
    IBM Packet Capture

    The JSA DSM for Packet Capture collects events from a Packet Capture device.

    The following table describes the specifications for the Packet Capture DSM:

    Table 1: Packet Capture DSM Specifications

    Specification                 Value
    Manufacturer                  IBM
    DSM name                      JSA Packet Capture
    RPM file name                 DSM-IBMQRadarPacketCapture-JSA_version-build_number.noarch.rpm
    Supported versions            JSA Packet Capture 2014.3 to 2014.7
                                  JSA Network Packet Capture 7.3.0
    Protocol                      Syslog
    Event format                  LEEF
    Recorded event types          All events
    Automatically discovered?     Yes
    Includes identity?            No
    Includes custom properties?   No
    More information              IBM website (http://www.ibm.com/support/knowledgecenter/SS42VS_7.2.8/com.ibm.qradar.doc/c_pcap_introduction.html)

    To integrate Packet Capture with JSA, complete the following steps:

    1. If automatic updates are not enabled, download and install the most recent version of the following RPMs on your JSA console:

      • DSMCommon RPM

      • Packet Capture DSM RPM

    2. Configure your Packet Capture device to send syslog events to JSA.

    3. If JSA does not automatically detect the log source, add a Packet Capture log source on the JSA Console. The following table describes the parameters that require specific values to collect events from Packet Capture:

      Table 2: Packet Capture Log Source Parameters

      Parameter                 Value
      Log Source type           Packet Capture
      Protocol Configuration    Syslog

    4. To verify that JSA is configured correctly, review the following tables to see examples of parsed event messages.

      The following table shows a sample event message from Packet Capture:

      Table 3: Packet Capture Sample Message

      Event name:          User Added
      Low level category:  User Account Added
      Sample log message:

        May 10 00:01:04 9_24_202_133 LEEF: 2.0|IBM|QRadar Packet Capture|7.2.7.255-1G |UserAdded|cat=Admin msg=User continuum has been added

      The following table shows a sample event message from Network Packet Capture:

      Table 4: Network Packet Capture Sample Message

      Event name:          Packet Capture Statistics
      Low level category:  Information
      Sample log message (the LEEF 2.0 header names ^ as the attribute delimiter):

        <14>Mar 1 20:39:41 localhost LEEF: 2.0|IBM|Packet Capture|7.3.0|1|^|captured_packets=8844869^captured_packets_udp=4077106^captured_bytes_udp=379169082^total_packets=9090561^captured_bytes=2793801918^captured_bytes_tcp=2379568101^compression_ratio=27.4^captured_packets_tcp=4356387^oldest_packet=2017-03-01T20:39:41.915555490Z^total_bytes=2853950159
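      The following parser is an added example for this step, not code from JSA or IBM. It parses the two sample messages above the way the notes later on this page describe JSA's behaviour: the LEEF 2.0 header and attributes are extracted (including the optional delimiter field, ^ in the statistics event and tab by default in the User Added event), and any line that is not LEEF is filed as "Packet Capture Message" / "Stored". The event name and category mapping covers only the two rows shown on this page; the sshd line and the 203.0.113.7 address are constructed test input.

```python
"""LEEF 2.0 parser for the Packet Capture syslog feed (added example, not JSA or
IBM code). LEEF lines are parsed; any other line is filed as JSA's fallback
"Packet Capture Message" / "Stored", as the page's note describes."""
import re
from dataclasses import dataclass

# Optional <PRI>, RFC 3164 timestamp, host, then the payload.
SYSLOG_RE = re.compile(
    r"^(?:<\d{1,3}>)?\s*(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+(?P<msg>.*)$")
HEADER_RE = re.compile(r"^LEEF:\s*(?P<ver>\d+\.\d+)\|")
# LEEF 2.0 may name the attribute delimiter in the header as a literal
# character or a hex byte such as x09; if the field is absent, tab is used.
HEX_DELIM_RE = re.compile(r"^0?x([0-9A-Fa-f]{2})$")
# Fallback when tabs were collapsed to spaces (copy/paste, PDF extraction, as
# in the page's first sample): split before the next "key=" token instead.
KEY_BOUNDARY_RE = re.compile(r"\s+(?=[A-Za-z_][\w.\-]*=)")

# (product, event ID) -> (event name, low level category), from the page's two
# sample tables only; the full mapping is JSA's QID map, not reproduced here.
KNOWN_EVENTS = {
    ("QRadar Packet Capture", "UserAdded"): ("User Added", "User Account Added"),
    ("Packet Capture", "1"): ("Packet Capture Statistics", "Information"),
}
FALLBACK = ("Packet Capture Message", "Stored")

# Constructed samples: the page's two messages plus one made-up non-LEEF line.
SAMPLE_USER_ADDED = ("May 10 00:01:04 9_24_202_133 LEEF: 2.0|IBM|QRadar Packet Capture|"
                     "7.2.7.255-1G |UserAdded|cat=Admin msg=User continuum has been added")
SAMPLE_STATS = ("<14>Mar 1 20:39:41 localhost LEEF: 2.0|IBM|Packet Capture|7.3.0|1|^|"
                "captured_packets=8844869^captured_packets_udp=4077106^"
                "captured_bytes_udp=379169082^total_packets=9090561^"
                "captured_bytes=2793801918^captured_bytes_tcp=2379568101^"
                "compression_ratio=27.4^captured_packets_tcp=4356387^"
                "oldest_packet=2017-03-01T20:39:41.915555490Z^total_bytes=2853950159")
SAMPLE_NON_LEEF = ("May 10 00:01:05 9_24_202_133 sshd[2231]: Accepted publickey "
                   "for root from 203.0.113.7 port 52214 ssh2")


@dataclass
class LeefEvent:
    syslog_ts: str
    host: str
    leef_version: str
    vendor: str
    product: str
    version: str
    event_id: str
    delimiter: str
    attributes: dict


def _decode_delimiter(spec):
    """Delimiter character named by the header field, or None if spec is not one."""
    m = HEX_DELIM_RE.match(spec)
    if m:
        return chr(int(m.group(1), 16))
    return spec if len(spec) == 1 else None


def _split_attributes(text, delim):
    if delim == "\t" and "\t" not in text:
        tokens = KEY_BOUNDARY_RE.split(text.strip())
    else:
        tokens = text.split(delim)
    attrs = {}
    for tok in tokens:
        key, eq, value = tok.partition("=")
        if eq:
            attrs[key.strip()] = value.strip()
    return attrs


def parse_leef(line):
    """Parse one syslog line; return a LeefEvent, or None if it is not LEEF."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    msg = m.group("msg")
    hdr = HEADER_RE.match(msg)
    if not hdr:
        return None
    parts = msg.split("|", 6)
    if len(parts) < 6:
        return None  # header cut short
    vendor, product, version, event_id = (p.strip() for p in parts[1:5])
    delim, attr_text = "\t", parts[5]
    if len(parts) == 7:
        # Only LEEF 2.0 has a delimiter field; otherwise the '|' belongs to a value.
        decoded = _decode_delimiter(parts[5].strip()) if hdr.group("ver").startswith("2") else None
        if decoded is None:
            attr_text = parts[5] + "|" + parts[6]
        else:
            delim, attr_text = decoded, parts[6]
    return LeefEvent(m.group("ts"), m.group("host"), hdr.group("ver"), vendor, product,
                     version, event_id, delim, _split_attributes(attr_text, delim))


def classify(line):
    """(event name, low level category, attributes) as the Log Activity tab shows them."""
    ev = parse_leef(line)
    if ev is None:
        return FALLBACK + ({},)
    name, cat = KNOWN_EVENTS.get((ev.product, ev.event_id), (ev.event_id, "Unknown"))
    return (name, cat, ev.attributes)


def capture_stats(attrs):
    """Type the statistics counters and derive how many packets the sensor missed."""
    out = {}
    for k, v in attrs.items():
        for conv in (int, float):
            try:
                out[k] = conv(v)
                break
            except ValueError:
                continue
        else:
            out[k] = v
    if isinstance(out.get("total_packets"), int) and isinstance(out.get("captured_packets"), int):
        out["dropped_packets"] = out["total_packets"] - out["captured_packets"]
    return out


if __name__ == "__main__":
    for sample in (SAMPLE_USER_ADDED, SAMPLE_STATS, SAMPLE_NON_LEEF):
        print(classify(sample))
    print(capture_stats(classify(SAMPLE_STATS)[2]))
```

      The dropped_packets figure (total_packets minus captured_packets) is the number worth alerting on: a capture appliance that is silently missing traffic undermines every investigation that later relies on its PCAP.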

    Configuring Packet Capture to Communicate with JSA

    To collect IBM QRadar Packet Capture events, you must configure the appliance's rsyslog service to forward events to a remote syslog server (the JSA Event Collector).

    1. Using SSH, log in to your Packet Capture device as the root user.
    2. Choose one of the following options to enable syslog forwarding.
      1. Option 1: Open the /etc/rsyslog.conf file in a text editor such as vi:

        vi /etc/rsyslog.conf

        Then add the following line at the end of the file:

        *.* @@<JSA Event Collector IP>:514

      2. Option 2: Create a <filename>.conf file in the /etc/rsyslog.d/ directory, and then add the following line to the file that you created:

        *.* @@<JSA Event Collector IP>:514

      In both options, the double @ forwards over TCP; a single @ would forward over UDP.

    3. Restart the Syslog service by typing the following command:

      service rsyslog restart

      All syslog messages are now forwarded to the JSA Event Collector, and local copies continue to be written to /var/log/messages.

      Note: JSA parses only LEEF events for Packet Capture. On the Log Activity tab in JSA, the Event Name displays as Packet Capture Message and the Low Level Category displays as Stored for all other events.

    To verify that LEEF events are being logged on your Packet Capture device, inspect /var/log/messages.

    tail /var/log/messages
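    The following drop-in file is an added example for Option 2, not configuration from the page or from IBM. It keeps the page's TCP forwarding line but adds a disk-assisted action queue, so that events accumulated while the JSA Event Collector is unreachable (an upgrade, a network outage) are held on the appliance and delivered later instead of being discarded after rsyslog's default retry count. The address 192.0.2.10 is a placeholder, and /var/lib/rsyslog is assumed to be the spool directory on the appliance; adjust it if rsyslogd reports otherwise.

```
# /etc/rsyslog.d/jsa.conf  (added example; 192.0.2.10 is a placeholder)
# Spool directory for the disk-assisted queue (assumed default on the appliance).
$WorkDirectory /var/lib/rsyslog
# Queue the forwarding action below so events are held on disk, not discarded,
# while the JSA Event Collector is unreachable, and keep retrying indefinitely.
$ActionQueueType LinkedList
$ActionQueueFileName jsa_fwd
$ActionQueueMaxDiskSpace 1g
$ActionQueueSaveOnShutdown on
$ActionResumeRetryCount -1
# Double @ = TCP (what this page uses); a single @ would send over UDP.
*.* @@192.0.2.10:514
```

    Validate the syntax with rsyslogd -N1 before restarting the service, then confirm on the JSA Log Activity tab that the LEEF events arrive as parsed Packet Capture events rather than as "Packet Capture Message" / "Stored".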

    Configuring Network Packet Capture to Communicate with JSA

    To collect Network Packet Capture events, you must configure a remote Syslog server for your Network Packet Capture appliance.

    1. Log in to your Network Packet Capture appliance as administrator.
    2. Click Admin.
    3. In the REMOTE SYSLOG SETUP pane, enable system logging.
    4. Enable UDP or TCP, depending on how you want the events transported. TCP avoids the silent loss that UDP permits under load.
    5. In the Remote Syslog Server Port field, type the port number that you want to use to send remote syslog events. The default port number for remote syslog is 514.
    6. In the Remote Syslog Server field, type the IP address for your JSA Event Collector to which you want to send events.
    7. Click Apply.

      Note: JSA parses only LEEF events for Network Packet Capture. On the Log Activity tab in JSA, the Event Name displays as Packet Capture Message and the Low Level Category displays as Stored for all other events.

    Modified: 2017-09-13