Comments on "Learning by practicing: Spoofing/Replaying A QRadar Log Source"
Blog author: Nik Alleyne, MSc | CISSP | GC|IA|IH|REM|PEN (http://www.blogger.com/profile/10282323977269843041)
Comment feed last updated: 2024-03-28 06:49 -07:00

Anonymous (2022-06-22 11:01 -07:00):
Log Run Dependencies
yum install perl
yum install perl-DateTime-Format-DateParse
Copy folder and content of qradar #/opt/qradar/lib/perl to VM #/opt/qradar/lib/perl
Copy /opt/qradar/bin/logrun.pl to VM# /opt/qradar/bin/

Nik Alleyne (2020-03-23 08:29 -07:00):
Gramy,
Thanks for sticking with this and ultimately providing the guidance to your fellow readers. Much appreciated!

Gramy (https://www.blogger.com/profile/07646605467295968736, 2020-03-23 08:24 -07:00):
Here's how to deport Logrun to a Red Hat or CentOS machine:

Prerequisites:

- Perl installed
- Date:Format.pm (Perl module) installed

Copy the Logrun.pl and Logreplay.pl scripts into the /opt/qradar/bin directory you created beforehand.
You will be able to deport your log replay this way.
I even advise having a collector event dedicated to your log replay.

Nik Alleyne (2020-02-11 08:11 -08:00):
For it to be assigned automatically, you will need to ensure the type is one that QRadar recognizes by default.

unknownbwoi (https://www.blogger.com/profile/12166980893611028507, 2020-02-10 23:01 -08:00):
Hi

I am able to inject logs into QRadar. All my rules are written based on log source type. How can I assign these replayed logs to their corresponding log source type automatically, so that I can use this to test my use cases?

Thanks in advance

Nik Alleyne (2020-02-10 06:25 -08:00):
Glad to hear and thanks for the feedback. Much appreciated!!

Gramy (2020-02-10 01:04 -08:00):
Finally it's working fine.
The only problem encountered is the sending of the logs over TCP, which returns an error (I'm still looking for the cause).
So I confirm that it is possible to deport the Logrun.pl script to a remote CentOS and forward the logs to QRadar.

Gramy (2020-01-27 01:27 -08:00):
Thanks for your reply.
I've tested it, but it doesn't seem that simple.
Indeed there seem to be a lot of dependencies and different environment variables.
I copied the /opt/qradar/lib/perl and /opt/qradar/lib/logrun.pl folders but, even if I don't get an error at the prompt and the -v option lists my log file when I run the logrun.pl script, I don't get anything on the QRadar console.
I will continue to work on this and keep you informed if there is any evolution.
Thanks to you

Nik Alleyne (2020-01-24 06:04 -08:00):
Honestly, I have not looked at the code, but I won't be surprised if you can just copy the file to the CentOS device.

Look at the code and see if there are any dependencies that may be needed on CentOS or any calls to other local files and/or processes. If there are none, you may be good to go.

I say just copy the file and see if you get any errors. If you get any, you may need to work through those.

Let me know how it goes.

Gramy (2020-01-24 03:19 -08:00):
Hello,

Is it possible to install logrun on a CentOS box to use it as a "replay logs server" and send logs to QRadar? I tried to do this but I can't find logrun.pl anyway. Thanks for your help

Neeraj (2020-01-02 18:16 -08:00):
Yes, and thanks again for the prompt response.

Nik Alleyne (2020-01-02 07:18 -08:00):
My suggestion is you store it anywhere. I just happen to store it in my current directory; that is why I used "-f udsm_testing.txt". If your file, for example, is stored in "/some/folder/path/udsm_testing.txt", then your command line should look like "-f /some/folder/path/udsm_testing.txt".
Hope that helps

neeraj (2020-01-01 21:42 -08:00):
Thanks, but where do we store the udsm_testing.txt log file?

Anonymous (2019-06-20 08:08 -07:00):
Very useful! Thank you!

Nik Alleyne (2019-03-13 09:01 -07:00):
@John Clarke
Unfortunately I never looked back at this.

Anonymous (https://www.blogger.com/profile/10023574192127133851, 2019-03-13 08:57 -07:00):
Did you figure out exactly why this error occurred? I'm having the same issue.

Anonymous (https://www.blogger.com/profile/10268059794675062740, 2019-01-10 05:53 -08:00):
Thanks!

Nik Alleyne (2019-01-10 05:53 -08:00):
Here you go:
https://www.securitynik.com/2016/04/qradar-building-your-first-universal.html

Anonymous (https://www.blogger.com/profile/10268059794675062740, 2019-01-09 13:29 -08:00):
Could you please provide a link here?

Thanks!

Nik Alleyne (2019-01-09 13:20 -08:00):
;-) this blog is associated with the next one, in which we build the Universal DSM (UDSM).

Look into that blog to see how we get the events sorted out.

Anonymous (https://www.blogger.com/profile/10268059794675062740, 2019-01-09 13:00 -08:00):
It seems that none of the information from the log file is used to create the events.
You can see from your screenshot as well.
Source IP and Destination IP are both 10.0.0.200. This comes from the "-u" value.
username is N/A.
sourceport and destinationport are both 0.

Do I need to define some kind of template to teach QRadar to parse the log file?

Thanks.

Anonymous (https://www.blogger.com/profile/10268059794675062740, 2019-01-09 12:48 -08:00):
OK, the "-t" causes this problem. I removed it and then it works. Maybe the port is blocked for TCP?

How do you spoof the source port again? In your example, you put sport=12345, but your screenshot showed sourceport as 0. I got the same thing.
sport in the log file does not seem to work.

Thanks.

Nik Alleyne (2019-01-09 11:37 -08:00):
What version are you running and are you the "root" user?

Anonymous (https://www.blogger.com/profile/10268059794675062740, 2019-01-09 11:24 -08:00):
I got this error following your example:

Can't call method "send" on an undefined value at /opt/qradar/lib/perl/Syslog.pm line 82, line 1.

Did I do something wrong?

Thanks!