Generate Demo Log Events for QRadar CE 7.3.1

In my previous blog, we installed QRadar Community Edition (QCE) 7.3.1 on a CentOS 7.5 server step by step, but there were no logs, flows or offenses yet.



As a next step, we need to bring log events into QRadar in order to
1) Understand how it works
2) Demonstrate security scenarios and how QRadar handles them
3) Test custom and pre-built rules

In this blog, we'll generate some logs. To do so we need two items:
1) The logrun.pl tool to generate the events
2) Sample log files

Jose Bravo is an IBM expert in QRadar SIEM. He has shared lots of great videos on his YouTube channel https://www.youtube.com/user/jbravovideos. We'll use some of his resources from https://ibm.ent.box.com/s/ich0yyiw54y0ek6s9a66xvtjku8e42rc. Let's download the demo.zip file.


Let's copy the file to the QRadar machine using FileZilla, into the "/store" folder.


Now, connect to the QRadar server and unzip the demo.zip file.


It creates a folder named demo. In this folder there are many good-quality logs and scripts, structured into many sub-folders. Let's explore the 'labfiles' sub-folder.


We'll use the file 'run_cases.sh' to generate our set of log events. This bash script consists of many 'logrun.pl' commands, as you can see in the snapshot below.



Each logrun.pl command generates the logs contained in the syslog file assigned to it. Many syslog files are provided here. If you open any syslog file, you can see the logs. You can also bring in your own syslog files if you have any.


In the 'labfiles' folder we can see a logrun.pl file, but QRadar ships its own version of logrun.pl in the '/opt/qradar/bin' folder, so we do not need to download it from anywhere. The snapshot below shows the syntax and the options available for the logrun.pl tool.


Let's run the run_cases.sh file and see the outcome, in terms of how many logs are generated by each command.
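To make concrete what each logrun.pl line in run_cases.sh does (read one sample syslog file and feed its lines to the collector at some event rate), here is an added example that is not part of the original post and is not QRadar's logrun.pl. It replays a file's lines as UDP syslog datagrams at a chosen events-per-second rate, which is also the quickest way to feed your own syslog files into a lab. The sample lines, the host, and the port are constructed assumptions; the local collector socket only exists so the replay can be checked offline.

```python
"""Replay sample syslog files into a collector over UDP at a chosen event rate.

Added example for this post; it is not the post's own code and not QRadar's
logrun.pl. It mimics what each logrun.pl line in run_cases.sh does: take one
sample syslog file and send its lines to the event collector. The sample
lines, host and port below are constructed assumptions.
"""
import socket
import time
from pathlib import Path

# Constructed sample lines in the style of the demo syslog files (not real events).
SAMPLE_LOG = """\
<34>Jan 12 10:01:02 fw01 kernel: DROP IN=eth0 SRC=10.0.0.5 DST=10.0.0.9 PROTO=TCP DPT=445
<38>Jan 12 10:01:03 dc01 sshd[2211]: Failed password for invalid user admin from 10.0.0.77 port 51022 ssh2
<38>Jan 12 10:01:04 dc01 sshd[2211]: Failed password for invalid user admin from 10.0.0.77 port 51023 ssh2

<30>Jan 12 10:01:05 av01 clamd: /tmp/x: Eicar-Test-Signature FOUND
"""


def parse_events(text):
    """Each non-empty line of a sample syslog file is one event; blank lines are skipped."""
    return [line for line in text.splitlines() if line.strip()]


def load_events(path):
    """Read a sample syslog file from disk and split it into events."""
    return parse_events(Path(path).read_text(encoding="utf-8"))


def udp_sender(host="127.0.0.1", port=514):
    """Return a callable that sends one event as a UDP datagram to the collector.

    514/udp is the standard syslog port a QRadar event collector listens on;
    the stand-alone run below uses a throwaway local port instead.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    return lambda payload: sock.sendto(payload, (host, port))


def replay(events, send, eps=10, loops=1):
    """Send every event through `send`, paced to about `eps` events per second.

    `loops` repeats the whole file, like re-running the same command. Returns
    the number of events sent. eps=0 disables pacing.
    """
    interval = 1.0 / eps if eps > 0 else 0.0
    sent = 0
    for _ in range(loops):
        for event in events:
            send(event.encode("utf-8"))
            sent += 1
            if interval:
                time.sleep(interval)
    return sent


def open_collector(host="127.0.0.1"):
    """Bind a UDP socket on an ephemeral port to stand in for the QRadar collector."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((host, 0))
    return sock


def drain(sock, timeout=0.5):
    """Return every datagram queued on the collector socket, stopping after `timeout` s of silence."""
    sock.settimeout(timeout)
    received = []
    try:
        while True:
            data, _ = sock.recvfrom(65535)
            received.append(data.decode("utf-8", errors="replace"))
    except socket.timeout:
        pass
    return received


if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    collector = open_collector()
    port = collector.getsockname()[1]
    started = time.monotonic()
    sent = replay(events, udp_sender(port=port), eps=20, loops=3)
    elapsed = time.monotonic() - started
    got = drain(collector)
    collector.close()
    print(f"sent {sent} events in {elapsed:.2f}s (~{sent / elapsed:.0f} EPS), collector received {len(got)}")
```

The sender is passed in as a callable so the pacing and looping logic can be exercised without a network; pointing `udp_sender` at the QRadar host's 514/udp is the only change needed to feed a real collector, and the printed EPS figure is what you would expect to see reflected in the Log Activity tab.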


Once the logs start generating successfully, we can open the QRadar portal and switch to the "Log Activity" tab to see whether logs are coming in. As you can see from the snapshot below, ~43 events per second are being received. This can be more or less.


Once we have sufficient logs, we can switch to the "Offenses" tab. Now I can see the first set of identified offenses coming in. They are of various types, like malware, multiple login failures, DDoS etc.


We generated these logs through the command line, but we may not have shell access to the QRadar system every time, and there is a better way to do the same through the UI. Let's see how that can be done.
The file "ip_context_menu.xml" in the "/opt/qradar/conf" folder needs to be updated. To add an entry for a script file, we need to add one line inside "<contextMenu> … </contextMenu>".
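Rather than splicing the line in by hand, the entry can be added by parsing and re-serialising the file, so a stray quote cannot leave the web server with a malformed menu. The following is an added example, not the post's own code and not IBM's: it assumes the file is an XML document rooted at `<contextMenu>` whose entries are `<menuEntry>` elements with `name`, `description` and `exec` attributes (check that against the examples in your own copy of the file), and it points the entry at `/store/demo/labfiles/run_cases.sh`, the path that follows from unzipping demo.zip in "/store" as described above. Because the entry executes a script whenever an operator picks it from the UI, it also checks that the script is an absolute, existing, executable path that is not group- or world-writable.

```python
"""Add a right-click menu entry to QRadar's ip_context_menu.xml without hand-editing.

Added example for this post, not the post's own code or IBM's. Assumptions:
the file is XML rooted at <contextMenu>, and entries are <menuEntry> elements
with name/description/exec attributes (verify against your own copy).
"""
import os
import stat
import xml.etree.ElementTree as ET

XML_DECLARATION = '<?xml version="1.0" encoding="UTF-8"?>\n'

# Constructed stand-in for /opt/qradar/conf/ip_context_menu.xml with one existing entry.
SAMPLE_MENU_XML = XML_DECLARATION + """<contextMenu>
    <menuEntry name="Ping" description="Ping the host" exec="/bin/ping -c 3 %IP%"/>
</contextMenu>
"""


def menu_entries(xml_text):
    """Return the names of the menuEntry elements in the document, in order."""
    root = ET.fromstring(xml_text)
    return [entry.get("name") for entry in root.findall("menuEntry")]


def add_menu_entry(xml_text, name, description, exec_cmd):
    """Return the document with one more <menuEntry> appended inside <contextMenu>.

    Refuses an unexpected root element and duplicate entry names, so running
    the update twice does not add the entry twice.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "contextMenu":
        raise ValueError(f"unexpected root element <{root.tag}>")
    if name in menu_entries(xml_text):
        raise ValueError(f"menu entry {name!r} already present")
    children = list(root)
    if children:
        children[-1].tail = "\n    "  # keep the new entry indented like the others
    entry = ET.SubElement(root, "menuEntry",
                          {"name": name, "description": description, "exec": exec_cmd})
    entry.tail = "\n"
    return XML_DECLARATION + ET.tostring(root, encoding="unicode") + "\n"


def check_script(path):
    """Return a list of problems with the script a menu entry would execute.

    The entry runs whenever someone picks it from the UI, so the target should
    be a fixed absolute path that unprivileged users cannot rewrite.
    """
    issues = []
    if not os.path.isabs(path):
        issues.append("not an absolute path")
        return issues
    if not os.path.isfile(path):
        issues.append("does not exist")
        return issues
    mode = os.stat(path).st_mode
    if not mode & stat.S_IXUSR:
        issues.append("not executable")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        issues.append("group- or world-writable")
    return issues


if __name__ == "__main__":
    script = "/store/demo/labfiles/run_cases.sh"  # path from the post's unzip step
    problems = check_script(script)
    if problems:
        print(f"refusing to add entry for {script}: {', '.join(problems)}")
    else:
        updated = add_menu_entry(SAMPLE_MENU_XML, "Run demo cases",
                                 "Replay the demo syslog files", script)
        print(updated)
```

On a real appliance you would read `/opt/qradar/conf/ip_context_menu.xml`, pass its text to `add_menu_entry`, and write the result back (keeping a copy of the original) before restarting the web server; the `%IP%` token in the constructed sample is just the existing entry's own argument and is not needed for run_cases.sh.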


Once the file is updated and saved, we need to restart the web server from the Advanced menu of the Admin section, as shown below.


Once the web server has restarted, you can log in again and go to the "Offenses" tab. Now, just right-click on any offense and click your entry under "Plugin options...". This will run your file (run_cases.sh) and you will see new logs coming in.



Comments

  1. installed_application-ContentExport-20171219103723.zip is missing

  3. First... thanks for this blog, great job! But it's not working for me... I can't see logs or offenses :-( Did everything from the steps above...

    1. If you are using the community edition please update the license and you will see events and flows
  4. Great tutorial, but cannot find demo.zip in that box

  5. The demo.zip is located under the QRadar demo files folder
  6. Great post, thank you very much

  12. Fantastic resource! Demo.zip is in Migrating QRadar Demos
    Thank you
