question as simple and short as possible, I created the following table comparing some log collection methods.
To get more information about the Snare Agent, you can check out the vendor website. To get more information about the another two collection methods, you can check out our post about configuring log sources and the official documentation in this another post.
Do you have any question or suggestion? Let us know in the comments!
In this post we are going to explain in a simply way how to change the SSL certificate of QRadar. For the folks that already worked with IBM products know how tricky it were, but with QRadar it is way easier. In less than 10 steps you can import your self-signed or trusted certificated into QRadar.
- Get your self-signed or trusted certificate (remember: you need the public and private key);
- Log into your QRadar console using SSH;
- Transfer the certificate to some folder inside the QRadar, example:
/certificates/qradar_priv_certificate.pfx and /certificates/qradar_public_certificate.cer
- Execute the following command: /opt/qradar/bin/install_ssl_cert.sh -i
- The script will ask you the path to the private certificate file. Just type the path you used on step 3.
- The script can ask you the public certificate, just type the path you used on step 3;
- To confirm the change, type ‘y’ and press enter;
- After the completion, restart the hostcontext service using the command:
service hostcontext restart
- After the restarting the service, open the QRadar using HTTPs using your browser and verify the certificate;
Basically, the QRadar will make all the tricky part and will update the SSL certificate for you.
You can find the official documentation about the SSL certificate change in this link (that basically explain this 10 steps in 10 pages).
The QRadar solution offers two types of license by default: High Availability and Disaster Recovery. These licenses can be very useful in medium-large environments making the system more reliable. Both of licenses need to be purchased separately from the base QRadar license, and we know that most of the cases the clients want a solution to reach the compliance levels but with no extra cost. So one possible solution is creating a Cold Backup. You will not find it on the regular IBM documentation, so make sure that you follow carefully the steps of this post, the procedure is easy for people who already have QRadar experience.
Just a quick stop to explain what is a cold backup: Basically is a “clone” from the primary server, and it has the same configuration than the main server but stay always powered off. In case of some failure in the main server the staff should manually power the cold backup on. After restoring the primary server (and before turning it on), the cold backup should be powered off manually. This solution in most of the cases don’t need an extra license, you can use the same than the primary server but should NEVER have the both servers online at same time. Please consult your IBM sales representative before considering the cold backup, the laws can change between countries.
So, here is the high level steps. If you have any question on the steps, please leave a comment. Make sure that you understand all the process before doing it.
- Verify and take note of all the network configuration of the Primary server. You should have: IP, DNS, Gateway, hostname, email server, etc;
- Create an configuration backup of your primary QRadar;
- Turn off the primary QRadar server;
- Install (or re-install) the QRadar in the cold backup server using the network information gathered on the step 1;
- Apply on the cold backup the same license file than the primary server;
- After the finish of the installation, access the web interface of the cold backup, and import the backup generated on the step 2;
- Verify the logs collection and all the imported configuration;
- Turn off the cold backup server;
- Turn on the primary server;
Some considerations about this cold backup solution:
- The primary and cold backup should NEVER be on at same time. Make sure that you power off one server before turning on the other;
- All the transition process is manual, so when you have a failure in the primary you should manually turn the primary off and turn the cold backup on;
- The cold backup server may be not supported by the IBM official support. You should always consider buying a High-Availability or Disaster-Recovery license;
- The log data from the Primary will not be on the cold backup, and the log data in the cold backup will not be in the primary. To synchronize the data between the two servers you can use a external storage or manually import the data;
- Please make sure that you understand the whole process before doing it, we are not responsible for any misconfiguration issue;
- The both servers need to be in the same subnet;
- Remember that every configuration done in the Primary server should be replicated to the cold backup. To do it, just export the configuration from the primary (step 2) and import on the cold backup (step 6);
- Once a month run the updates on the ColdBackup to keep it updated;
- And again: Ensure that the both servers are never online at same time;
And as always, if you have any question or sugestion, let us know in the comments!