Simple steps on Configuring ISIM as a Log Source for Qradar:
For configuring ISIM as a Log Source we have to create two log sources:
1. For Connecting to ISIM DB (All Transactions performed on ISIM)
2. For Getting the ISIM DB Audit Logs(Transactions Performed on the ISIM DB).
ISIM Based Event Configuration:
Network Related configurations:
1. Make sure the DB2 port is open to the Qradar Machine
Configurations on Qradar:
1. Create a Log source for ISIM in Qradar.
2. Provide the below values for the Log source.
Log source Name: (Provide a Name for the Log source)
Log Source Description: (Provide a Description of the Log source)
Log souce Type: Select the option IBM Security Identity Manager.
Protocol Type: IBM Security identity manager JDBC
Log Source Identifier: (Name of DB)@(ip/Hostname of the DB machine)
DataBase Type : DB2
Database Name : (Name of the ISIM DB)
IP or Hostname: (IP/Hostname of the Database)
Port : (Port of DB2)
User name : (Provide the user name for connecting to Qradar)
Password : (Provide the password for the Username used to connect to DB)
Confirm Password : (Provide the password for the Username used to connect to DB)
Table Name : ISIMDB.AUDIT_EVENT
Select List : *
Compare Field : TIMESTAMP
Start Date: (Provide a Start date for the Qradar to read the events from DB, format is yyyy-mm-dd hh:mm)
Polling Interval : 30
EPS Throttle : 1000
Enabled : Check the box
Credibility : 5
Target Event Collector : (Select the first option in the dropdown, Mostly only one option is available)
Coaliscing Events : Check th box
Store Event Payload : Check the box
Log Source Extension : Leave as it is
Extension Use Condition : Leave as it is
3. Save the Log source.
Configuring ISIM Audit Events in Qradar:
Network Based Configurations:
1. Make sure port 22 for ftp/SFTP is open for Qradar to fetch the audit log file.
ISIM DB Based Configurations:
1. Login to DB2 server and switch user to DB instance owner
2. Run below command to configure a path for audit logs
db2audit configure datapath /data/itimdb/sqllib/security/auditdata/
3. Connect to DB
db2 connect to isimdb
4. Create audit policy on the database with category ‘execute’ to pick SQL statements executed
db2 create audit policy db_policy categories execute with data status both error type audit
db2 audit database using policy db_policy
db2 commit
5. Restart db2audit utility
db2audit stop
db2audit start
6. Execute below command to flush out audit log
db2audit flush
7. Extract the audit logs
db2audit archive database itimdb
8. Extract the logs to a readable format
db2audit extract from files <filename generated in step 7>
9. Create a Cronjob for the steps from 6 to 8 to be executed every one hour for the audit log to be generated.
Qradar side configurations:
1. Log in to QRadar.
2. Click the Admin tab.
3. Click the Log Sources icon.
4. Click Add.
5. In the Log Source Name field, type a name for the log source.
6. In the Log Source Description field, type a description for the log source.
7. From the Log Source Type list, select IBM DB2.
8. From the Protocol Configuration list, select Log File.
9. Provide the values as below:
Log Source Identifier : (IP/ Hostname of the DB2 Machine)
Service Type : FTP/SCP
Remote IP or Hostname : (IP/Hostname of DB2 machine)
Remote Port : 22
Remote User : Username of the user to connect to the db2 machine
Remote Password : Password of the user for connecting to db2 machine
Confirm Password : Password of the user for connecting to db2 machine
SSH Key file : (Only if you are using sftp if not leave it blank)
Remote Directory : Path of the directory in db2 machine where the log file is present
Recursive : (Only if you are using sftp if not leave it blank)
FTP File Pattern : .*.log
FTP Transfer Mode : ASCII
Start time : 12:10
Recurrence : 1H
Run On Save : check the box
EPS Throttle : 100
Processor : From the list, select None.
Ignore Previously Processed File(s): Select this check box
Change Local Directory: Do not select the check box
Event Generator : From the Event Generator list, select LineByLine.
