Step 2. Sending a set of events to QRadar

In this step, you send two sets of events to QRadar so that QRadar automatically adds two new log sources: one for verification and one for events from Kaspersky CyberTrace Service.

To add new log sources:

  1. Send the verification test log file.

    Send the verification/kl_verification_test_leef.txt file to QRadar, as described in the procedure in subsection "Sending a set of events" below.

    After you send the verification test file, QRadar will contain the KL_Verification_Tool log source.

  2. Send the sample log file.

    For testing and final adjustments of integration with QRadar, send the integration/qradar/sample_initiallog.txt sample log file to QRadar, as described in the procedure in subsection "Sending a set of events" below.

    After you send the sample log file, QRadar will contain the KL_Feed_Service_v2 log source.

    According to the QRadar documentation, up to 25 events can be missed immediately after a new log source is added, so you may have to send sample_initiallog.txt several times. This ensures that some events are displayed by QRadar and handled by Kaspersky CyberTrace Service.

Sending a set of events

To send events to QRadar:

  1. In the Connection element of the Log Scanner configuration file, specify the IPv4 address and port of your QRadar server (usually port 514).
  2. Invoke the following command from the Log Scanner directory.

    In Linux:

    ./log_scanner -p <log_file> [-p <log_file2> ...]

    In Windows:

    log_scanner.exe -p <log_file> [-p <log_file2> ...]

    <log_file>, <log_file2> are the log files to send. Alternatively, you can specify a directory that contains the log files to send.

  3. In QRadar Console (which is the web interface for QRadar), select Admin > Log Sources.

    A new log source of the Kaspersky CyberTrace type appears in the log sources list.

  4. In the settings form of the new log source, clear the Coalescing Events check box and click Save.

    Figure: Editing a log source (the Edit a log source window in QRadar).

  5. If necessary, deploy the changes by selecting the Admin > Deploy Changes menu item in QRadar Console.

If the QRadar server does not receive the events on port 514, run the following commands on the host where QRadar is installed.

For the QRadar Console, run the following command and then wait 5 minutes:

/opt/qradar/support/all_servers.sh -Ck 'if [ -f /opt/qradar/ecs/license.txt ] ; then echo -n "QRadar:Q1 Labs Inc.:0007634bda1e2:WnT9X7BDFOgB1WaXwokODc:12/31/20" > /opt/qradar/ecs/license.txt ; fi ;
    if [ -f /opt/ibm/si/services/ecs-ec-ingress/current/eventgnosis/license.txt ] ; then echo -n "QRadar:Q1 Labs Inc.:0007634bda1e2:WnT9X7BDFOgB1WaXwokODc:12/31/20" > /opt/ibm/si/services/ecs-ec-ingress/current/eventgnosis/license.txt ; fi ;
    if [ -f /opt/ibm/si/services/ecs-ep/current/eventgnosis/license.txt ] ; then echo -n "QRadar:Q1 Labs Inc.:0007634bda1e2:WnT9X7BDFOgB1WaXwokODc:12/31/20" > /opt/ibm/si/services/ecs-ep/current/eventgnosis/license.txt ; fi ;
    if [ -f /opt/ibm/si/services/ecs-ec/current/eventgnosis/license.txt ] ; then echo -n "QRadar:Q1 Labs Inc.:0007634bda1e2:WnT9X7BDFOgB1WaXwokODc:12/31/20" > /opt/ibm/si/services/ecs-ec/current/eventgnosis/license.txt ; fi ;
    if [ -f /usr/eventgnosis/ecs/license.txt ] ; then echo -n "QRadar:Q1 Labs Inc.:0007634bda1e2:WnT9X7BDFOgB1WaXwokODc:12/31/20" > /usr/eventgnosis/ecs/license.txt ; fi ;
    if [ -f /opt/qradar/conf/templates/ecs_license.txt ] ; then echo -n "QRadar:Q1 Labs Inc.:0007634bda1e2:WnT9X7BDFOgB1WaXwokODc:12/31/20" > /opt/qradar/conf/templates/ecs_license.txt ; fi'

For QRadar Community Edition, run the following command and then wait 5 minutes:

if [ -f /opt/qradar/ecs/license.txt ] ; then echo -n "QRadar:Q1 Labs Inc.:0007634bda1e2:WnT9X7BDFOgB1WaXwokODc:12/31/20" > /opt/qradar/ecs/license.txt ; fi ;
if [ -f /opt/ibm/si/services/ecs-ec-ingress/current/eventgnosis/license.txt ] ; then echo -n "QRadar:Q1 Labs Inc.:0007634bda1e2:WnT9X7BDFOgB1WaXwokODc:12/31/20" > /opt/ibm/si/services/ecs-ec-ingress/current/eventgnosis/license.txt ; fi ;
if [ -f /opt/ibm/si/services/ecs-ep/current/eventgnosis/license.txt ] ; then echo -n "QRadar:Q1 Labs Inc.:0007634bda1e2:WnT9X7BDFOgB1WaXwokODc:12/31/20" > /opt/ibm/si/services/ecs-ep/current/eventgnosis/license.txt ; fi ;
if [ -f /opt/ibm/si/services/ecs-ec/current/eventgnosis/license.txt ] ; then echo -n "QRadar:Q1 Labs Inc.:0007634bda1e2:WnT9X7BDFOgB1WaXwokODc:12/31/20" > /opt/ibm/si/services/ecs-ec/current/eventgnosis/license.txt ; fi ;
if [ -f /usr/eventgnosis/ecs/license.txt ] ; then echo -n "QRadar:Q1 Labs Inc.:0007634bda1e2:WnT9X7BDFOgB1WaXwokODc:12/31/20" > /usr/eventgnosis/ecs/license.txt ; fi ;
if [ -f /opt/qradar/conf/templates/ecs_license.txt ] ; then echo -n "QRadar:Q1 Labs Inc.:0007634bda1e2:WnT9X7BDFOgB1WaXwokODc:12/31/20" > /opt/qradar/conf/templates/ecs_license.txt ; fi
