More often than not, creating extensions (LSXs/uDSMs) for devices or log sources that QRadar does not support out of the box is a straightforward stepwise procedure, as described at https://qmmunity.q1labs.com/node/1130. In some cases, however, the implementation becomes rather challenging.
Based on our QRadar LSX/uDSM development experience, we have singled out three basic implementation scenarios:
1) Supporting Syslog or plain-text log sources
A typical implementation for Syslog or plain-text based devices requires at least one to two days of development and includes the following steps:
- audit data structure investigation;
- creation of parsing rules;
- mapping custom events to QRadar categories;
- testing;
- creation of custom reports and correlation rules.
This is the simplest but not the most common scenario. The amount of development effort depends mostly on the number of unique event types the device produces. The work consists largely of writing regular expressions (parsing rules) and assigning QIDs (mapping).
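To make the two core activities of this scenario concrete, here is an added example (not code from the original post and not QRadar's own implementation) that mirrors in Python what an LSX does: one regular expression per field pulls values out of a constructed syslog line, and a lookup table maps the extracted event name to a QRadar category pair. The sample log lines, the field regexes and the event-name-to-category pairs are all assumptions made up for the illustration; the "Stored"/"Unknown" labels are how QRadar itself reports events it could not parse or could not map, which is what you watch for while testing a new extension.

```python
import re

# Constructed sample audit lines from a hypothetical appliance (not real product output).
SAMPLE_LINES = [
    "<86>Jun 12 10:15:01 fw01 auditd: user=alice action=LOGIN_OK src=10.0.0.5 dst=10.0.0.1",
    "<86>Jun 12 10:15:07 fw01 auditd: user=bob action=LOGIN_FAIL src=10.0.0.9 dst=10.0.0.1",
    "<86>Jun 12 10:16:30 fw01 auditd: user=alice action=CONFIG_CHANGE src=10.0.0.5 dst=10.0.0.1",
    "<86>Jun 12 10:17:00 fw01 auditd: user=eve action=FIRMWARE_ROLLBACK src=10.0.0.7 dst=10.0.0.1",
    "<86>Jun 12 10:17:05 fw01 auditd: heartbeat ok",
]

# Parsing rules: one regex per normalised field, the same idea as the per-field
# matchers in an LSX. Field names follow QRadar's normalised event fields.
FIELD_PATTERNS = {
    "DeviceTime": re.compile(r"^<\d+>(\w{3} +\d{1,2} \d{2}:\d{2}:\d{2})"),
    "EventName": re.compile(r"\baction=(\S+)"),
    "UserName": re.compile(r"\buser=(\S+)"),
    "SourceIp": re.compile(r"\bsrc=(\d{1,3}(?:\.\d{1,3}){3})"),
    "DestinationIp": re.compile(r"\bdst=(\d{1,3}(?:\.\d{1,3}){3})"),
}

# Mapping table (assumption): device event name -> (high-level, low-level) QRadar category.
# Events missing from this table are exactly the ones that still need a QID mapping.
QID_MAP = {
    "LOGIN_OK": ("Authentication", "User Login Success"),
    "LOGIN_FAIL": ("Authentication", "User Login Failure"),
    "CONFIG_CHANGE": ("System", "Configuration Change"),
}


def parse_line(line):
    """Apply every parsing rule to one raw line; return only the fields that matched."""
    fields = {}
    for name, rx in FIELD_PATTERNS.items():
        m = rx.search(line)
        if m:
            fields[name] = m.group(1)
    return fields


def map_event(fields):
    """Resolve the parsed event name to a category pair, flagging the two failure modes."""
    name = fields.get("EventName")
    if name is None:
        # No EventName could be parsed at all: QRadar shows such events as "Stored".
        return ("Stored", "Stored")
    # Parsed but not in the mapping table: QRadar shows these as "Unknown".
    return QID_MAP.get(name, ("Unknown", "Unknown"))


def process(lines):
    """Parse and map a batch of lines; collect what a tester needs to fix next."""
    events, unmapped, unparsed = [], set(), []
    for line in lines:
        fields = parse_line(line)
        high, low = map_event(fields)
        events.append({**fields, "HighLevelCategory": high, "LowLevelCategory": low})
        if high == "Stored":
            unparsed.append(line)
        elif high == "Unknown":
            unmapped.add(fields["EventName"])
    return {"events": events, "unmapped": unmapped, "unparsed": unparsed}


if __name__ == "__main__":
    result = process(SAMPLE_LINES)
    for ev in result["events"]:
        print(ev)
    print("event names still needing a QID mapping:", sorted(result["unmapped"]))
    print("lines the parsing rules do not cover:", result["unparsed"])
```

Running this against the constructed lines leaves FIRMWARE_ROLLBACK in the "unmapped" set and the heartbeat line in "unparsed"; in a real project those two lists are the to-do list for the mapping and parsing-rule steps before testing can finish.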
2) Supporting log sources by means of existing collect protocols
Another implementation scenario makes use of an existing collection protocol (e.g. JDBC) that requires additional pre-configuration steps. In the case of a database, in addition to the typical implementation steps mentioned above, you will have to investigate the database structure and create views that combine all the required data. Sometimes it might also be necessary to create shell/batch wrapper scripts.
3) Supporting a log source with an unsupported protocol
The most complicated scenario is supporting a new device with an unsupported protocol. This includes application-specific binary log files, access via an API, multiline logs, or a database without a JDBC access option (e.g. Paradox or Lotus). This scenario dramatically increases the required effort, because the following activities come on top of those in Scenario 1:
- investigation of the target platform; you need to find out how to configure the audit, where the audit information is stored, what is the format of the audit data and how you can extract it;
- investigation of third-party or application-specific tools to access audit information (the worst case is when you have to create your own extraction tool using application-specific languages, as with 1C, a business application suite widely popular in Russian-speaking countries);
- creation of shell/batch wrapper scripts to extract data on a recurrent basis without duplicates and data loss;
- configuration of an applicable QRadar protocol to feed data to QRadar.
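The wrapper-script step is where most of the subtle bugs in this scenario live, so here is an added example (not code from the original post or from any QRadar component) of the recurrent, duplicate-free, loss-free extraction it calls for. It assumes the application-specific tool has already dumped audit records as newline-delimited text to a file; the script remembers where it stopped (inode plus byte offset in a small state file), holds back a trailing line that is still being written, and restarts from zero when it detects rotation or truncation. The file names and the sample records in demo() are constructed for the illustration.

```python
import json
import os


def read_new_records(log_path, state_path):
    """Return the complete lines appended since the last run and persist the new position.

    State is (inode, offset). A changed inode means the file was rotated, a size
    smaller than the offset means it was truncated; both restart from the beginning
    so no records are lost. Only lines ending in a newline are emitted, so a
    record that is still being written is picked up whole on the next run instead
    of being emitted twice as two fragments.
    """
    state = {"inode": None, "offset": 0}
    if os.path.exists(state_path):
        with open(state_path) as f:
            state = json.load(f)

    st = os.stat(log_path)
    offset = state["offset"]
    if state["inode"] != st.st_ino or st.st_size < offset:
        offset = 0  # rotation or truncation detected

    records = []
    with open(log_path, "rb") as f:
        f.seek(offset)
        while True:
            line = f.readline()
            if not line:
                break
            if not line.endswith(b"\n"):
                break  # partial write in progress: leave it for the next run
            offset += len(line)
            records.append(line.rstrip(b"\r\n").decode("utf-8", "replace"))

    # Write the checkpoint atomically so a crash mid-write cannot corrupt it.
    tmp = state_path + ".tmp"
    with open(tmp, "w") as f:
        json.dump({"inode": st.st_ino, "offset": offset}, f)
    os.replace(tmp, state_path)
    return records


def demo():
    """Exercise the extractor on a constructed log: append, partial write, rotation."""
    import shutil
    import tempfile

    workdir = tempfile.mkdtemp()
    try:
        log = os.path.join(workdir, "audit_export.txt")   # assumed dump file name
        state = os.path.join(workdir, "audit_export.state")
        results = []

        with open(log, "w") as f:
            f.write("rec1\nrec2\n")
        results.append(read_new_records(log, state))     # first run: both records

        with open(log, "a") as f:
            f.write("rec3\nrec4 still being wri")
        results.append(read_new_records(log, state))     # rec3 only; fragment held back

        with open(log, "a") as f:
            f.write("tten\n")
        results.append(read_new_records(log, state))     # the completed rec4, once

        os.replace(log, log + ".1")                      # simulate rotation
        with open(log, "w") as f:
            f.write("rec5\n")
        results.append(read_new_records(log, state))     # offset reset: rec5, no duplicates
        return results
    finally:
        shutil.rmtree(workdir)


if __name__ == "__main__":
    for batch in demo():
        print(batch)
```

In practice the returned records would be appended to a spool file that a QRadar file-based protocol reads, or forwarded over syslog, and the script would be run from cron or Task Scheduler; the checkpoint is what makes repeated runs idempotent.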