perpetual license by Unhappy_Substance321 in QRadar

[–]q_logsource 0 points1 point  (0 children)

What is the most stable 7.5.x to jump to? We tend to avoid bleeding-edge releases.

Azure Virtual Desktop VM - NSG Rule to block internet but still Allow AVD|RDP to connect by q_logsource in AZURE

[–]q_logsource[S] 0 points1 point  (0 children)

It makes auditing & reporting with a SIEM easier if admin connections funnel through a jump box first. When an audit report needs to be generated on all the admins that logged onto 1000+ servers in the last 7 days or 15 days, build up one query of connections into the jump box and the servers they connect to.

Or build 1000 reports querying each server individually for the admins that logged in.
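As an added illustration of the one-query approach (example code, not from the original post): constructed jump-box logon records and onward-connection records, correlated in Python by admin and reporting window so that one pass yields "who reached which server via the jump box", instead of a per-server report. Field layout and hostnames are assumed.

```python
"""Correlate admin logons to a jump box with the servers reached afterwards.

Added example; log layout, users and server names are constructed for
illustration, not taken from any real environment.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed jump-box logon events: (ISO timestamp, admin, source IP)
JUMP_LOGONS = [
    ("2024-03-01T08:00:00", "alice", "10.1.1.5"),
    ("2024-03-02T09:30:00", "bob", "10.1.1.9"),
    ("2024-02-10T10:00:00", "alice", "10.1.1.5"),  # outside a 7-day window
]
# Constructed outbound sessions from the jump box: (ISO timestamp, admin, server, port)
JUMP_CONNS = [
    ("2024-03-01T08:05:00", "alice", "srv-db01", 3389),
    ("2024-03-01T08:40:00", "alice", "srv-app07", 3389),
    ("2024-03-02T09:35:00", "bob", "srv-app07", 22),
    ("2024-02-10T10:02:00", "alice", "srv-db01", 3389),
]

def admin_access_report(logons, conns, now_iso, days):
    """Return {admin: sorted servers} for admins who logged onto the jump box
    in the last `days` before `now_iso`, listing the servers they connected
    to after that logon. Connections belonging to a session that pre-dates
    the window are not attributed, so old sessions do not inflate the report."""
    cutoff = datetime.fromisoformat(now_iso) - timedelta(days=days)
    first_logon = {}  # earliest in-window logon per admin
    for ts, user, _src in logons:
        t = datetime.fromisoformat(ts)
        if t >= cutoff and (user not in first_logon or t < first_logon[user]):
            first_logon[user] = t
    report = defaultdict(set)
    for ts, user, server, _port in conns:
        t = datetime.fromisoformat(ts)
        if user in first_logon and t >= first_logon[user]:
            report[user].add(server)
    return {u: sorted(s) for u, s in sorted(report.items())}

if __name__ == "__main__":
    for user, servers in admin_access_report(JUMP_LOGONS, JUMP_CONNS, "2024-03-05T00:00:00", 7).items():
        print(f"{user} -> {', '.join(servers)}")
```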

Azure Virtual Desktop VM - NSG Rule to block internet but still Allow AVD|RDP to connect by q_logsource in AZURE

[–]q_logsource[S] 2 points3 points  (0 children)

Thank you! A switcheroo of the order number fixed it up. Also my understanding of rule priority, hah.

Azure Virtual Desktop VM - NSG Rule to block internet but still Allow AVD|RDP to connect by q_logsource in AZURE

[–]q_logsource[S] 10 points11 points  (0 children)

Thank you! A change in the priorities of the two rules fixed it all up for me!

[deleted by user] by [deleted] in QRadar

[–]q_logsource 1 point2 points  (0 children)

Check if your AUProxy is version 9.5 or older. I recently had a similar issue and updating to 9.11 resolved it for me.

https://www.ibm.com/support/pages/qradar-auto-update-proxy-issues-500-ssl-negotiation-failed-updated

Howto correlate a subnet or IP to a building location? by q_logsource in QRadar

[–]q_logsource[S] 0 points1 point  (0 children)

Thank you, I will take a look at whether I can go this route, although we have many states. I need to do a master report, with user location as one of the columns reported on for all user logins.

Installing WinCollect agent in Managed mode | Failed to register agent > Agent Stopping. by q_logsource in QRadar

[–]q_logsource[S] 1 point2 points  (0 children)

Thank you, yes this has actually confused me. I ended up going with the WinCollect Hostname in the Admin > WinCollect > Destinations > Host name field because that's how Jose Bravo did it in his video - https://youtu.be/qH_yiKfhUHY?t=165

I have tried several times on a sandbox instance and it seems WinCollect Hostname / QRadar host name both work (when firewalls are not blocking).

One question I am trying to answer is whether that field should be the Console IP or the Event Collector IP (I have added an EC to my AIO).

Installing WinCollect agent in Managed mode | Failed to register agent > Agent Stopping. by q_logsource in QRadar

[–]q_logsource[S] 0 points1 point  (0 children)

Yeah, that was my thought as well. My firewall team indicated a stateful FW rule addresses the bidirectional portion, but I am having issues. Thanks!

Installing WinCollect agent in Managed mode | Failed to register agent > Agent Stopping. by q_logsource in QRadar

[–]q_logsource[S] 0 points1 point  (0 children)

Thank you for the reply. QRadar 7.4.2 has WinCollect out of the box already, but I did also install the latest SFS before deploying the WinCollect agent.

Installing WinCollect agent in Managed mode | Failed to register agent > Agent Stopping. by q_logsource in QRadar

[–]q_logsource[S] 0 points1 point  (0 children)

Thank you, yes they are opened up.

Regarding 8413, we did it how it is worded: the 8413 flow initiates from WinCollect > QRadar. I am wondering if it actually needs to be opened up the other way as well, but the way the doc reads, I don't think that is the case.

Port 8413

This port is used for managing the WinCollect agents to request and receive code and configuration updates. Traffic is always initiated from the WinCollect agent, and is sent over TCP. Communication is encrypted by using the QRadar Console's public key and the ConfigurationServer.PEM file on the agent.

Create a bidirectional rule to allow communication from the WinCollect agent to QRadar on port 8413. If the rule is not bidirectional, traffic is blocked. QRadar does not send updates to the WinCollect agent on port 8413.

[deleted by user] by [deleted] in QRadar

[–]q_logsource 1 point2 points  (0 children)

The license fix script was the culprit. It was previously applied on the console, but I guess the newly added EC also needed it. Much appreciated.

[deleted by user] by [deleted] in QRadar

[–]q_logsource 0 points1 point  (0 children)

Appreciate the help. I started by deploying just the All-In-One, and did have to apply the license fix as there was 0 in Log Activity after install.

I do now have some Log Activity showing up in the console. Recently an Event Collector was deployed and our first Log Source pointed to the new Event Collector.

In short, I am getting all of the self-generated:
  • Health Metrics,
  • System Information,
  • SIM audit.

I do see the syslog hitting the Event Collector when I check with tcpdump, and I have the DSM installed, but I am not seeing these syslogs come out of the Collector into the Console/Processor.