Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Configuring a TLS Log Source

To encrypt events and send to JSA, you must configure a log source with a TLS Syslog protocol to establish communication with JSA on port 6514.

  1. Log in to JSA.
  2. Click the Admin tab.
  3. On the navigation menu, click Data Sources.
  4. Click Log Sources > Add.
  5. Configure the following parameters:
    Table 1: TLS Log Source for Wincollect Destination

    Parameter

    Description

    Protocol Configuration

    TLS Syslog

    Log Source Identifier

    An IP address or host name to identify the log source.

    TLS Listen Port

    The default TLS listen port is 6514.

    Authentication Mode

    The mode by which your TLS connection is authenticated. If you select the TLS and Client Authentication option, you must configure the certificate parameters.

    Client Certificate Path

    The absolute path to the client-certificate on disk. The certificate must be stored on the JSA Console or Event Collector for this log source.

    Certificate Type

    The type of certificate to use for authentication for the server certificate and server key.

    Select one of the following options from the Certificate Type list:

    • Generated Certificate

    • Single Certificate and Private Key

    • PKCS12 Certificate and Password

    Generated Certificate

    This option is available when you configure the Certificate Type.

    If you want to use the default certificate and key that is generated by JSA for the server certificate and server key, select this option.

    Single Certificate and Private Key

    This option is available when you configure the Certificate Type.

    If you want to use a single PEM certificate for the server certificate, select this option and then configure the following parameters:

    • Provided Server Certificate Path - The absolute path to the server certificate.

    • Provided Private Key Path - The absolute path to the private key.

    Note:

    The corresponding private key must be a DER-encoded PKCS8 key. The configuration fails with any other key format.

    PKCS12 Certificate and Password

    This option is available when you configure the Certificate Type.

    If you want to use a PKCS12 file that contains the server certificate and server key, select this option and then configure the following parameters:

    • PKCS12 Certificate Path - Type the file path for the PKCS12 file that contains the server certificate and server key.

    • PKCS12 Password - Type the password to access the PKCS12 file.

    • Certificate Alias - If there is more than one entry in the PKCS12 file, an alias must be provided to specify which entry to use. If there is only one alias in the PKCS12 file, leave this field blank.

    Max Payload Length

    The maximum payload length (characters) that is displayed for TLS Syslog message.

    Maximum Connections

    The Maximum Connections parameter controls how many simultaneous connections the TLS Syslog protocol can accept for each Event Collector. There is a limit of 1000 connections across all TLS syslog log source configurations for each Event Collector. The default for each device connection is 50.

    Note:

    Automatically discovered log sources that share a listener with another log source. For example, if you use the same port on the same event collector, it counts only one time towards the limit.

    TLS Protocols

    The TLS Protocol to be used by the log source. Select one of the following options:

    • TLS 1.2 and above

    • TLS 1.1 and above

    • TLS 1.0 and above

    To avoid security vulnerabilities, use TLS 1.2 and above.

    Use As A Gateway Logsource

    Sends collected events through the JSA Traffic Analysis Engine to automatically detect the appropriate log source.

    You must select this in order for JSA to detect/create the correct log source for events.

    When this option is not selected and Log Source Identifier Pattern is not configured, JSA receives events as unknown generic log sources.

    Log Source Identifier Pattern

    If you selected Use As A Gateway Log Source, use this option to define a custom log source identifier for events that are being processed and for log sources to be automatically discovered when applicable. If you don't configure the Log Source Identifier Pattern, JSA receives events as unknown generic log sources.

    Use key-value pairs to define the custom Log Source Identifier. The key is the Identifier Format String, which is the resulting source or origin value. The value is the associated regex pattern that is used to evaluate the current payload. This value also supports capture groups that can be used to further customize the key.

    Define multiple key-value pairs by typing each pattern on a new line. Multiple patterns are evaluated in the order that they are listed. When a match is found, a custom Log Source Identifier displays.

    The following examples show multiple key-value pair functions.

    Patterns

    VPC=\sREJECT\sFAILURE
    $1=\s(REJECT)\sOK
    VPC-$1-$2=\s(ACCEPT)\s(OK)

    Events

    {LogStreamName: LogStreamTest,Timestamp:
    0,Message: ACCEPT OK,IngestionTime: 0,EventId:
    0}

    Resulting custom log source identifier

    VPC-ACCEPT-OK

    Enable Multiline

    Aggregate multiple messages into single events based on a Start/End Matching or an ID-Linked regular expression.

    Aggregation Method

    This parameter is available when Enable Multiline is turned on.

    • ID-Linked - Processes event logs that contain a common value at the beginning of each line.

    • Start/End Matching - Aggregates events based on a start or end regular expression (regex).

    Event Start Pattern

    This parameter is available when Enable Multiline is turned on and the Aggregation Method is set to Start/End Matching.

    The regular expression (regex) that is required to identify the start of a TCP multiline event payload. Syslog headers typically begin with a date or timestamp. The protocol can create a single-line event that is based on solely on an event start pattern, such as a timestamp. When only a start pattern is available, the protocol captures all the information between each start value to create a valid event.

    Event End Pattern

    This parameter is available when Enable Multiline is turned on and the Aggregation Method is set to Start/End Matching.

    This regular expression (regex) that is required to identify the end of a TCP multiline event payload. If the syslog event ends with the same value, you can use a regular expression to determine the end of an event. The protocol can capture events that are based on solely on an event end pattern. When only an end pattern is available, the protocol captures all the information between each end value to create a valid event.

    Message ID Pattern

    This parameter is available when Enable Multiline is turned on and the Aggregation Method is set to id-Linked.

    This regular expression (regex) required to filter the event payload messages. The TCP multiline event messages must contain a common identifying value that repeats on each line of the event message.

    Time Limit

    This parameter is available when Enable Multiline is turned on and the Aggregation Method is set to id-Linked.

    The number of seconds to wait for more matching payloads before the event is pushed into the event pipeline. The default is 10 seconds.

    Retain Entire Lines during Event Aggregation

    This parameter is available when Enable Multiline is turned on and the Aggregation Method is set to id-Linked.

    If you set the Aggregation Method parameter to ID-Linked, you can enable Retain Entire Lines during Event Aggregation to discard or keep the part of the events that comes before Message ID Pattern when concatenating events with the same ID pattern together.

    Flatten Multiline Events Into Single Line

    This parameter is available when Enable Multiline is turned on.

    Shows an event in one single line or multiple lines.

    Event Formatter

    This parameter is available when Enable Multiline is turned on.

    Use the Windows Multiline option for multiline events that are formatted specifically for Windows.

  6. Click Save.

Creating a TLS Log Source Destination for Managed Agents

Create a TLS destination if you want to send encrypted events to JSA appliances. For any existing log sources that are using WinCollect you must ensure that they use the TLS destination you created so that the events are encrypted.

  1. Click the Admin tab.
  2. Create a TLS log source destination.
    1. Click Data Sources > WinCollect.
    2. In the WinCollect window, click Destinations > Add.
    3. Give the destination a name, and specify the IP address or hostname of the console.
    4. In the Protocol menu, select TCP/TLS (Encrypted).
    5. Paste the certificate, including the BEGIN and END lines.

      Find the self-signed certificate in /opt/qradar/conf/trusted_certificates/syslog-tls.cert.

    6. Click Save.
  3. Create a TLS Syslog log source where the log source type is Universal DSM and the protocol type is TLS Syslog.