QRadar Offsite LSX Development Requirements

Requirements
The following information should be provided for each unsupported device that needs to be connected to QRadar via an LSX
module:

1. Log Type:
o Syslog
o Single-line text file
o Multi-line text file
o Binary file
o Database table
o API call
o Etc.
2. Assumed communication/collection protocol:
o Syslog
o FTP
o SSH
o SMB
o JDBC
3. Text log sample(s) / DB table dump. The quality of the LSX module depends on the number of security-related events
containing:
o IP addresses
o Host names
o User names
o Object names
o Action types
o Etc.
Note: please provide the largest set of logs you can obtain, for the most complete event coverage.
4. Application name and version
5. Target operating system and version
6. Target Database type and version
7. Log file location on the file system / DB table name
8. Log file rotation/retention mechanism details:
o Type: by size, by date-time, other conditions
o Count: maximum number of files in log folder
o Active Name: file name pattern for active log file
o Backup Name: file name pattern for rotated (backup) log file
o Compression: is compression enabled for rotated logs?
o Active Only: do we need to support only the active log, or all backup logs as well?

See the sample request for the development of 3 LSX modules below.
Sample

| Log Type | Proto | Application Name | OS | DB Type | Location | Retention Details |
|---|---|---|---|---|---|---|
| Text/single line | SSH | BankApp v.2.3 | HPUX 11iv3 | N/A | /var/log/ | Type: rotate each 10 MB; Count: 10; ActiveName: banking001.log; BackupName: banking001.log.XX (XX=0-9); Packed: gzip; ActiveOnly: yes |
| DB table | JDBC | E-Trade 1.0 | Windows 2003 | Oracle 10g | AUDIT_TBL | Manual cleanup |
| Windows Event Log | RPC/DCOM | Quartz 1.32 | Windows 2012 | N/A | Application Log | Default for Windows Application Log |