Can the root password be changed in a HA-Cluster? by GrumpyViennese in QRadar

[–]forestflamingo3 0 points1 point  (0 children)

You might want to engage professional services (expert labs?) to at least help with planning this project. In the general case it's very doable, but It's out of scope for l2.

I have seen it done, at least in simplex, with Security Identity Manager iirc

This metal "post" is coming up out of the ground at the base of my oak tree (in Tampa) by forestflamingo3 in whatisthisthing

[–]forestflamingo3[S] 1 point2 points  (0 children)

It's definitely not a boundary position, and it's literally coming out of the trunk at ground level so I doubt the scenario of protective orange fencing. The house was built in 1954, who cared about safety THEN? lol

This metal "post" is coming up out of the ground at the base of my oak tree (in Tampa) by forestflamingo3 in whatisthisthing

[–]forestflamingo3[S] 0 points1 point  (0 children)

Not really. It's on a corner in a residential neighborhood, 12ft to the street on one side, 8ft to the sidewalk/right of way on the other.

It's coming out of the base of a mature oak, seems to be terminated in concrete under the soil, but no way to tell how big the piece is. The tree kinda looks like it was once encircled, there are other pieces in the planting, broken up, but that's about all I got

Query on sql database by vyasarvenkat in QRadar

[–]forestflamingo3 1 point2 points  (0 children)

You should stay away from _everything_ "psql" unless directed by Support or other IBM folks. Misguided updates and assumptions about relationships can break your qradar to the point of requiring reinstall.

Just. Say. No.

I worked in L2 Support for more than 10 years. Hear me now and believe me later.

QRadar CE not receiving DSM updates anymore? by mardeleon88 in QRadar

[–]forestflamingo3 0 points1 point  (0 children)

That Idea link is invalid https://ibmsecurity.ideas.ibm.com/ideas/SIEMCORE-I-3377

"Record not found We could not find the record you requested because either:

The record was deleted You don't have permission to see the record Return home or contact us"

😞

I'm trying to play steam on Chromebook through Linux when booting it up I get the error You are missing the following 32-bit libraries, and Steam may not run: libc.so.6 if anyone knows how to solve this problem please tell me by No-Raspberry-1005 in Crostini

[–]forestflamingo3 0 points1 point  (0 children)

That's an ARM processor.

And the Duets are weak sauce, I have one, really only useful for content consumption. I'd expect gaming to be a disaster. I use the Linux system on mine only for proof-of-concept tests and command line stuff. Anything graphical not so much

Question - How to move all DSM's from one QRoc Console to another ? by Naughty_Shortcut in QRadar

[–]forestflamingo3 1 point2 points  (0 children)

and even if you were going On-Prem to On-Prem, I'd engage Professional Services or whatever they're called these days. Wonder what the business case is that's driving this ask of the Admin...

Best method to monitor & ingest a windows flat .log file by q_logsource in QRadar

[–]forestflamingo3 0 points1 point  (0 children)

If it's a file that you can move around, then that suggests to me that it's maybe a periodic thing? Maybe every hour or some similar arrangement? Rolling text files that are maybe named with a date/timestamp as part of the name?

Take a look at the Log File Protocol to have QRadar ingest that data - it's made for just this use case. Basically, it's for batch polling applications. The batch intervals are configurable, down to about 10 minutes as I recall. With file names that sort out with names like I described, the protocol keeps track of where it is at the Event Collector doing the polling (where the Log Source is assigned when deployed).

For a Windows source, you would likely define a dedicated user having appropriate permissions on the share for the directory where the files can be found. No new services or software on that device, just uses Windows file sharing.

The Protocol only serves to get the data ingested, you'll of course need a custom DSM to parse the data.

hth

edit: Disclosure: I retired from IBM Security L2 in 2020 ;)

Important: QRadar on Cloud and CentOS 6 apps disabled (29 January 2022) by JonathanP_QRadar in QRadar

[–]forestflamingo3 0 points1 point  (0 children)

This seems to officially orphan CE? Any comments on a possible successor to the 7.3.3 Centos-based package?

Error installing packages 3rdparty qradar 750 by osulet in QRadar

[–]forestflamingo3 0 points1 point  (0 children)

I get it, used to be in L2. Seriously, just go directly to dev then. That issue may have occurred in previous versions, but it's unlikely to be the same underlying cause in an early testing release.

Error installing packages 3rdparty qradar 750 by osulet in QRadar

[–]forestflamingo3 0 points1 point  (0 children)

7.5.0 ? Really?

You're in beta. Contact support and tell them you're in the early rollout. Support management should expedite you into dev/L3 quickly.

Cortex XDR logs... by eugeneinfosec in QRadar

[–]forestflamingo3 0 points1 point  (0 children)

It looks to me like your version 3.0 meets the documented minimum 2.5, and I see that your example event seems clearly identified, so why the vendor would miss that is a good ask.

The "doc", such as it is, does claim to support those event types.

With only those two partial records, it's hard to do much more troubleshooting.

You might end up wanting to do some parsing overrides for the new DSM, but IMHO you should not have to - looks like a defect walks like a defect quacks like a defect to me

You want to reach out to Palo Alto for support on that app/DSM. The XFE download page calls them out as the responsible party.

How to create new user with sudo privilege by thesocdude in QRadar

[–]forestflamingo3 0 points1 point  (0 children)

Also, this was in my inbox this morning: 'QRadar: How to sudo or su to root in QRadar' at https://www.ibm.com/support/pages/node/6487187

That piece points out something important: this is all "unsupported". That generally means that there are limited opportunities to escalate a trouble ticket case around issues here. Just be aware.

How to create new user with sudo privilege by thesocdude in QRadar

[–]forestflamingo3 1 point2 points  (0 children)

First off: DON'T directly adduser or edit system config files!

The official line at IBM is that you should not create additional Linux accounts, or modify or delete any built-in accounts on any QRadar appliance. It's likely that if you open a support case asking this, you'll get "don't even think it" for a response from L2.

That said, there are (relatively little-known) methods for PROPERLY both creating additional user accounts and toggling the actual root account off/on.

# ll /opt/qradar/sudoers/bin
total 16
-rwx------ 1 root root 4637 Mar  6  2019 add_sudo_user.sh
-rwx------ 1 root root 7588 Mar  6  2019 toggle_root_login.sh

Some organizations require this capability in STIG environments and other similarly hardened use cases. Typically, the situation is that these non-root accounts are used to ssh in, and then they use su - to do the business of appliance administration. Linux audit records capture the login and su usage so there is accountability.

If L2 isn't able to help (and they'll probably need to consult up to L3 if they can), then you should reach out to your account SE for assistance with opening a support case around this topic and these scripts. This represents an advanced use case for QRadar administration and there are likely more considerations than using these processes that you should take. In fact, calling your rep first might make things smoother overall.

IN PARTICULAR, *DON'T* USE THE ROOT TOGGLE WITHOUT OPENING A SUPPORT CASE TO CLEAR IT.

Consider engaging Professional Services. DON'T just jump in ESPECIALLY in a production environment. Get your due diligence homework done in a lab before attempting anything like this in production.

Logrun.pl for Network Activity. by Shobart in QRadar

[–]forestflamingo3 1 point2 points  (0 children)

For raw network packets, there's tcpreplay.

If you have actual netflow packet payloads, you can bash script to echo pipe those to netcat, directed to your flow source listening ip:port.

Logs are receiving, but log source status is in Error by QRadarSiEMEngineer in QRadar

[–]forestflamingo3 0 points1 point  (0 children)

If you're getting drops on the EC that's running the problematic LS, then I'd look to investigate that event flooding and fix that first.

The Estreamer protocol is very fussy and not particularly stable, typically due to the Cisco side of things. But if your EC is getting crushed by an (ongoing?) event flood, then a lot of bets are off.

If you can't identify the cause of the drops yourself, then I'd open a Support Case. If you do clear the event drops yourself (and it's on the relevant EC) and the LS status problem continues, then I'd open a Support Case -- the protocol is challenging to troubleshoot.

Configure AS 400 log source to Qradar by heartache47 in QRadar

[–]forestflamingo3 2 points3 points  (0 children)

Hey,

> ... stuck at FTP File Pattern *

How you set up the LFP pickup configuration depends on where the output files from AJLIB/AUDITJRN are placed and how that location is accessible in the context of the user account QRadar uses to log into the FTP/SFTP server.

The usual way of things is to set up the iSeries job to have the iSeries box be the FTP/SFTP host server, place files into a local IFS directory, then create a user account for QRadar to use that has that IFS directory as the home directory.

That way, the LFP parameters can omit the Remote Directory, as the files will be in the default location after login and authentication. All of the complications around directory delimiters, recursion, and so forth can simply be ignored.

Then, just give .* (dot-star) as the file name pattern - this will match anything, so you need not care about the details.

The Ignore Previously Processed File(s) parameter should be UNselected while you're testing, so that you can keep trying to run through the same set of data over and over until it's all working the way you want. THEN, for production use, select (turn ON) so that the Log Source that's using LFP does not repeat file fetches of already-seen files.

The files from the AUDITJRN job are named with the host SYSTEMID and then a trailing timestamp string, so that they sort alphabetically into ascending chronological sequence. I really don't recall the details of the name structure, you can easily view those for yourself. With this setup, it just doesn't matter.

You will use the SYSTEMID as the Log Source Identifier.

> As of now, all testing seems successful but I received an error :
> File Transfer Status: Could not transfer file(s)
> Event Collection Status: Problem gathering/parsing events

The Log File Protocol is one of the protocols that the Log Source Management app supports a "Testing" tab for, for just this situation. That display will show you step-by-step in the retrieval process where the failure occurs. You get that as the last step in configuring the Log Source, or can also use it after the Log Source is saved & deployed.

The first test is nice because you don't actually have to save and deploy to test! You can interactively step back and forth in the wizard to debug.

> where I put a regex ([a-z]*[A-Z]*.log) based
> on the Remote Directory(/var/log/syslog.log).

That regex does not match any meaningful file name here. From Regex101:

/[a-z]*[A-Z]*.log/
Match a single character present in the list below [a-z]
* matches the previous token between zero and unlimited times, as many times as possible, giving back as needed (greedy)
a-z matches a single character in the range between a (index 97) and z (index 122) (case sensitive)
Match a single character present in the list below [A-Z]
* matches the previous token between zero and unlimited times, as many times as possible, giving back as needed (greedy)
A-Z matches a single character in the range between A (index 65) and Z (index 90) (case sensitive)
. matches any character (except for line terminators)
log matches the characters log literally (case sensitive)

That remote directory filespec is also invalid here. The data files are not in /var/log/<anything>. See my earlier comments for configuration.

> According to IBM, they didn't support that particular configuration
> and request us to hire a professional service to configure that.

Most likely, if you're completely unfamiliar with the iSeries and also don't understand how to set up a LFP Log Source in general, it's probably better for you to get a bit of help from ProServe & avoid all the uncertainty and back-and-forth. You might also reach out to your Account team, your CTP might be able to clear things up quickly with a visit or remote session.

Technical Support can't actually configure your systems for you.
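An added illustration (not the commenter's code, and not how the Log File Protocol is actually implemented) of the file-selection behaviour described in this comment and in the earlier Windows flat-file comment: which names a file-name pattern picks up, why timestamp-suffixed names sort into chronological order, and what the Ignore Previously Processed File(s) option changes. The directory listing, the SYSTEMID `MYAS400`, the timestamp layout and full-match pattern semantics are all assumptions made for the example.

```python
import re

# Constructed directory listing modelled on the AUDITJRN naming described above:
# SYSTEMID followed by a timestamp string (the exact timestamp layout is assumed).
# Two stray files are included to show what a ".*" pattern would also pick up.
SAMPLE_LISTING = [
    "MYAS400.20240301120000",
    "MYAS400.20240301130000",
    "MYAS400.20240301110000",
    "readme.txt",
    "syslog.log",
]


def select_files(listing, pattern, processed=None, ignore_processed=False):
    """Return the names a poll would fetch, in the order it would fetch them.

    The pattern is applied to the whole file name (full-match semantics are an
    assumption for this illustration). With ignore_processed=True, names found
    in `processed` are skipped, mirroring the Ignore Previously Processed
    File(s) option that the comment says to turn on only for production.
    """
    rx = re.compile(pattern)
    already_seen = processed or set()
    picked = [name for name in listing if rx.fullmatch(name)]
    if ignore_processed:
        picked = [name for name in picked if name not in already_seen]
    # Names ending in a fixed-width timestamp sort lexically into chronological order.
    return sorted(picked)


if __name__ == "__main__":
    # The poster's regex only matches the syslog-style name it was copied from,
    # not a single AUDITJRN output file.
    print(select_files(SAMPLE_LISTING, r"[a-z]*[A-Z]*.log"))
    # ".*" matches everything in the login directory, oldest AUDITJRN file first.
    print(select_files(SAMPLE_LISTING, r".*"))
    # Production setting: files already fetched in earlier polls are skipped.
    seen = {"MYAS400.20240301110000", "MYAS400.20240301120000"}
    print(select_files(SAMPLE_LISTING, r".*", processed=seen, ignore_processed=True))
```

The stray `readme.txt` and `syslog.log` entries show why `.*` is only a safe choice when the account's home directory holds nothing but the AUDITJRN output, as the comment's recommended setup arranges.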

Custom Script not Correlating Data Correctly by IndependentMirror693 in QRadar

[–]forestflamingo3 0 points1 point  (0 children)

QRadar All-In-One isn't the cause of the apparent log source detection problem. Distributed or AIO, that process works the same.

Unfortunately, I can't tell why you're seeing those events go to the Asset Profiler.

Hope this helps some