Generate Demo Log Events for QRadar CE 7.3.1
In my previous blog, we installed QRadar Community Edition (QCE) 7.3.1 on a CentOS 7.5 server step by step, but there were no logs, flows or offenses.
As a next step, we need to bring log events into QRadar in order to:
1) Understand how it works
2) Demonstrate security scenarios and how QRadar handles them
3) Test custom and pre-built rules
In this blog, we'll generate some logs. To do so we need two items:
1) The logrun.pl tool to generate the events
2) Sample log files
Jose Bravo is an IBM expert on QRadar SIEM. He has shared lots of great videos on his YouTube channel https://www.youtube.com/user/jbravovideos. We'll use some of his resources from here: https://ibm.ent.box.com/s/ich0yyiw54y0ek6s9a66xvtjku8e42rc. Let's download the demo.zip file.
Let's copy the file to the QRadar machine using FileZilla, into the "/store" folder.
Now, connect to the QRadar server and unzip demo.zip. It creates a folder named demo. In this folder there are many good-quality logs and scripts, structured into many sub-folders. Let's explore the 'labfiles' sub-folder.
We'll use the file 'run_cases.sh' to generate our set of log events. This bash script consists of many 'logrun.pl' commands, as you can see in the snapshot below.
Each logrun.pl command generates the logs contained in the syslog file assigned to it. Many syslog files are provided here; if you open any of them, you can see the logs. You can also bring in your own syslog files if you have them.
In the 'labfiles' folder we can see a logrun.pl file, but QRadar comes with its own version of logrun.pl in the '/opt/qradar/bin' folder, so we do not need to download it from anywhere. The snapshot below shows the syntax and the available options of the logrun.pl tool.
Let's run run_cases.sh and see the outcome, in terms of how many logs are generated by each command.
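The replay loop described above, written out as an added example (this is not run_cases.sh from the demo kit, nor QRadar's own code). It assumes demo.zip was unpacked under /store/demo, that the sample files end in .syslog, and that logrun.pl accepts -f <file>, -u <events per second> and -l <loops>; those flag names are an assumption, so confirm them against the usage output of /opt/qradar/bin/logrun.pl on your own console first. By default it only prints the event count per file and the command it would run, which is the same "how many logs per command" view the post is after, without touching the SIEM until DRY_RUN=0 is set.

```shell
#!/bin/sh
# Added example, not part of the original post or the demo kit.
# Replays each sample syslog file through QRadar's bundled logrun.pl, reporting
# how many events every file will generate before anything is sent.
# ASSUMPTION: logrun.pl understands -f <file> -u <eps> -l <loops>.

LOGRUN="${LOGRUN:-/opt/qradar/bin/logrun.pl}"   # QRadar ships its own copy here
LABFILES="${LABFILES:-/store/demo/labfiles}"    # where demo.zip was unpacked

# Number of events one sample file produces per loop: one event per non-blank line.
count_events() {
    grep -c '[^[:space:]]' "$1" || true
}

# Build (but do not run) the logrun.pl command for one file at a given
# events-per-second rate, so the exact invocation can be reviewed.
build_logrun_cmd() {
    printf '%s -f %s -u %s -l 1\n' "$LOGRUN" "$1" "$2"
}

# Walk every sample file, print "<file>: <n> events -> <command>" and, only when
# DRY_RUN=0, execute the command. Replaying at 5 eps per file keeps the total
# close to the ~43 eps the post observed with a handful of files.
replay_all() {
    for f in "$LABFILES"/*.syslog; do
        [ -f "$f" ] || continue
        n=$(count_events "$f")
        cmd=$(build_logrun_cmd "$f" 5)
        echo "$f: $n events -> $cmd"
        [ "${DRY_RUN:-1}" = "1" ] || $cmd
    done
}

# Example usage: DRY_RUN=1 sh replay.sh   (prints the plan only)
#                DRY_RUN=0 sh replay.sh   (actually sends events)
[ "${REPLAY_MAIN:-0}" = "1" ] && replay_all
```

Set REPLAY_MAIN=1 to run the loop when executing the file directly; leaving it unset lets the functions be sourced and called individually, for example to count the events in a single file before deciding on a rate.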
Once the logs start generating successfully, we can open the QRadar portal and switch to the "Log Activity" tab to see whether logs are arriving. As you can see from the snapshot below, ~43 events per second are being received; this number can be higher or lower.
Once we have sufficient logs, switch to the "Offenses" tab. Now I can see the first set of identified offenses coming in. They are of various types, like malware, multiple login failures, DDoS, etc.
So far we generated these logs through the command line, but we may not have shell access to the QRadar system every time, and there is a better way to do the same through the UI. Let's see how that can be done.
The file "ip_context_menu.xml" in the "/opt/qradar/conf" folder needs to be updated. To add an entry for a script file, we need to add one line inside "<contextMenu> … </contextMenu>".
Once the file is updated and saved, we need to restart the Web Server from the Advanced menu of the Admin section, as shown below.
Once the web server has restarted, log in again and go to the "Offenses" tab. Now, just right-click on any offense and click on your entry under "Plugin options..". This will run your file (run_cases.sh) and you will see new logs coming in.
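The one-line edit to ip_context_menu.xml, as an added example (not from the original post or from IBM). The element shape used here, <menuEntry name="..." description="..." exec="..."/>, is an assumption modelled on the kind of entries the stock file carries; compare it with the existing lines in /opt/qradar/conf/ip_context_menu.xml before using it. Whatever the exec target points at is executed on the console itself when a user clicks the menu entry, so keep that script and the XML file root-owned and not writable by other accounts. The helper takes a backup, inserts the entry just before </contextMenu>, and refuses to add the same script twice.

```shell
#!/bin/sh
# Added example, not part of the original post or of QRadar.
# Adds a right-click menu entry that launches run_cases.sh from the QRadar UI.
# ASSUMPTION: entries are <menuEntry name=".." description=".." exec=".." /> elements.

MENU_FILE="${MENU_FILE:-/opt/qradar/conf/ip_context_menu.xml}"
SCRIPT="${SCRIPT:-/store/demo/labfiles/run_cases.sh}"   # assumed unpack location

# The single line the post says must go inside <contextMenu> ... </contextMenu>.
menu_entry() {
    printf '  <menuEntry name="%s" description="%s" exec="%s" />\n' \
        "Generate demo events" "Replay the demo syslog files with logrun.pl" "$1"
}

# Insert the entry before the closing tag, keeping a timestamped backup and
# skipping the edit if an entry for this script is already present.
add_menu_entry() {
    file="$1"; script="$2"
    grep -q "exec=\"$script\"" "$file" && { echo "entry already present"; return 0; }
    cp "$file" "$file.bak.$(date +%Y%m%d%H%M%S)"
    entry=$(menu_entry "$script")
    # print every line, emitting the new entry just before </contextMenu>
    awk -v e="$entry" '/<\/contextMenu>/ { print e } { print }' "$file" > "$file.tmp" \
        && mv "$file.tmp" "$file"
}

# Count menuEntry elements; useful to confirm that exactly one line was added.
count_entries() {
    grep -c '<menuEntry ' "$1" || true
}

# Example usage (then restart the Web Server from Admin > Advanced, as in the post):
#   sh add_menu_entry.sh
[ "${MENU_MAIN:-0}" = "1" ] && add_menu_entry "$MENU_FILE" "$SCRIPT"
```

Run with MENU_MAIN=1 to apply the change; afterwards count_entries shows the new total, and the .bak file lets you roll back if the web server refuses the edited XML.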
Comments

installed_application-ContentExport-20171219103723.zip is missing.

NFFI
First, thanks for this blog, great job! But it's not working for me... I can't see logs or offenses :-( I did everything from the steps above...

Reply: If you are using the Community Edition, please update the license and you will see events and flows.

Great tutorial, but I cannot find demo.zip in that box.

Reply: The demo.zip is located under the QRadar demo files folder.

Great post, thank you very much.
Fantastic resource! Demo.zip is in "Migrating QRadar Demos".

Thank you.