Thank you Alessandro,

Maybe you could share the DSM with Q1munnity; I have asked a question there
on OSSEC.

In that way we could attract the vendor's attention and review, and maybe even
incorporate your work into the distribution for further development.

Thank you,
vilius

On Tue, Oct 23, 2012 at 7:51 PM, Alessandro Di Giuseppe <
[email protected]> wrote:

> Hi Vilius,
>
> We've integrated OSSEC with our Q1Labs QRadar with limited success.
>
> Basically, we use the native QRadar ALE Agent on Windows, and native
> syslog on Linux to forward events to the QRadar SIEM; as well as forwarding
> category 10+ alerts from our OSSEC server to QRadar - this is mainly to
> capture file integrity and other system changes not apparent through
> forwarding system events alone.
>
> We've written a custom Log Source Extension for QRadar to parse the
> essential fields (hostname, source/destination IP, etc.) from OSSEC events,
> but for some reason we cannot extract all the fields we'd expected. In some
> cases, we can do custom extractions on QRadar events to tease out
> additional details from OSSEC events, but this is sub-optimal because
> custom extractions are not indexed and therefore less search-friendly than
> natively parsed data fields.
>
> In my experience, because of the way OSSEC normalizes the events, I think
> you would lose some details you would otherwise get from events sent from
> QRadar's ALE or WinCollect agent and having the built-in QRadar Windows DSM
> (parser) interpret the events.
>
> In other words, it's probably best you use Q1's agent to forward events
> from Windows hosts to QRadar, and not use OSSEC as a middleman.
>
> Your mileage may vary...
>
> P.S. I'd be glad to share our custom log extension for OSSEC if you would
> like to try it.
>
> Alessandro
>
>   ------------------------------
> *From:* Vilius <[email protected]>
> *To:* ossec-list <[email protected]>
> *Sent:* Tuesday, October 23, 2012 7:44:39 AM
> *Subject:* [ossec-list] OSSEC and Q1Labs QRadar integration
>
> Hey,
>
> Does anyone have any experience with OSSEC and Q1Labs integration?
>
> For example:
> - does it integrate via syslog, or better via another method?
> - do Q1Labs' standard parsers and normalisers understand Windows
> Event logs delivered via OSSEC, or is some tweaking needed?
> - are there any parsers written for OSSEC-specific alarms/alerts?
>
> Thanks for any experiences,
> Vilius
>


-- 
/Vilius

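The setup Alessandro describes (forwarding only high-severity OSSEC alerts to the SIEM over syslog, then pulling hostname, source/destination IP and user out of each alert) is what OSSEC's syslog_output does when you set its level threshold; "category 10+" in his message corresponds to OSSEC alert level 10 and above. The following is an added example, not code from this thread, from OSSEC or from QRadar: a small parser that does for a log line what a QRadar Log Source Extension does with its regexes, so you can check which fields are actually present before writing the extension. It assumes the default (non-CEF, non-JSON) OSSEC syslog_output line layout as I recall it, with "srcip:", "dstip:" and "user:" appended only when OSSEC has them; the sample lines are constructed and the 10.x/203.0.113.x addresses are placeholders.

```python
"""Parse OSSEC syslog_output alert lines into the fields a SIEM parser wants.

Added example (not OSSEC, QRadar or thread code). Assumed line layout:

  <PRI>Mon DD HH:MM:SS server ossec: Alert Level: N; Rule: ID - description;
  Location: (agent) agent_ip->logfile; srcip: X; dstip: Y; user: U; <original log>

Everything after Location is optional, which is exactly why a fixed-field
extension "cannot extract all fields": they are simply absent on many alerts.
"""
import re
from typing import Optional

# Fixed prefix: optional syslog PRI, timestamp, OSSEC server name, "ossec:" tag.
_PREFIX = re.compile(
    r'^(?:<\d{1,3}>)?'                          # optional <PRI>
    r'(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) '    # e.g. "Oct 23 19:51:00"
    r'(?P<server>\S+) ossec: '
    r'Alert Level: (?P<level>\d+); '
    r'Rule: (?P<rule_id>\d+) - (?P<rule_desc>.*?); '
    r'Location: (?P<location>.*?);'
    r'(?P<rest>.*)$'
)
# Optional pairs OSSEC appends after Location, each " key: value;"
_OPTIONAL = re.compile(r' (srcip|dstip|user): (.*?);')
# Agent alerts: "(agentname) agentip->logfile"; server-local: "hostname->logfile"
_AGENT_LOC = re.compile(r'^\((?P<agent>[^)]+)\) (?P<agent_ip>\S+)->(?P<logfile>.*)$')


def parse_ossec_alert(line: str) -> Optional[dict]:
    """Return a dict of fields, or None if the line is not an OSSEC alert."""
    m = _PREFIX.match(line.strip())
    if not m:
        return None
    fields = {
        "timestamp": m.group("ts"),
        "ossec_server": m.group("server"),
        "level": int(m.group("level")),
        "rule_id": int(m.group("rule_id")),
        "rule_desc": m.group("rule_desc"),
        "location": m.group("location"),
        "hostname": None, "agent_ip": None, "logfile": None,
        "srcip": None, "dstip": None, "user": None,
        "original_log": "",
    }
    loc = _AGENT_LOC.match(m.group("location"))
    if loc:
        fields["hostname"] = loc.group("agent")
        fields["agent_ip"] = loc.group("agent_ip")
        fields["logfile"] = loc.group("logfile")
    else:
        host, _, logfile = m.group("location").partition("->")
        fields["hostname"], fields["logfile"] = host, logfile or None

    # Consume the optional key/value pairs in order; whatever is left is the
    # original event that triggered the rule.
    rest = m.group("rest")
    pos = 0
    while True:
        km = _OPTIONAL.match(rest, pos)
        if not km:
            break
        fields[km.group(1)] = km.group(2)
        pos = km.end()
    fields["original_log"] = rest[pos:].strip()
    return fields


def select_for_siem(lines, min_level=10):
    """Keep only alerts at or above min_level (the thread forwards level 10+)."""
    out = []
    for line in lines:
        f = parse_ossec_alert(line)
        if f and f["level"] >= min_level:
            out.append(f)
    return out


# Constructed sample lines (not real alerts); hosts and addresses are made up.
SAMPLE_LINES = [
    "<132>Oct 23 19:51:00 ossec-srv ossec: Alert Level: 10; Rule: 5712 - SSHD brute force trying to get access to the system.; Location: (web01) 10.1.2.3->/var/log/auth.log; srcip: 203.0.113.9; user: root; Oct 23 19:50:59 web01 sshd[2201]: Failed password for root from 203.0.113.9 port 51022 ssh2",
    "<132>Oct 23 19:52:10 ossec-srv ossec: Alert Level: 7; Rule: 550 - Integrity checksum changed.; Location: (web01) 10.1.2.3->syscheck; Integrity checksum changed for: '/etc/passwd'",
    "<132>Oct 23 19:53:00 ossec-srv ossec: Alert Level: 12; Rule: 18152 - Multiple Windows audit failure events.; Location: (dc01) 10.1.2.50->WinEvtLog; srcip: 10.1.2.77; dstip: 10.1.2.50; user: jdoe; WinEvtLog: Security: AUDIT_FAILURE(4625): ...",
    "Oct 23 19:54:00 ossec-srv sshd[999]: Accepted publickey for ops from 10.1.2.8 port 40010 ssh2",
]

if __name__ == "__main__":
    for a in select_for_siem(SAMPLE_LINES):
        print(a["level"], a["rule_id"], a["hostname"], a["srcip"], a["dstip"], a["user"])
```

Run it against a capture of what your OSSEC server actually sends (tcpdump on the syslog port, or the server's own syslog_output test) rather than the constructed lines: the field set differs per rule, and the Windows audit line shows the caveat from the thread directly, because the event's own fields survive only inside `original_log` after OSSEC has normalised it, which is why the QRadar Windows DSM sees less when OSSEC sits in the middle.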