Skip to content

00gxd14g/QRadar_Log_Forwarding

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

164 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

QRadar Log Forwarding Setup

QRadar Linux Bash Python CI/CD Docker Build Status

An enterprise-grade, production-ready solution for configuring Linux systems to forward audit logs to IBM QRadar SIEM.

🚀 Features

  • Universal Linux Support: Compatible with Debian/Ubuntu, RHEL/CentOS, Oracle Linux, AlmaLinux, and Rocky Linux
  • Intelligent Distribution Detection: Automatically detects and adapts to different Linux distributions and versions
  • Advanced Log Filtering: Filters out noisy and irrelevant logs to reduce QRadar EPS.
  • Rich JSON Log Format: Enriches logs with additional metadata and formats them as JSON for easy parsing in QRadar.
  • Command Concatenation: Advanced Python script that concatenates EXECVE command arguments for better SIEM parsing
  • RHEL Compatibility: Enhanced RHEL 7/8/9 support with platform-specific service management
  • SELinux & Firewall Integration: Automatic configuration for RHEL-based systems
  • Robust Error Handling: Comprehensive logging, backup creation, and diagnostic functions
  • Production Ready: Designed for enterprise environments with proper error handling and recovery

📋 Prerequisites

System Requirements

  • Root Access: Must be run with sudo/root privileges
  • Supported Operating Systems:
    • Debian (9, 10, 11, 12)
    • Ubuntu (18.04, 20.04, 22.04, 24.04)
    • Kali Linux (current)
    • RHEL/CentOS (7, 8, 9)
    • Oracle Linux (7, 8, 9)
    • AlmaLinux (8, 9)
    • Rocky Linux (8, 9)

Network Requirements

  • QRadar Connectivity: System must be able to reach QRadar server on specified IP and port
  • Default Port: TCP 514 (syslog), but configurable
  • Firewall: Script automatically configures firewalld on RHEL-based systems

Package Dependencies

The script automatically installs required packages:

  • auditd - Linux audit framework
  • audispd-plugins - Audit dispatcher plugins (Debian/Ubuntu)
  • rsyslog - System logging daemon
  • python3 - Required for command concatenation script

🛠️ Installation & Usage

Quick Start

  1. Download the latest release:

    # Option 1: Clone the repository
    git clone https://github.com/00gxd14g/QRadar_Log_Forwarding.git
    cd QRadar_Log_Forwarding
    
    # Option 2: Download latest release
    wget https://github.com/00gxd14g/QRadar_Log_Forwarding/releases/latest/download/qradar_universal_installer.sh
    chmod +x qradar_universal_installer.sh
  2. Run the universal installer:

    sudo ./src/installers/universal/qradar_universal_installer.sh <QRADAR_IP> <QRADAR_PORT>

Example Usage

# Configure for QRadar at 192.168.1.100 on port 514
sudo ./src/installers/universal/qradar_universal_installer.sh 192.168.1.100 514

Command Line Arguments

Parameter Description Example
QRADAR_IP IP address of your QRadar server 192.168.1.100
QRADAR_PORT Port number for log forwarding 514
--minimal Use minimal audit rules for low EPS Optional
--dry-run Test mode without system modifications Optional

🧪 Testing

Automated CI/CD

This project includes comprehensive automated testing via GitHub Actions:

  • Syntax Validation: All shell scripts and Python code
  • Docker Integration Tests: Multi-platform installer testing
  • Configuration Validation: Rsyslog and audit rule verification
  • Artifact Generation: Automated release preparation

Manual Testing

# Run all Docker tests
cd tests/docker
./run_tests.sh

# Test specific platform
docker build -f tests/docker/Dockerfile.ubuntu -t qradar-ubuntu-test .
docker run --rm qradar-ubuntu-test

# Syntax check
find . -name "*.sh" -type f | xargs shellcheck

Test Coverage

  • ✅ Ubuntu 24.04 installer
  • ✅ Debian 12 installer
  • ✅ RHEL/Rocky Linux 9 installer
  • ✅ Universal installer
  • ✅ Python parser scripts
  • ✅ Configuration file validation

🔧 For more details, see the documentation.

About

No description, website, or topics provided.

Resources

Stars

Watchers

Forks

Packages

 
 
 

Contributors