IBM Support

QRadar: How the Source IP and Destination IP are determined from events

Question & Answer


Question

How is the Source IP or Destination IP determined when it is not available in the Payload Information of an event?

Cause

The event source sends an event to QRadar that does not contain both a source and a destination IP address. An SSH login event, for example, contains only a source IP address and no destination IP address.

  • Example:

    <83>Jul 8 16:10:08 10.10.10.10 sshd[1004]: error: PAM: Authentication failure for user1 from 10.10.10.20

Answer

When QRadar receives and processes event data, it must assign an IP address to the Source IP and Destination IP fields. QRadar looks in the following locations to determine the IP address to use, in the following order:
 
  1. IP address fields in Payload Information

    The availability of IP address information in the payload depends on the Log Source Type and on the individual event, as not all events contain IP address fields. If a source IP address is available in the payload, the Source IP field is updated with it. If no source IP address is available, QRadar uses an IP address as outlined in one of the next two options in this list. The same is true of destination IP information: if no destination IP address is available in the payload, the Destination IP field remains set to the IP address from the Syslog hostname field if one was available, otherwise to the source IP address of the packet.
     
  2. The hostname field in the Syslog header

    QRadar looks for an IP address in the hostname field of the Syslog header, if available.

    Note: Not all Syslog sources use proper headers.

    If an IP address is found, the Source IP and Destination IP fields are updated with this IP address. If the hostname field contains a textual hostname, then it is not used. QRadar does not do a DNS lookup on a hostname, as it would take too much time to do for every event, and would affect pipeline throughput capacity.
     
  3. The source IP address of the packet the event came from, when received by QRadar

    The Source IP and Destination IP fields are set to the source IP address of the packet itself. This device is the one that sent the data to QRadar. If you are using an existing, centralized Syslog server to forward events to QRadar, you might often see the IP address of the Syslog server in the Source IP and Destination IP fields.

    The best ways to avoid this issue are to do one of the following:
  • Set the Log Source device to send Syslog directly to QRadar.
  • Preserve the original Syslog headers, and configure the originating devices to send an IP address in the hostname field of the Syslog header.
  • Reconfigure your Syslog server to prepend a new Syslog header to the events it forwards to QRadar, with the originating device's IP address in the hostname field of that header.


Example:

<182>Dec 15 10:56:58 10.10.10.2 - Aug 15 2015 10:56:57: %PIX-5-304001: 10.10.10.113 Accessed URL <PUBLIC IP ADDRESS>:/rss20.xml

In the example above, there is a Cisco PIX firewall event. Not shown here, the source IP of this packet is that of a central Syslog server. The central Syslog server has an IP address of 10.10.10.5. QRadar uses the source IP of the packet to first set both the Source IP and Destination IP fields to 10.10.10.5.

Cisco PIX firewall messages do not normally include standard Syslog headers; however, the administrator of the Syslog server configured the server to prepend a new Syslog header to the event, and set the hostname field of that prepended header to the IP address of the Cisco PIX firewall. This is seen in the above example as 10.10.10.2. Because the Syslog header is available and contains an IP address in the hostname field, QRadar now sets the Source IP and Destination IP fields to this IP address.

QRadar then parses any IP address fields from the Payload Information of the event, if present. In the above example, we can see that the source IP is 10.10.10.113. It can also be seen in the above example that the destination address is <PUBLIC IP ADDRESS>; most likely a remote web server in this case.

Note: Configure the Log Sources to include a complete, properly formatted, Syslog header that includes an IP address, rather than a text-based hostname.
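The following Python script is an added example, not QRadar's own parsing code, that models the three-step precedence described above and replays it on the two events from this page (the sshd event and the prepended-header PIX event) plus two constructed variants. The per-Log-Source-Type payload patterns, the packet source IPs, and the 203.0.113.7 stand-in for <PUBLIC IP ADDRESS> are all assumptions made for the example; the header regex covers only the classic BSD-style Syslog header shown on this page.

```python
import ipaddress
import re

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

# Classic BSD Syslog header: <PRI>Mon dd hh:mm:ss HOSTNAME message
SYSLOG_HEADER = re.compile(
    r"^<\d{1,3}>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+(?P<host>\S+)\s+(?P<msg>.*)$",
    re.DOTALL,
)

# Hypothetical per-Log-Source-Type payload extractors (assumed stand-ins for the
# DSM parsing QRadar would apply).  Named groups "src" and "dst" are optional:
# the sshd pattern yields only a source, the PIX pattern yields both.
PAYLOAD_PATTERNS = {
    "sshd": re.compile(r"\bfrom\s+(?P<src>" + IPV4 + r")\b"),
    "pix": re.compile(
        r"%PIX-\d-\d+:\s+(?P<src>" + IPV4 + r")\s+Accessed URL\s+(?P<dst>" + IPV4 + r")"
    ),
}


def as_ip_literal(text):
    """Return the normalised IP if text is an IP literal, else None.
    No DNS lookup is attempted, mirroring the behaviour described on the page."""
    try:
        return str(ipaddress.ip_address(text))
    except ValueError:
        return None


def resolve_addresses(raw_event, packet_source_ip, log_source_type):
    """Apply the precedence: packet source (default) < header hostname IP < payload fields.
    Returns (source_ip, destination_ip, trace) where trace lists each decision."""
    trace = []

    # Step 3 (lowest precedence, so applied first as the default): the IP the
    # packet actually came from, e.g. a central Syslog forwarder.
    src = dst = packet_source_ip
    trace.append(f"packet source: Source IP = Destination IP = {packet_source_ip}")

    # Step 2: an IP literal in the header hostname field overrides both fields.
    payload = raw_event
    header = SYSLOG_HEADER.match(raw_event)
    if header:
        payload = header.group("msg")
        host_ip = as_ip_literal(header.group("host"))
        if host_ip:
            src = dst = host_ip
            trace.append(f"header hostname is an IP: Source IP = Destination IP = {host_ip}")
        else:
            trace.append(f"header hostname '{header.group('host')}' is textual: not used")
    else:
        trace.append("no Syslog header recognised: header step skipped")

    # Step 1: whatever the log source type's parser can pull from the payload wins.
    pattern = PAYLOAD_PATTERNS.get(log_source_type)
    found = pattern.search(payload) if pattern else None
    if found:
        fields = found.groupdict()
        if fields.get("src"):
            src = fields["src"]
            trace.append(f"payload source field: Source IP = {src}")
        if fields.get("dst"):
            dst = fields["dst"]
            trace.append(f"payload destination field: Destination IP = {dst}")
    else:
        trace.append("no payload IP fields parsed: earlier values kept")

    return src, dst, trace


# Constructed sample input.  The first two lines are the page's own examples
# (203.0.113.7 stands in for <PUBLIC IP ADDRESS>); the other two are invented
# to show the textual-hostname and missing-header cases.
SSH_EVENT = ("<83>Jul 8 16:10:08 10.10.10.10 sshd[1004]: error: PAM: "
             "Authentication failure for user1 from 10.10.10.20")
PIX_EVENT = ("<182>Dec 15 10:56:58 10.10.10.2 - Aug 15 2015 10:56:57: "
             "%PIX-5-304001: 10.10.10.113 Accessed URL 203.0.113.7:/rss20.xml")
SSH_TEXT_HOST = ("<34>Oct 11 22:14:15 webhost sshd[7]: error: PAM: "
                 "Authentication failure for user2 from 192.0.2.9")
PIX_NO_HEADER = ("Aug 15 2015 10:56:57: %PIX-5-304001: 10.10.10.113 "
                 "Accessed URL 203.0.113.7:/rss20.xml")

SAMPLES = [
    ("sshd direct to QRadar", SSH_EVENT, "10.10.10.10", "sshd"),
    ("PIX via forwarder with prepended header", PIX_EVENT, "10.10.10.5", "pix"),
    ("sshd with textual hostname", SSH_TEXT_HOST, "10.0.0.1", "sshd"),
    ("PIX via forwarder, no header", PIX_NO_HEADER, "10.10.10.5", "pix"),
]

if __name__ == "__main__":
    for label, event, packet_ip, lstype in SAMPLES:
        src, dst, trace = resolve_addresses(event, packet_ip, lstype)
        print(f"{label}: Source IP={src} Destination IP={dst}")
        for step in trace:
            print("   ", step)
```

The trace makes the forwarder problem visible: in the last sample the destination still comes from the payload, but if the PIX pattern had matched nothing, both fields would have stayed at the forwarder's address 10.10.10.5, which is exactly the symptom the page describes.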


Document Information

Modified date: 25 October 2022

UID: swg21622450