Generic Firewall
The generic firewall server DSM for JSA accepts events by using syslog. JSA records all relevant events.
Configure JSA to interpret the incoming generic firewall events, and manually create a log source.
Configuring Event Properties
Configure JSA to interpret the incoming generic firewall events by editing the generic firewall configuration file.
Use the following procedure to configure event properties:
1. Forward all firewall logs to your JSA.
For information on forwarding firewall logs from your generic firewall to JSA, see your firewall vendor documentation.
2. Open the following file:
/opt/qradar/conf/genericFirewall.conf
Make sure you copy this file to systems that host the Event Collector and the JSA console.
3. Restart the Tomcat server:
service tomcat restart
A message is displayed indicating that the Tomcat server is restarted.
4. Enable or disable regular expressions in your patterns by setting the regex_enabled property. By default, regular expressions are disabled.
For example:
regex_enabled=false
When you set the regex_enabled property to false, the system generates regular expressions based on the tags you entered and uses them to retrieve the corresponding data values from the logs.
When you set the regex_enabled property to true, you can define custom regex to control patterns. These regex configurations are applied directly to the logs and the first captured group is returned. When you define custom regex patterns, you must adhere to the regex rules of the Java programming language. For more information, see http://download.oracle.com/javase/tutorial/essential/regex/
To integrate a generic firewall with JSA, make sure that you specify character classes directly instead of using the predefined classes. For example, the digit class /\d/ becomes /[0-9]/. Also, instead of using numeric quantifiers, rewrite the expression to use the primitive quantifiers (/?/, /*/ and /+/).
5. Review the file to determine a pattern for accepted packets.
For example, if your device generates the following log messages for accepted packets:
Aug. 5, 2005 08:30:00 Packet accepted. Source IP: 192.168.1.1 Source Port: 80 Destination IP: 192.168.1.2 Destination Port: 80 Protocol: tcp
The pattern for accepted packets is Packet accepted.
6. Add the following to the file:
accept_pattern=<accept pattern>
Where <accept pattern> is the pattern that is determined in Step 5. For example:
accept_pattern=Packet accepted
Patterns are case insensitive.
7. Review the file to determine a pattern for denied packets.
For example, if your device generates the following log messages for denied packets:
Aug. 5, 2005 08:30:00 Packet denied. Source IP: 192.168.1.1 Source Port: 21 Destination IP: 192.168.1.2 Destination Port: 21 Protocol: tcp
The pattern for denied packets is Packet denied.
8. Add the following to the file:
deny_pattern=<deny pattern>
Where <deny pattern> is the pattern that is determined in Step 7.
Patterns are case insensitive.
9. Review the file to determine a pattern, if present, for the following parameters:
- source ip
- source port
- destination ip
- destination port
- protocol
For example, if your device generates the following log message:
Aug. 5, 2005 08:30:00 Packet accepted. Source IP: 192.168.1.1 Source Port: 80 Destination IP: 192.168.1.2 Destination Port: 80 Protocol: tcp
The pattern for source IP is Source IP.
10. Add the following to the file:
source_ip_pattern=<source ip pattern>
source_port_pattern=<source port pattern>
destination_ip_pattern=<destination ip pattern>
destination_port_pattern=<destination port pattern>
protocol_pattern=<protocol pattern>
Where <source ip pattern>, <source port pattern>, <destination ip pattern>, <destination port pattern>, and <protocol pattern> are the corresponding patterns that are identified in Step 9.
Note: Patterns are case insensitive and you can add multiple patterns. For multiple patterns, separate them by using a # symbol.
11. Save and exit the file.
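As an added example (not JSA's own code, which this page does not show), the following Python script models how the properties above are applied to an event: each *_pattern value is split on # into alternatives, in regex mode the first captured group is returned, and in tag mode (regex_enabled=false) the script assumes a simple heuristic of capturing the token after the tag, because the page does not document how JSA derives its regex from a tag. The configuration and event text are constructed samples in the formats shown above.

```python
import re
# Constructed genericFirewall.conf-style sample (illustrates the documented behaviour, not JSA's own parser).
SAMPLE_CONF = """
regex_enabled=true
accept_pattern=Packet accepted
deny_pattern=Packet denied
source_ip_pattern=Source IP: ([0-9.]+)
source_port_pattern=Source Port: ([0-9]+)
destination_ip_pattern=Destination IP: ([0-9.]+)
destination_port_pattern=Destination Port: ([0-9]+)
protocol_pattern=Protocol: ([a-z]+)#Proto: ([a-z]+)
"""
# Constructed sample event in the log format shown on this page.
SAMPLE_EVENT = ("Aug. 5, 2005 08:30:00 Packet accepted. Source IP: 192.168.1.1 "
                "Source Port: 80 Destination IP: 192.168.1.2 Destination Port: 80 Protocol: tcp")
FIELDS = ("source_ip", "source_port", "destination_ip", "destination_port", "protocol")

def load_conf(text):
    """Parse key=value lines. '#' is the multi-pattern separator, so it is not a comment."""
    conf = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            conf[key.strip()] = value.strip()
    return conf

def compile_patterns(conf, key, capture):
    """Split a *_pattern value on '#' and compile each alternative; tag mode's capture group is an assumed heuristic."""
    use_regex = conf.get("regex_enabled", "false").lower() == "true"
    out = []
    for pat in filter(None, conf.get(key, "").split("#")):
        if not use_regex:  # tag mode: take the token after the tag and an optional colon
            pat = re.escape(pat) + (r"\s*:?\s*([^\s,;]+)" if capture else "")
        out.append(re.compile(pat, re.IGNORECASE))  # patterns are case insensitive
    return out

def parse_event(conf, event):
    # Accept/deny patterns only need to match; field patterns return their first captured group.
    matched = [a for a in ("accept", "deny")
               if any(rx.search(event) for rx in compile_patterns(conf, a + "_pattern", False))]
    result = {"action": matched[0] if matched else None}
    for field in FIELDS:
        result[field] = None
        for rx in compile_patterns(conf, field + "_pattern", True):
            m = rx.search(event)
            if m and m.groups():
                result[field] = m.group(1)
                break
    return result
```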
You are now ready to configure the log source in JSA.
Configuring a Log Source
To integrate generic firewalls with JSA, you must manually create a log source to receive the events, because JSA does not automatically discover or create log sources for events from generic firewall appliances.
- Log in to JSA.
- Click the Admin tab.
- On the navigation menu, click Data Sources.
The Data Sources pane is displayed.
- Click the Log Sources icon.
The Log Sources window is displayed.
- Click Add.
The Add a log source window is displayed.
- In the Log Source Name field, type a name for your log source.
- In the Log Source Description field, type a description for the log source.
- From the Log Source Type list, select Configurable Firewall Filter.
- Using the Protocol Configuration list, select Syslog.
The syslog protocol configuration is displayed.
- Configure the following values:
Table 1: Syslog Parameters
| Parameter | Description |
| --- | --- |
| Log Source Identifier | Type the IP address or host name for the log source as an identifier for events from your generic firewall appliance. |
- Click Save.
- On the Admin tab, click Deploy Changes.
The log source is added to JSA. Events that are forwarded to JSA by generic firewalls are displayed on the Log Activity tab.