
Generic Firewall


The generic firewall server DSM for JSA accepts events by using syslog. JSA records all relevant events.

Configure JSA to interpret the incoming generic firewall events, and manually create a log source.

Configuring Event Properties

Configuration of JSA to interpret the incoming generic firewall events.

Use the following procedure to configure event properties:

  1. Forward all firewall logs to your JSA.

    For information on forwarding firewall logs from your generic firewall to JSA, see your firewall vendor documentation.

  2. Open the following file:

    /opt/qradar/conf/genericFirewall.conf

    Make sure you copy this file to systems that host the Event Collector and the JSA console.

  3. Restart the Tomcat server:

    service tomcat restart

    A message is displayed indicating that the Tomcat server is restarted.

  4. Enable or disable regular expressions in your patterns by setting the regex_enabled property. By default, regular expressions are disabled.

    For example:

    regex_enabled=false

    When you set the regex_enabled property to false, the system generates regular expressions from the tags you enter and uses them to retrieve the corresponding data values from the logs.

    When you set the regex_enabled property to true, you can define custom regex patterns to control matching. These regex patterns are applied directly to the logs, and the first captured group is returned as the value. When you define custom regex patterns, you must adhere to the regex rules defined by the Java programming language. For more information, see the following website: http://download.oracle.com/javase/tutorial/essential/regex/

    To integrate a generic firewall with JSA, make sure that you specify character classes explicitly instead of using the predefined shorthand classes. For example, the digit class (/\d/) becomes /[0-9]/. Also, instead of using numeric quantifiers such as {n}, rewrite the expression to use the primitive quantifiers (/?/, /*/ and /+/).

  5. Review the file to determine a pattern for accepted packets.

    For example, if your device generates the following log messages for accepted packets:

    Aug. 5, 2005 08:30:00 Packet accepted. Source IP: 192.168.1.1 Source Port: 80 Destination IP: 192.168.1.2 Destination Port: 80 Protocol: tcp

    The pattern for accepted packets is Packet accepted.

  6. Add the following to the file:

    accept_pattern=<accept pattern>

    Where: <accept pattern> is the pattern that is determined in Step 5. For example:

    accept_pattern=Packet accepted

    Patterns are case insensitive.

  7. Review the file to determine a pattern for denied packets.

    For example, if your device generates the following log messages for denied packets:

    Aug. 5, 2005 08:30:00 Packet denied. Source IP: 192.168.1.1 Source Port: 21 Destination IP: 192.168.1.2 Destination Port: 21 Protocol: tcp

    The pattern for denied packets is Packet denied.

  8. Add the following to the file:

    deny_pattern=<deny pattern>

    Where: <deny pattern> is the pattern that is determined in Step 7.

    Patterns are case insensitive.

  9. Review the file to determine a pattern, if present, for the following parameters:
    • source ip

    • source port

    • destination ip

    • destination port

    • protocol

    For example, if your device generates the following log message:

    Aug. 5, 2005 08:30:00 Packet accepted. Source IP: 192.168.1.1 Source Port: 80 Destination IP: 192.168.1.2 Destination Port: 80 Protocol: tcp

    The pattern for source IP is Source IP.

  10. Add the following to the file:
    • source_ip_pattern=<source ip pattern>

    • source_port_pattern=<source port pattern>

    • destination_ip_pattern=<destination ip pattern>

    • destination_port_pattern=<destination port pattern>

    • protocol_pattern=<protocol pattern>

    Where: <source ip pattern>, <source port pattern>, <destination ip pattern>, <destination port pattern>, and <protocol pattern> are the corresponding patterns that are identified in Step 9.

    Note

    Patterns are case insensitive, and you can add multiple patterns for one parameter. Separate multiple patterns with a # symbol.

  11. Save and exit the file.

    You are now ready to configure the log source in JSA.
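As an added illustration (not part of this documentation or of JSA's own code), the following Python models how a genericFirewall.conf-style file drives event parsing in both regex_enabled modes: accept/deny classification, '#'-separated alternative tags, first-captured-group extraction, and rejection of the \d-style classes and numeric quantifiers the procedure says to avoid. The tag-to-regex rule used when regex_enabled=false is an assumption; the page does not state how JSA derives its expressions from a tag.

```python
import re
# Constructed genericFirewall.conf content in the procedure's key=value style. Custom-regex mode:
# explicit classes ([0-9]) and primitive quantifiers (+); the first captured group is the value.
CUSTOM_CONF = """regex_enabled=true
accept_pattern=Packet accepted
deny_pattern=Packet denied
source_ip_pattern=Source IP: ([0-9.]+)
source_port_pattern=Source Port: ([0-9]+)
destination_ip_pattern=Destination IP: ([0-9.]+)
destination_port_pattern=Destination Port: ([0-9]+)
protocol_pattern=Protocol: ([a-z]+)"""
# Tag mode for the same device; '#' separates alternative tags for one field.
TAG_CONF = """regex_enabled=false
accept_pattern=Packet accepted
deny_pattern=Packet denied
source_ip_pattern=Src IP#Source IP
source_port_pattern=Source Port
destination_ip_pattern=Destination IP
destination_port_pattern=Destination Port
protocol_pattern=Protocol"""
# Constructed log line in the shape of the page's examples.
SAMPLE_LOG = ("Aug. 5, 2005 08:30:00 Packet denied. Source IP: 192.168.1.1 Source Port: 21 "
              "Destination IP: 192.168.1.2 Destination Port: 21 Protocol: tcp")
FIELDS = ("source_ip", "source_port", "destination_ip", "destination_port", "protocol")
def parse_conf(text):
    """Read key=value lines into a dict; a repeated key keeps its last value."""
    return {k.strip(): v.strip() for k, v in
            (ln.split("=", 1) for ln in text.splitlines() if "=" in ln)}

def field_regex(conf, tag):
    """regex_enabled=true: the pattern as written, after rejecting \\d-style classes and {n} quantifiers.
    regex_enabled=false: an ASSUMED tag-to-regex rule (literal tag, optional ':', next token)."""
    if conf.get("regex_enabled", "false").lower() == "true":
        if re.search(r"\\[dwsDWS]|\{[0-9]", tag):
            raise ValueError("unsupported regex construct: " + tag)
        return re.compile(tag, re.IGNORECASE)
    return re.compile(re.escape(tag) + r"\s*:?\s*(\S+)", re.IGNORECASE)

def parse_event(conf, line):
    """Classify by the literal accept/deny pattern (case insensitive), then extract the fields."""
    action = next((a for a in ("accept", "deny") if conf[a + "_pattern"].lower() in line.lower()), None)
    if action is None:
        return None  # neither pattern matched: not an event this configuration describes
    event = {"action": action, **dict.fromkeys(FIELDS)}
    for field in FIELDS:
        for tag in filter(None, (t.strip() for t in conf.get(field + "_pattern", "").split("#"))):
            if m := field_regex(conf, tag).search(line):
                event[field] = m.group(1)  # first captured group, as the page states
                break
    return event
```

Both configurations yield the same parsed event for SAMPLE_LOG; the tag-mode config also shows the second of two '#'-separated tags being tried when the first does not match.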

Syslog Log Source Parameters for Generic Firewall

If JSA does not automatically detect the log source, add a Generic Firewall Server log source on the JSA Console by using the syslog protocol.

When using the syslog protocol, there are specific parameters that you must use.

The following table describes the parameters that require specific values to collect syslog events from Generic Firewall:

Table 1: Syslog Log Source Parameters for the Generic Firewall DSM

Parameter | Value
Log Source Name | Type a name for your log source.
Log Source Description | Type a description for the log source.
Log Source Type | Configurable Firewall Filter
Protocol Configuration | Syslog
Log Source Identifier | Type the IP address or host name for the log source as an identifier for events from your generic firewall appliance.