IBM QRadar: How to Modify Your QRadar Network Settings

You can change your QRadar network settings by running the QRadar qchange_netsetup script.

A common mistake is to change the network settings (such as the IP address, hostname, and DNS settings) directly on the underlying operating system (QRadar runs on a customized Red Hat Enterprise Linux distribution) instead of through the script.

Here are the steps needed to change your QRadar network configuration.

NOTE: There will be some server downtime involved, since the script stops all QRadar services and initiates a server reboot. Also note that the procedure should be done on the physical server terminal/console, not through a remote SSH session.

1. Open the QRadar terminal (directly on the server console, not through SSH).

2. Run the following command as root: # qchange_netsetup

3. Read the terms and press Y, then Enter, to continue.

4. Wait for the services to stop automatically.

5. Change the network configuration as necessary.

6. Select Finish and wait for the server to reboot.

QRadar will use the new network settings after rebooting.

RSA enVision: How to Extract Unknown or Unparsed Logs

To extract unknown or unparsed logs for an unknown device in RSA enVision, you can run the following at the command prompt of the D-Srv:

%_ENVISION%\bin\lsdata.exe -events syslog -devices unknown:<ip_address> -time <starttime> <endtime> > <outputfile>

For example, if you have an unknown device with IP address 10.10.10.5 and you want to extract two days' worth of logs and store them in a file called unknown_logs.unx on the root of drive E:, you can run the following at the command prompt:

%_ENVISION%\bin\lsdata.exe -events syslog -devices unknown:10.10.10.5 -time -2D end > e:\unknown_logs.unx

The resulting unknown_logs.unx file will contain the unknown log messages (in syslog format) that were collected by enVision.

You can then use this output logfile to develop the enVision event log parser for this device.
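Before writing parser rules, it helps to see which distinct message shapes the unknown device actually emits. The following Python script is an added example, not part of the original post or of the enVision product; it assumes the exported .unx file holds one RFC 3164 style syslog line per message (a constructed sample is embedded) and groups the messages into templates by masking IP addresses and numbers.

```python
import re
from collections import Counter

# Constructed sample standing in for the contents of an unknown_logs.unx export
# (assumed format: one RFC 3164 style syslog message per line).
SAMPLE_UNX = """\
<134>Mar  3 10:15:01 fw01 acme-gw: session open src=10.10.10.5 dst=192.168.1.20 dport=443 proto=tcp
<134>Mar  3 10:15:02 fw01 acme-gw: session open src=10.10.10.5 dst=192.168.1.25 dport=80 proto=tcp
<132>Mar  3 10:15:07 fw01 acme-gw: login failed user=admin src=10.10.10.77 attempt=3
<134>Mar  3 10:15:09 fw01 acme-gw: session close src=10.10.10.5 dst=192.168.1.20 bytes=48212
<132>Mar  3 10:16:41 fw01 acme-gw: login failed user=admin src=10.10.10.78 attempt=1
"""

# Header layout: <PRI>MMM dd hh:mm:ss host tag: message
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<tag>[^:\s]+): (?P<msg>.*)$"
)
# Variable-looking tokens are collapsed so messages differing only in
# addresses or counters fall into the same template.
IPV4_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
NUM_RE = re.compile(r"\b\d+\b")


def parse_syslog_line(line):
    """Return header fields plus decoded facility/severity, or None if the line does not match."""
    m = SYSLOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    fields = m.groupdict()
    pri = int(fields.pop("pri"))
    fields["facility"], fields["severity"] = divmod(pri, 8)  # PRI = facility*8 + severity
    return fields


def templatize(msg):
    """Mask IPs first (so their octets are not seen as separate numbers), then bare numbers."""
    return NUM_RE.sub("<NUM>", IPV4_RE.sub("<IP>", msg))


def cluster_templates(text):
    """Map each message template to (count, first example); unparseable lines are skipped."""
    counts, examples = Counter(), {}
    for line in text.splitlines():
        rec = parse_syslog_line(line)
        if rec is None:
            continue
        tpl = templatize(rec["msg"])
        counts[tpl] += 1
        examples.setdefault(tpl, rec["msg"])
    return {tpl: (n, examples[tpl]) for tpl, n in counts.most_common()}
```

Each resulting template is a candidate parser rule, and the example message beside it shows which fields the rule must capture.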

CA Audit – How to add an audit node group

In CA Audit, formerly eTrust Audit, you can group your audit nodes (or audit clients) into logical groups according to the audit events to be monitored.

You can also group audit nodes by geographical or physical location, by workgroup or domain, or by the audit recorder (iRecorder) agent they run.

Some of the common iRecorder agents are the Windows NT Log iRecorder, Microsoft ISA iRecorder, and the Microsoft Exchange iRecorder.

The following steps show how to add an audit node group to CA Audit:

1. Open the CA Audit Policy Manager and click on “Audit Nodes”.


2. To add a new group, right-click on “Targets” and select “New Group”.


3. Configure the group name. Key in the desired name for the Audit Node (AN) group. You can optionally add a short description for the AN group. Click “OK” to save and close. The newly created AN group will be added to the “Targets” list.


4. Associate an Audit Node (AN) Type to the newly created group.