10. Click Save.
For configuring ISIM as a Log Source we have to create two log sources:
1. For Connecting to ISIM DB (All Transactions performed on ISIM)
2. For Getting the ISIM DB Audit Logs(Transactions Performed on the ISIM DB).
ISIM Based Event Configuration:
Network Related configurations:
1. Make sure the DB2 port is open to the Qradar Machine
Configurations on Qradar:
1. Create a Log source for ISIM in Qradar.
2. Provide the below values for the Log source.
Log source Name: (Provide a Name for the Log source)
Log Source Description: (Provide a Description of the Log source)
Log souce Type: Select the option IBM Security Identity Manager.
Protocol Type: IBM Security identity manager JDBC
Log Source Identifier: (Name of DB)@(ip/Hostname of the DB machine)
DataBase Type : DB2
Database Name : (Name of the ISIM DB)
IP or Hostname: (IP/Hostname of the Database)
Port : (Port of DB2)
User name : (Provide the user name for connecting to Qradar)
Password : (Provide the password for the Username used to connect to DB)
Confirm Password : (Provide the password for the Username used to connect to DB)
Table Name : ISIMDB.AUDIT_EVENT
Select List : *
Compare Field : TIMESTAMP
Start Date: (Provide a Start date for the Qradar to read the events from DB, format is yyyy-mm-dd hh:mm)
Polling Interval : 30
EPS Throttle : 1000
Enabled : Check the box
Credibility : 5
Target Event Collector : (Select the first option in the dropdown, Mostly only one option is available)
Coaliscing Events : Check th box
Store Event Payload : Check the box
Log Source Extension : Leave as it is
Extension Use Condition : Leave as it is
3. Save the Log source.
Configuring ISIM Audit Events in Qradar:
Network Based Configurations:
1. Make sure port 22 for ftp/SFTP is open for Qradar to fetch the audit log file.
ISIM DB Based Configurations:
1. Login to DB2 server and switch user to DB instance owner
2. Run below command to configure a path for audit logs
db2audit configure datapath /data/itimdb/sqllib/security/auditdata/
3. Connect to DB
db2 connect to isimdb
4. Create audit policy on the database with category ‘execute’ to pick SQL statements executed
db2 create audit policy db_policy categories execute with data status both error type audit
db2 audit database using policy db_policy
db2 commit
5. Restart db2audit utility
db2audit stop
db2audit start
6. Execute below command to flush out audit log
db2audit flush
7. Extract the audit logs
db2audit archive database itimdb
8. Extract the logs to a readable format
db2audit extract from files <filename generated in step 7>
9. Create a Cronjob for the steps from 6 to 8 to be executed every one hour for the audit log to be generated.
Qradar side configurations:
1. Log in to QRadar.
2. Click the Admin tab.
3. Click the Log Sources icon.
4. Click Add.
5. In the Log Source Name field, type a name for the log source.
6. In the Log Source Description field, type a description for the log source.
7. From the Log Source Type list, select IBM DB2.
8. From the Protocol Configuration list, select Log File.
9. Provide the values as below:
Log Source Identifier : (IP/ Hostname of the DB2 Machine)
Service Type : FTP/SCP
Remote IP or Hostname : (IP/Hostname of DB2 machine)
Remote Port : 22
Remote User : Username of the user to connect to the db2 machine
Remote Password : Password of the user for connecting to db2 machine
Confirm Password : Password of the user for connecting to db2 machine
SSH Key file : (Only if you are using sftp if not leave it blank)
Remote Directory : Path of the directory in db2 machine where the log file is present
Recursive : (Only if you are using sftp if not leave it blank)
FTP File Pattern : .*.log
FTP Transfer Mode : ASCII
Start time : 12:10
Recurrence : 1H
Run On Save : check the box
EPS Throttle : 100
Processor : From the list, select None.
Ignore Previously Processed File(s): Select this check box
Change Local Directory: Do not select the check box
Event Generator : From the Event Generator list, select LineByLine.
10. Click Save.
