Hi Vilius,

We've integrated OSSEC with our Q1Labs QRadar with limited success.

Basically, we use the native QRadar ALE Agent on Windows, and native syslog on 
Linux to forward events to the QRadar SIEM; as well as forwarding category 10+ 
alerts from our OSSEC server to QRadar - this is mainly to capture file 
integrity and other system changes not apparent through forwarding system 
events alone.

We've written a custom Log Source Extension for QRadar to parse the essential 
fields (hostname, Source/Destination IP, etc.) from OSSEC events, but for some 
reason we cannot extract all fields we'd expected. In some cases, we can do 
custom extractions on QRadar events to tease-out additional details from OSSEC 
events, but this is sub-optimal because custom extractions are not indexed and 
therefore less search-friendly than natively parsed data fields.

In my experience, because of the way OSSEC normalizes the events, I think you 
would lose some details you would otherwise get from events sent from QRadar's 
ALE or WinCollect agent and having the built-in QRadar Windows DSM 
(parser) interpret the events. 

In other words, it's probably best you use Q1's agent to forward events from 
Windows hosts to QRadar, and not use OSSEC as a middle-man.

Your mileage may vary...

P.S. I'd be glad to share our custom log extension for OSSEC if you would like 
to try it.

Alessandro
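For anyone following the same path, here is an added example (not Alessandro's extension, and not code from either the OSSEC or QRadar projects) of the field extraction a custom log source extension has to perform on OSSEC alerts forwarded with OSSEC's <syslog_output>. The sample lines are constructed, following OSSEC's default syslog_output layout ("Alert Level: N; Rule: ID - text; Location: (agent) ip->source;" then optional srcip/dstip/user fields and the original event text); the 10+ threshold mirrors the setup described above. It also shows why a Windows event relayed this way reaches the SIEM only as free text appended after the OSSEC header, which is what a native Windows parser would no longer recognise:

```python
"""Extract SIEM-indexable fields from OSSEC alerts received over syslog.

Added example, not part of the original mailing-list thread. The layout
follows OSSEC's default <syslog_output> format; the sample lines are
constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample alerts (not captured from a real system).
SAMPLE_LINES = [
    "Oct 23 07:44:39 ossec-srv ossec: Alert Level: 10; Rule: 5712 - SSHD brute force "
    "trying to get access to the system.; Location: (web01) 192.0.2.10->/var/log/auth.log; "
    "srcip: 198.51.100.7; user: root; Oct 23 07:44:38 web01 sshd[2310]: Failed password "
    "for root from 198.51.100.7 port 4822 ssh2",
    "Oct 23 07:45:01 ossec-srv ossec: Alert Level: 7; Rule: 550 - Integrity checksum "
    "changed.; Location: (dc01) 192.0.2.20->syscheck; Integrity checksum changed for: "
    "'C:\\Windows\\System32\\drivers\\etc\\hosts'",
    "Oct 23 07:45:30 ossec-srv ossec: Alert Level: 12; Rule: 18152 - Multiple Windows "
    "audit failure events.; Location: (dc01) 192.0.2.20->WinEvtLog; WinEvtLog: Security: "
    "AUDIT_FAILURE(4625): Microsoft-Windows-Security-Auditing: An account failed to log on.",
]

# Syslog header, then the fixed OSSEC prefix; everything after Location is "rest".
HEADER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<relay>\S+) ossec: "
    r"Alert Level: (?P<level>\d+); "
    r"Rule: (?P<rule_id>\d+) - (?P<desc>.*?); "
    r"Location: (?P<location>[^;]*); "
    r"(?P<rest>.*)$"
)
# Agent-reported events carry "(agentname) agent_ip->source"; local events "host->source".
AGENT_LOC_RE = re.compile(r"^\((?P<host>[^)]+)\) (?P<ip>\S+)->(?P<source>.*)$")
LOCAL_LOC_RE = re.compile(r"^(?P<host>.*?)->(?P<source>.*)$")
# Optional decoder fields OSSEC prepends to the original log text.
KV_RE = re.compile(r"^(?P<key>srcip|dstip|user): (?P<val>[^;]*); ")


@dataclass
class OssecAlert:
    level: int
    rule_id: int
    description: str
    hostname: str          # agent name (or local host for server-side events)
    agent_ip: Optional[str]
    source: str            # log file or collector, e.g. syscheck, WinEvtLog
    srcip: Optional[str]
    dstip: Optional[str]
    user: Optional[str]
    original_log: str      # the event text OSSEC matched, left unparsed


def parse_alert(line: str) -> Optional[OssecAlert]:
    """Return the structured alert, or None if the line is not an OSSEC alert."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    loc = m.group("location")
    lm = AGENT_LOC_RE.match(loc)
    if lm:
        hostname, agent_ip, source = lm.group("host"), lm.group("ip"), lm.group("source")
    else:
        lm = LOCAL_LOC_RE.match(loc)
        if not lm:
            return None
        hostname, agent_ip, source = lm.group("host"), None, lm.group("source")
    # Peel off srcip/dstip/user pairs; whatever remains is the original event.
    rest = m.group("rest")
    fields: Dict[str, str] = {}
    while True:
        km = KV_RE.match(rest)
        if not km:
            break
        fields[km.group("key")] = km.group("val")
        rest = rest[km.end():]
    return OssecAlert(
        level=int(m.group("level")), rule_id=int(m.group("rule_id")),
        description=m.group("desc"), hostname=hostname, agent_ip=agent_ip,
        source=source, srcip=fields.get("srcip"), dstip=fields.get("dstip"),
        user=fields.get("user"), original_log=rest,
    )


def select_for_siem(lines: List[str], min_level: int = 10) -> List[OssecAlert]:
    """Keep only alerts at or above the forwarding threshold (10+ in the thread)."""
    alerts = (parse_alert(line) for line in lines)
    return [a for a in alerts if a is not None and a.level >= min_level]


if __name__ == "__main__":
    for alert in select_for_siem(SAMPLE_LINES):
        print(f"{alert.hostname:6} lvl={alert.level:2} rule={alert.rule_id} "
              f"src={alert.srcip} user={alert.user} via={alert.source}")
```

The third sample shows the limitation discussed above: the Windows Security event survives only as the trailing original_log string, so any field beyond what OSSEC's own header carries (hostname, level, rule, srcip, user) would have to be teased out of that free text by a further custom extraction.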


________________________________
 From: Vilius <[email protected]>
To: ossec-list <[email protected]> 
Sent: Tuesday, October 23, 2012 7:44:39 AM
Subject: [ossec-list] OSSEC and Q1Labs QRadar integration
 
Hey,

Does anyone have any experience with OSSEC and Q1Labs integration?

for example:
- does it integrate via syslog, or better via other method?
- do Q1Labs' standard parsers and normalisers understand Windows
Event logs delivered via OSSEC, or is some tweaking needed?
- are there any parsers written for OSSEC-specific alarms/alerts?

Thanks for any experiences,
Vilius
